Fix unowned plugin reference #1733
Conversation
| `["github.com/buildkite-unofficial/ping#master"]`, | ||
| []*Plugin{&Plugin{ | ||
| Location: `github.com/buildkite-unofficial/ping`, | ||
| `["github.com/buildkite-plugins/fake-plugin#master"]`, |
There was a problem hiding this comment.
Does the agent have special behaviour for handling plugins in the github.com/buildkite-plugins org vs. plugins in third party GH orgs?
I assume this is OK because none of the tests are checking the special buildkite-plugins form (docker-compose#v3.7.0), but I thought it was worth checking.
There was a problem hiding this comment.
Yeah I think that's the purpose of this test — it should not be in buildkite or buildkite-plugins.
There was a problem hiding this comment.
ah good call! in that case, could someone with github admin superpowers create a buildkite org that's neither buildkite nor buildkite-plugins, and then we could use that?
edit: see paul's second comment
There was a problem hiding this comment.
Do we need to register another GitHub org for testing this?
Or paramerise some test things so that we can use an existing one that we do already control?
There was a problem hiding this comment.
Does the agent have special behaviour for handling plugins in the github.com/buildkite-plugins org vs. plugins in third party GH orgs?
TIL this happens server-side, not agent-side.
case paths.length
when 1
"github.com/buildkite-plugins/#{add_plugin_suffix(paths.first, uri.fragment)}"
when 2
"github.com/#{paths.first}/#{add_plugin_suffix(paths.last, uri.fragment)}"
else
source
endThere was a problem hiding this comment.
(So, I think it's fine that we use github.com/buildkite-plugins for testing, unless we're really worried about future-proofing it against future agent-side handling of this)
There was a problem hiding this comment.
Good idea! Maybe you could use this demo org for now?
|
i might leave it as is for now. if we move the repo-handling agentside, we can update this test. |
We had a report on hackerone (only available to buildkite staff unfortunately!), reporting that one of our plugin definitions in the plugin tests refers to a org/repo combo that doesn't belong to buildkite.
While this currently poses no security risk as we don't actually clone or run the plugins as part of the tests, it's not out of the question that we might run/clone plugins as part of tests in the future, so we should change this reference to something that we own, just in case.