Configuring a Jenkins Multibranch Pipeline to Specify the Trust Permissions with Job DSL


When creating a Jenkins Multibranch Pipeline, you may find that you want to tweak the trust setting for pull requests, which controls whether PRs are trusted only from people with Write/Admin access to the repo, from everyone, or from no one.

If your repos are public, this is more of an issue, as seen recently with crypto-mining on GitHub.com, as well as repeated attempts at hacking infrastructure by modifying the Jenkins configuration in a repo, which is then run unsandboxed on a remote build agent.

If you want to configure this with Job DSL, you'll find that it's not actually possible out-of-the-box with the DSL. However, we've got emerino's answer on Stack Overflow and Ivan's comment on JIRA to help us, via a `configure` block that writes the XML directly:

multibranchPipelineJob('...') {
  configure {
    // Jenkins (XStream) writes the `_` in the plugin's package name as `__` in XML element names;
    // attribute values, such as the `trust` class below, keep the real Java name
    def traits = it / navigators / 'org.jenkinsci.plugins.github__branch__source.GitHubSCMNavigator' / traits
    traits << 'org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait' {
      strategyId 2 // build the PR head, rather than a merge with the target branch
      // this is the most open setting, and likely not required unless you're in a completely private GitHub environment!
      trust(class: 'org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustEveryone')
    }
    // note that these are also required, otherwise only the `ForkPullRequestDiscoveryTrait` ends up being taken into account
    traits << 'org.jenkinsci.plugins.github__branch__source.BranchDiscoveryTrait' {
      strategyId 1 // exclude branches that are also filed as PRs
    }
    traits << 'org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait' {
      strategyId 2 // build the PR head
    }
  }
}

Note that the strategy IDs can be discovered from the GitHub Branch Source plugin's source code.
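As an added check (this is not part of the original post), the Python script below audits a job's `config.xml` for the fork PR trust class that the snippet above writes, so you can spot `TrustEveryone` across many jobs; the sample config is constructed and trimmed to the relevant elements, and the trust class names are those shipped by the GitHub Branch Source plugin:

```python
"""Added example (not from the original post): audit a Jenkins job config.xml
for the fork pull request trust class written by the Job DSL snippet above."""
import sys
import xml.etree.ElementTree as ET

FORK_TRAIT = "org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait"
# Trust classes provided by the GitHub Branch Source plugin, least to most open.
VERDICT = {
    FORK_TRAIT + "$TrustNobody": "ok",
    FORK_TRAIT + "$TrustPermission": "ok",        # only Write/Admin collaborators
    FORK_TRAIT + "$TrustContributors": "review",  # users listed as repo contributors
    FORK_TRAIT + "$TrustEveryone": "RISK",        # any fork's Jenkinsfile is run as-is
}

def decode_tag(tag):
    """Jenkins (XStream) writes '_' in Java package names as '__' in element names."""
    return tag.replace("__", "_")

def audit_config(xml_text):
    """Return one (trust_class, strategy_id, verdict) tuple per fork PR trait."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if decode_tag(el.tag) != FORK_TRAIT:
            continue
        trust = el.find("trust")
        trust_class = trust.get("class") if trust is not None else None
        findings.append((trust_class, el.findtext("strategyId"),
                         VERDICT.get(trust_class, "unknown")))
    return findings  # empty list means no fork PR discovery trait is configured

# Constructed sample, trimmed to the elements the snippet above writes.
SAMPLE_CONFIG = """<config><navigators>
  <org.jenkinsci.plugins.github__branch__source.GitHubSCMNavigator><traits>
    <org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait>
      <strategyId>2</strategyId>
      <trust class="org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustEveryone"/>
    </org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait>
  </traits></org.jenkinsci.plugins.github__branch__source.GitHubSCMNavigator>
</navigators></config>"""

if __name__ == "__main__":
    # Pass config.xml paths on the command line, or none to audit the sample.
    for text in [open(p).read() for p in sys.argv[1:]] or [SAMPLE_CONFIG]:
        for trust_class, strategy, verdict in audit_config(text):
            print(f"{verdict:7} strategyId={strategy} trust={trust_class}")
```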

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#blogumentation #jenkins #job-dsl.

This post was filed under articles.
