Restrict automatic runs of PR jobs #129
Conversation
bensze01
added
needs: ci
needs: review
needs: reviewer
bug
bensze01
force-pushed
the
dev/bensze01/auto-build-allowlist
branch
from
746e532 to
f9b30a7
Compare
Only run PR job if one of the following is true: - The author of the PR is a member of a trusted Github team - The job is triggered by the Github merge queue (thus the PR has been reviewed by a gatekeeper) - The job was started manually from the Jenkins UI Signed-off-by: Bence Szépkúti <[email protected]>
bensze01
force-pushed
the
dev/bensze01/auto-build-allowlist
branch
from
f9b30a7 to
d59acb6
Compare
|
|
||
| @NonCPS | ||
| boolean is_pr_author_member_of_team(String repo, int pr) { | ||
| String credentials = is_open_ci_env ? 'mbedtls-github-token' : 'd015f9b1-4800-4a81-86b3-9dbadc18ee00' |
There was a problem hiding this comment.
Please explain the UUID.
There was a problem hiding this comment.
On the internal CI we don't have user-friendly names for our credential IDs, only UUIDs - we should probably ask the Infra team to rename the credentials and adopt the names the OpenCI uses at some point so we can get rid of all similar code fragments.
| environ.set_tls_pr_environment(is_production) | ||
| boolean is_merge_queue = env.BRANCH_NAME ==~ /gh-readonly-queue\/.*/ | ||
|
|
||
| if (!is_merge_queue && currentBuild.rawBuild.getCause(Cause.UserIdCause) == null) { |
There was a problem hiding this comment.
Where can I find documentation that explains getCause(Cause.UserIdCause)?
The documentation of Cause.UserIdCause states
A build is started by an user action.
It doesn't explain what a user action is, and the documentation of getCause doesn't explain when what that function returns (and in particular when it returns null).
From what you've written, I guess that:
- A user action is something that happens on Jenkins. Only team members have access to jenkins, so if
getCause(Cause.UserIdCause)returns a non-null value, it means someone with a Jenkins account explicitly triggered the build. - The automation that triggers builds from GitHub events is not a Jenkins user.
getCausereturnsnullif there is no Jenkins user associated with the build trigger.
How can I validate these guesses?
There was a problem hiding this comment.
getCause iterates over all causes of a build, and returns a cause that is an instance of type - if no such cause is found, it returns null.
The following are all the causes produced by the various triggers used on our CI:
Cause.UserIdCause- used for builds started through the web UI or the REST api using a user's personal access tokenReplayCause- used in conjunction withCause.UserIdCausefor replayed buildsRebuildCause- used on the OpenCI in conjuction withCause.UserIdCauseand all the causes of the original build (!) if you click the other, "triangular" rebuild button on their web UI, (this one picks up the most recent CI scripts, instead of "replaying" like the other button does. Unfortunately both are labelled "Rebuild" on the OpenCI.)BranchIndexingCause- used for builds stared while scanning a repository, eg. the nightly scan of the repo for PR-merge jobsBranchEventCause- used for builds started by a github webhookTimerTrigger.TimerTriggerCause- used for builds started by a plain timerParameterizedTimerTriggerCause- used for builds started by a parameterized timer
On the internal CI, these causes each have their own pictograms that you can hover over for a short description of the build cause on the page listing all the runs of a single branch.
On both CIs, you can get a list of all causes of a build, including their full qualified classnames by appending api/json?pretty=true to the classic web UI's build page.
Examples for each build cause:
vars/common.groovy
Outdated
| String credentials = is_open_ci_env ? 'mbedtls-github-token' : 'd015f9b1-4800-4a81-86b3-9dbadc18ee00' | ||
| def github = Connector.connect(null, Connector.lookupScanCredentials(currentBuild.rawBuild.parent, null, credentials)) | ||
| def author = github.getRepository(repo).getPullRequest(pr).user | ||
| return github.getOrganization('Mbed-TLS').getTeamBySlug('mbed-tls-reviewers').hasMember(author) |
There was a problem hiding this comment.
As discussed in chat, we should be more robust here and also allow mbed-tls-developers (without depending on how the lists may be nested on GitHub).
Alternatively, does the GitHub API let us test “does the user have write access on the repository?”? That would be an acceptable condition here.
There was a problem hiding this comment.
Both are possible - I went with checking for write access, because that approach makes half as many calls to the Github REST api.
bensze01
force-pushed
the
dev/bensze01/auto-build-allowlist
branch
2 times, most recently
from
bdd5c2d to
674f6ef
Compare
Signed-off-by: Bence Szépkúti <[email protected]>
bensze01
force-pushed
the
dev/bensze01/auto-build-allowlist
branch
from
674f6ef to
7c69a2c
Compare
|
@gilles-peskine-arm @paul-elliott-arm I've updated the PR descriptions with the test runs I've run so far. |
bensze01
added
approved
|
I started a test run with an expected failure, to make sure we haven't somehow broken the error reporting path. If that works as expected (as well as the pass-expected test runs that are still running), then I'm happy with the testing. |
|
I've looked at the CI results and they look fine to me. Ok to merge if Paul agrees. |
|
Agreed, everything looks good. Merging. |
Only run PR job if one of the following is true:
Test runs: