Add permissions file for groovy-sandbox #2602
Merged
Description
https://github.com/jenkinsci/groovy-sandbox was moved into the jenkinsci org long ago, but it was still configured to use Kohsuke's parent POM and release to Maven Central. For the past four years this library has only been released to https://repo.jenkins-ci.org/, and only as part of Jenkins security advisories, which bypass the permissions set by this repository. I would like to be able to release this library to https://repo.jenkins-ci.org/ independently of security advisories.
For additional context, the last Maven Central release of the library was version 1.19 back in April 2018. However, even before that, versions 1.13 and 1.16, which were part of Jenkins security advisories, never got mirrored to Maven Central, leading to confusion for non-Jenkins consumers. In jenkinsci/groovy-sandbox#58 we updated the library's readme to indicate that all new versions would only be released to https://repo.jenkins-ci.org/releases, and later in jenkinsci/groovy-sandbox#63 we started explicitly discouraging all non-Jenkins usage of the library.
See also jenkinsci/groovy-sandbox#76. The users listed in the new permission file are users who are listed in permissions/script-security-plugin.yml (which should be the only plugin consuming groovy-sandbox) that are still active in the Jenkins project. Eventually I would like to move this library into https://github.com/jenkinsci/script-security-plugin, but it will need its own permissions file either way.
Submitter checklist for adding or changing permissions
Always
For a new permissions file only
permissions/ directory
artifactId (pom.xml) is used for name (permissions YAML file).
groupId/artifactId (pom.xml) are correctly represented in path (permissions YAML file)
plugin-${artifactId}.yml for plugins
When adding new uploaders (this includes newly created permissions files)
Make sure to @mention an existing maintainer to confirm the permissions request, if applicable
Make sure to @mention the users being added so their GitHub account names are known if they require GitHub merge access (see below).
Reviewer checklist (not for requesters!)
Check this if newly added person also needs to be given merge permission to the GitHub repo (please @ the people/person with their GitHub username in this issue as well). If needed, it can be done using an IRC Bot command (Not needed)
$pluginId Developers team has Admin permissions while granting the access.
@Wadeck) in this pull request. If an email contact is changed, wait for approval from the security officer.
There are IRC Bot commands for it