Add configurable minimum permissions for triggers #60
@bluesliverx It would be great to get this merged/released soon. Our GitHub org has a lot of users, but we trust only a subset of them for certain repositories.
@pascal-hofmann I am not sure I understand any reason for this change. For example, "NONE" equals "allow untrusted builds" and wording is confusing. Am I not understanding something critical here?
See comments on this PR. It doesn't make sense to me
src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRReviewBranchProperty.java
Hi, Edit: The existing issue types don't make much sense and request a lot of information that's not relevant. I'll update the PR description / commit message instead.
54ef976 to a2fe5b6
@lprimak I updated the PR description to make the intent/reasoning behind this PR clearer. PS: I converted the PR to a draft because I was not able to test the latest code changes yet. I'll also add an updated screenshot once this is done.
75fde26 to c8a12d2
Ok, I can see the issue with private repositories.
c8a12d2 to 92c36fd
I opened #61 for this.
9d1174a to f95d24e
@pascal-hofmann I already reviewed it (repeated code comments, etc)
Edit: Found it and pushed the refactored version.
f95d24e to a69c6b6
For private repositories people with `Read` role (aka `pull` permission) are seen as collaborators by the GitHub API. This means, they were able to trigger builds with older versions of the plugin.

This change fixes this, and also adds the option to limit triggering of builds to repository admins.

The existing `allowUntrusted` toggle is dropped from the UI. This change adds a new drop-down `Minimum Permissions on repository to trigger the build` with these options:

- Only users with admin permission
- Only users that can push to the repository (default)
- Allow untrusted users to trigger the build
a69c6b6 to 00d64c4
* | ||
* @return the strategy options. | ||
*/ | ||
@NonNull |
Repeated code. Needs refactor
* | ||
* @return the strategy options. | ||
*/ | ||
@NonNull |
Repeated code. Needs refactor
@@ -14,12 +19,13 @@ | |||
*/ | |||
public class TriggerPRReviewBranchProperty extends BranchProperty { | |||
private boolean allowUntrusted; |
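Review bot: `private boolean allowUntrusted;` is still a field of `TriggerPRReviewBranchProperty` in this hunk, so the class can carry the old toggle next to the new minimum-permission setting. If the field stays only so that existing configurations keep loading, mark it `@Deprecated` and add a comment at the field stating which permission option each of its values maps to, so a reader can see that the two settings cannot disagree.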
Needs to be removed along with its getters and setters
@@ -30,6 +36,18 @@ public void setAllowUntrusted(boolean allowUntrusted) { | |||
this.allowUntrusted = allowUntrusted; |
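Review bot: the context line `this.allowUntrusted = allowUntrusted;` shows `setAllowUntrusted` still assigning the old boolean, and nothing visible in this hunk says how that value relates to the permission drop-down. If the setter is kept for compatibility, have it also set the new minimum-permission value (or document on the setter that it is legacy-only), and cover loading an old configuration with `allowUntrusted=true` in a test.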
Needs to be removed
Can we just remove "allow untrusted" from all the code instead of deprecating it?
I'm not sure what will happen with existing configurations if I do that. I thought this way things just continue to work as expected. If that's not desired I can remove it completely. What do you prefer?
@bluesliverx what do you think?
Hey,
Sorry, finally getting back to this project. After looking through the code, I believe it is done the correct way. While the allowUntrusted flag still shows up in the code, it is marked deprecated and the value is handled correctly to set the new value. I like this quite a bit, thanks for the improvement!
I'm just trying to get the PR to build and then I'll merge. Also, there is a new label type that was just barely merged. I'll work on getting this same functionality added to that after it builds/merges. Unless you beat me to it and then by all means add it to the label trigger (#62) @pascal-hofmann
This has been released in 96.v9ff13b69dd66.
For private repositories people with `Read` role (aka `pull` permission) are seen as collaborators by the GitHub API. This means, they were able to trigger builds with older versions of the plugin.

This change fixes this, and also adds the option to limit triggering of builds to repository admins.

The existing `allowUntrusted` toggle is dropped from the UI. This change adds a new drop-down `Minimum Permissions on repository to trigger the build` with these options:

- Only users with admin permission
- Only users that can push to the repository (default)
- Allow untrusted users to trigger the build

Use-case for the "admin" part:

`.github/CODEOWNERS`). `Jenkinsfile` and other scripts that are used in the build could be modified by people with bad intent / hacked accounts. So we also want to be able to limit triggering of builds to admins only.
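The difference between a collaborator check and the minimum-permission check described above, as an added example that is not the plugin's own code. The class, enum and method names are hypothetical (only `NONE` appears in the thread), and the permission strings assume the `admin`/`write`/`read`/`none` values GitHub reports for a user on a repository.

```java
import java.util.Locale;

public class TriggerPermissionDemo {
    /** Repository permission levels, weakest first, so enum order is privilege order. */
    enum Permission { NONE, READ, WRITE, ADMIN }

    /** The three drop-down options; constant names other than NONE are assumed. */
    enum MinimumPermission {
        ADMIN(Permission.ADMIN),   // Only users with admin permission
        WRITE(Permission.WRITE),   // Only users that can push to the repository (default)
        NONE(Permission.NONE);     // Allow untrusted users to trigger the build

        final Permission required;
        MinimumPermission(Permission required) { this.required = required; }
    }

    /** Map a reported permission string to a level; unrecognised input fails closed to NONE. */
    static Permission parse(String apiValue) {
        if (apiValue == null) return Permission.NONE;
        try {
            return Permission.valueOf(apiValue.trim().toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return Permission.NONE;
        }
    }

    /** Pre-fix model: "is a collaborator" holds for any access at all, including read. */
    static boolean legacyCollaboratorCheck(Permission actual) {
        return actual != Permission.NONE;
    }

    /** Post-fix model: the commenter needs at least the configured level. */
    static boolean mayTrigger(Permission actual, MinimumPermission minimum) {
        return actual.compareTo(minimum.required) >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real repository.
        String[] reported = { "admin", "write", "read", "none", "triage?" };
        for (String value : reported) {
            Permission p = parse(value);
            System.out.printf("%-8s legacy=%-5b admin=%-5b write=%-5b none=%b%n",
                value, legacyCollaboratorCheck(p),
                mayTrigger(p, MinimumPermission.ADMIN),
                mayTrigger(p, MinimumPermission.WRITE),
                mayTrigger(p, MinimumPermission.NONE));
        }
    }
}
```

The `read` row is the case the description is about: the collaborator model lets it through, while the default `WRITE` minimum does not.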