Story
Resolution: Done
Major
None
devex docs #238 May 18-June 1, devex docs #239 June 1-June 15, devex docs #240 Jun 15-Jun 29
3
Documentation (Ref Guide, User Guide, etc.), User Experience
1. Proposed title of this feature request
Pipelines As Code, Pull Request Pipeline Run Generation Source, PR vs DefaultBranch
2. What is the nature and description of the request?
At the present time, when a pipeline is run during a PR, the .tekton folder is pulled from the contents of the PR.
The customer would like some method for pipelines generated in a given repo to be generated from the HEAD of the default branch instead of the Pull Request.
Additionally, but not as important: like the /test flag, a /test-pr flag that, when this mode is enabled, people explicitly called out in the owner's file by some method (approvers, reviewers, pr-testers, etc.) can run to test the contents of the PR instead of the DefaultBranch.
This is to prevent accidental or intentional privilege escalation by injecting content into the PR that gets run.
This is how the customer operates regular Tekton: the Pipeline/PipelineRun configurations on the cluster track the HEAD of the default branch.
3. Why does the customer need this? (List the business requirements here)
Impact is to reduce potential security risks with privilege escalation within the contents of a pipeline.
4. List any affected packages or components.
OpenShift Pipelines
Pipelines As Code
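
The following is an added sketch of the source-selection policy this request describes; it is not code from Pipelines as Code or from the reporter. `RepoPolicy`, `Event`, `tekton_source` and the `use_default_branch_definitions` setting are hypothetical names, and the example assumes the tester list is loaded from the default branch's copy of the owners file.

```python
from dataclasses import dataclass, field

# Hypothetical model of the requested behaviour; not Pipelines as Code's
# real configuration keys or implementation.

@dataclass
class RepoPolicy:
    use_default_branch_definitions: bool = True  # the requested mode
    # Assumption: loaded from the owners file on the default branch, never
    # from the PR's copy, so a PR cannot add its own author to the list.
    pr_testers: set = field(default_factory=set)

@dataclass
class Event:
    kind: str          # "pull_request" or "comment"
    pr_head_sha: str   # commit proposed by the PR
    sender: str        # account that triggered the event
    comment: str = ""  # comment body when kind == "comment"

def commands(comment):
    """Return slash commands that stand alone on their own line."""
    return {line.strip() for line in comment.splitlines()
            if line.strip() in ("/test", "/test-pr")}

def tekton_source(event, policy, default_head_sha):
    """Return (sha, reason): the commit the .tekton folder is read from."""
    if not policy.use_default_branch_definitions:
        return event.pr_head_sha, "current behaviour: .tekton from PR contents"
    if event.kind == "comment" and "/test-pr" in commands(event.comment):
        if event.sender in policy.pr_testers:
            return event.pr_head_sha, "/test-pr by a listed tester"
        return default_head_sha, "/test-pr ignored: sender not in owners file"
    # Plain PR events and /test both use the trusted definitions.
    return default_head_sha, ".tekton from default branch HEAD"

if __name__ == "__main__":
    policy = RepoPolicy(pr_testers={"alice"})  # constructed sample data
    samples = [
        Event("pull_request", "pr-sha", "mallory"),
        Event("comment", "pr-sha", "mallory", "/test-pr"),
        Event("comment", "pr-sha", "alice", "looks fine\n/test-pr"),
        Event("comment", "pr-sha", "alice", "/test"),
    ]
    for ev in samples:
        print(ev.kind, ev.sender, "->", tekton_source(ev, policy, "main-sha"))
```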
- documents SRVKP-2896 Pipelines As Code, Pull Request Pipeline Run Generation Source, PR vs HEAD (Closed)