-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added monitor for release jenkins agents #262
base: main
Are you sure you want to change the base?
Added monitor for release jenkins agents #262
Conversation
jenkins-token: ${{ secrets.JENKINS_RELEASE_TOKEN }} | ||
# Issues | ||
generate-issue: true | ||
issue-assignees: 'UlisesGascon' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@richardlau not sure if makes sense to assign the issues to me, as I can't access to that Jenkins.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm hoping that won't be the case for long 🙂.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What level of access does the token give to the release jenkins instance? Just want to understand what the potential security impact might be.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mhdawson AFAIK we currently do not have a token with access to the release Jenkins instance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@richardlau right, but I think this would require one. I'm trying to understand what the risk of having a token with access to the release Jenkins in a public GitHub repo is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that we can limit the surface if we use read-only tokens. Not sure how much granularity (limit to compute) Jenkins offers currently for this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depending on how we can limit the tokens we might also want to have the actions run in a private repo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are some open questions 🤔
Co-authored-by: Richard Lau <rlau@redhat.com>
Main Changes
As discussed in nodejs/build#3414, this add a new pipeline and files to manage alerts from the release machines, following the same settings as per the test machines.
Important
In order to make this new pipeline work we will need to include two secrets in the CI:
JENKINS_RELEASE_USERNAME
JENKINS_RELEASE_TOKEN
How to generate the token
Contest
close nodejs/build#3414
Changelog