Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added monitor for release jenkins agents #262

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Jul 7, 2023

Main Changes

As discussed in nodejs/build#3414, this add a new pipeline and files to manage alerts from the release machines, following the same settings as per the test machines.

Important

In order to make this new pipeline work we will need to include two secrets in the CI:

  • JENKINS_RELEASE_USERNAME
  • JENKINS_RELEASE_TOKEN

How to generate the token

Contest

close nodejs/build#3414

Changelog

jenkins-token: ${{ secrets.JENKINS_RELEASE_TOKEN }}
# Issues
generate-issue: true
issue-assignees: 'UlisesGascon'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@richardlau not sure if makes sense to assign the issues to me, as I can't access to that Jenkins.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm hoping that won't be the case for long 🙂.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What level of access does the token give to the release jenkins instance? Just want to understand what the potential security impact might be.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mhdawson AFAIK we currently do not have a token with access to the release Jenkins instance.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@richardlau right, but I think this would require one. I'm trying to understand what the risk of having a token with access to the release Jenkins in a public GitHub repo is.

Copy link
Member Author

@UlisesGascon UlisesGascon Jul 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that we can limit the surface if we use read-only tokens. Not sure how much granularity (limit to compute) Jenkins offers currently for this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Depending on how we can limit the tokens we might also want to have the actions run in a private repo?

Copy link
Member Author

@UlisesGascon UlisesGascon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some open questions 🤔

Co-authored-by: Richard Lau <rlau@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Should we extend jenkins-alerts to release machines?
3 participants