Increase privilege of github-bot on Jenkins #2394

Closed
mmarchini opened this issue Jul 25, 2020 · 3 comments

@mmarchini
Contributor

I just added github-bot credentials to nodejs/reliability so that we can generate daily reports of failures in the CI via GitHub Actions. Unfortunately, it seems like the bot doesn't have enough permissions on Jenkins, which leads to ncu-ci failing:

Run ncu-ci walk pr --stats=true --markdown $PWD/results.md
  ncu-ci walk pr --stats=true --markdown $PWD/results.md
  shell: /bin/bash -e {0}
- Querying https://ci.nodejs.org/job/node-test-pull-request/api/json?tree=builds%5Burl%2Cresult%5D
TypeError: Cannot read property 'filter' of undefined
    at filterBuild (/opt/hostedtoolcache/node/12.18.2/x64/lib/node_modules/node-core-utils/lib/ci/ci_result_parser.js:898:6)
    at listBuilds (/opt/hostedtoolcache/node/12.18.2/x64/lib/node_modules/node-core-utils/lib/ci/ci_result_parser.js:912:18)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async WalkCommand.initialize (/opt/hostedtoolcache/node/12.18.2/x64/lib/node_modules/node-core-utils/bin/ncu-ci:290:20)
    at async main (/opt/hostedtoolcache/node/12.18.2/x64/lib/node_modules/node-core-utils/bin/ncu-ci:391:3)
##[error]Process completed with exit code 1.

https://github.com/nodejs/reliability/runs/910446091?check_suite_focus=true

I tried to run the same command (ncu-ci walk pr --stats=true --markdown $PWD/results.md) on my machine with my credentials and with bot credentials. The command works with my credentials and it fails with bot credentials. Not sure which permissions it needs in order to make the required API requests to Jenkins. Also, we intend to use the bot credentials to start CI via label, which means the bot will need permission to start CI runs.

Can we add the same permissions we have to @nodejs/collaborators to @nodejs/Bots (or to the user @nodejs-github-bot)? cc @nodejs/jenkins-admins

@richardlau
Member

If the bot is to have the same permissions as a collaborator, could it not be added to the @nodejs/collaborators team? We don’t, AFAIK, have a good method for restoring permissions after CI lockdown for security releases (https://github.com/nodejs/build/blob/master/doc/jenkins-guide.md#security-releases) other than manually reentering the entries so I would prefer not to have to add more.

@mmarchini
Contributor Author

@nodejs/bots already has the same write permission to nodejs/node as @nodejs/collaborators, so I think it should be fine. I suggested giving permissions to the bot team to give it only the least privilege it needs, but your point on it being hard to restore permissions after lockdown makes sense. I'll open an issue on nodejs/admin to request this. Let's keep this one open until we reach a decision there.

@mmarchini
Contributor Author

Bot was added to collaborators which fixed my issue, so closing
