This repository has been archived by the owner on Nov 25, 2022. It is now read-only.

Commit

[ci] Add mechanism for trust on certain CI scripts (apache#12604)
This makes it so changes to certain files from users not listed in
`CONTRIBUTING.md` are not tested in CI. This is necessary since these
scripts run on the baremetal EC2 instances and not inside Docker
containers, so they can affect other builds and potentially grab Jenkins
secrets. This checks out the version from the upstream for the listed
files after running `git checkout`. Tested in CI: [positive](https://ci.tlcpack.ai/blue/organizations/jenkins/tvm/detail/PR-12604/6/pipeline/) and [negative](https://ci.tlcpack.ai/blue/organizations/jenkins/tvm/detail/PR-12604/9/pipeline/)
driazati authored and xinetzone committed Nov 25, 2022
1 parent bef18aa commit 9294be6
Showing 2 changed files with 51 additions and 1 deletion.
27 changes: 26 additions & 1 deletion Jenkinsfile


25 changes: 25 additions & 0 deletions ci/jenkins/Prepare.groovy.j2
Expand Up @@ -38,6 +38,7 @@ def init_git() {
""",
label: 'Update git submodules',
)
checkout_trusted_files()
}

def docker_init(image) {
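Review bot: `checkout_trusted_files()` is now called from `init_git()`, but it depends on `upstream_revision` (used by the new function's `git show` and `git checkout` calls) having been resolved before `init_git()` runs, and nothing in this hunk sets or documents that. A short comment at the call site stating that `upstream_revision` must already be defined, or an explicit check that it is non-empty before the checkout is attempted, would make the ordering requirement visible to the next person editing this file.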
Expand Down Expand Up @@ -98,6 +99,30 @@ def cancel_previous_build() {
}
}

def checkout_trusted_files() {
// trust everything from branch builds
if (!env.BRANCH_NAME.startsWith('PR-')) {
return;
}

// trust peoople listed in CONTRIBUTING.md
grep_code = sh(
returnStatus: true,
script: "git show '${upstream_revision}:CONTRIBUTORS.md' | grep '@${env.CHANGE_AUTHOR}'",
label: 'Check if change is from a contributor',
)

if (grep_code == 1) {
// Any scripts that run on the bare host and not inside a Docker container
// (especially those that access secrets) should be checked out here so
// only trusted versions are used in CI
sh(
script: "git checkout ${upstream_revision} ci/scripts/.",
label: 'Check out trusted files',
)
}
}

def should_skip_ci(pr_number) {
if (env.BRANCH_NAME == null || !env.BRANCH_NAME.startsWith('PR-')) {
// never skip CI on build sourced from a branch
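Review bot: the `if (grep_code == 1)` test in `checkout_trusted_files()` fails open: `grep` exits 1 only when it read its input and found no match, and exits 2 on its own errors, so any failure of the pipeline (a `git show` error surfaces as empty input, but a `grep` error does not) leaves the PR's own `ci/scripts/` in place. Prefer `if (grep_code != 0)` so that anything other than a confirmed match is treated as untrusted. Two smaller points in the same block: the comment says `CONTRIBUTING.md` (and misspells `people` as `peoople`) while the script reads `CONTRIBUTORS.md`, so one of them should be corrected to match; and `grep '@${env.CHANGE_AUTHOR}'` is a substring match, so a listed `@alice-dev` would also satisfy the check for an author named `alice`; `grep -F -w` (or a pattern anchored at the end of the handle) restricts it to exact handles. Finally, `git checkout ${upstream_revision} ci/scripts/.` overwrites paths that exist upstream but leaves files the PR adds under `ci/scripts/` untouched, so the protection only covers scripts already present at `upstream_revision`; that limit is worth stating in the comment above the call.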

0 comments on commit 9294be6
