
Pipelines As Code, Pull Request Pipeline Run Generation Source, PR vs HEAD

      Pipelines as Code lets you define the provenance source of the PipelineRuns, so that they can be taken from the default branch.

      By default, on a Push or a Pull Request, Pipelines as Code fetches the
      PipelineRun definition from the branch where the event was triggered.

      This behavior can be changed with the pipelinerun_provenance setting.
      The setting currently accepts two values:

          source: The default behavior; the PipelineRun definition is fetched
          from the branch where the event was triggered.
          default_branch: The PipelineRun definition is fetched from the default
          branch of the repository as configured on the git platform, for example
          main, master, or trunk.

      Example:

      This configuration defines a Repository named my-repo for the URL given in
      spec.url and sets pipelinerun_provenance to default_branch, which means
      that the PipelineRun definition is fetched from the default branch of the
      repository rather than from the branch that triggered the event.

      apiVersion: "pipelinesascode.tekton.dev/v1alpha1"
      kind: Repository
      metadata:
        name: my-repo
      spec:
        url: "https://github.com/owner/repo"
        settings:
          pipelinerun_provenance: "default_branch"

      SRVKP: issues.redhat.com/browse/SRVKP-2896

      Letting the user pin the provenance of the PipelineRun definition to the
      default branch adds another layer of security: only someone with the right
      to merge commits to the default branch can change the PipelineRun, and
      therefore what gets access to the infrastructure.
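      The check a cluster administrator would want after reading this, as an added example that is not part of the ticket or of the Pipelines as Code project: it audits the JSON that `kubectl get repositories.pipelinesascode.tekton.dev -A -o json` returns and lists every Repository whose PipelineRun definition still comes from the event branch (no setting, or an explicit "source"), plus any value the setting does not accept. The sample JSON below is constructed; the names, namespaces and URLs in it are made up.

```python
import json

# Constructed sample shaped like `kubectl get repositories.pipelinesascode.tekton.dev -A -o json`
# (names, namespaces and URLs are made up for this example).
SAMPLE_KUBECTL_JSON = """{"apiVersion": "v1", "kind": "List", "items": [
  {"apiVersion": "pipelinesascode.tekton.dev/v1alpha1", "kind": "Repository",
   "metadata": {"name": "my-repo", "namespace": "team-a"},
   "spec": {"url": "https://github.com/owner/repo",
            "settings": {"pipelinerun_provenance": "default_branch"}}},
  {"apiVersion": "pipelinesascode.tekton.dev/v1alpha1", "kind": "Repository",
   "metadata": {"name": "legacy-repo", "namespace": "team-a"},
   "spec": {"url": "https://github.com/owner/legacy"}},
  {"apiVersion": "pipelinesascode.tekton.dev/v1alpha1", "kind": "Repository",
   "metadata": {"name": "explicit-source", "namespace": "team-b"},
   "spec": {"url": "https://github.com/owner/other",
            "settings": {"pipelinerun_provenance": "source"}}}
]}"""
VALID_VALUES = {"source", "default_branch"}


def provenance_of(repo):
    """Effective pipelinerun_provenance of one Repository object. An absent
    setting means the documented default, "source": the PipelineRun definition
    comes from the branch that triggered the event."""
    settings = repo.get("spec", {}).get("settings") or {}
    return settings.get("pipelinerun_provenance", "source")


def audit(kubectl_json):
    """Return (findings, errors). findings lists "namespace/name" of every
    Repository whose PipelineRun definition still comes from the event branch,
    so a pull request can change what runs; errors lists unaccepted values."""
    findings, errors = [], []
    for repo in json.loads(kubectl_json)["items"]:
        meta = repo["metadata"]
        key = f"{meta.get('namespace', 'default')}/{meta['name']}"
        value = provenance_of(repo)
        if value not in VALID_VALUES:
            errors.append(f"{key}: unknown pipelinerun_provenance {value!r}")
        elif value == "source":
            findings.append(key)
    return findings, errors


if __name__ == "__main__":
    found, errs = audit(SAMPLE_KUBECTL_JSON)
    for key in found:
        print(f"event-branch provenance (PR can alter the PipelineRun): {key}")
    for err in errs:
        print(f"ERROR {err}")
```

      Pipe real cluster output into audit() instead of the sample to get the list of Repositories that still need pipelinerun_provenance set to default_branch.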


      1. Proposed title of this feature request
      Pipelines As Code, Pull Request Pipeline Run Generation Source, PR vs DefaultBranch

      2. What is the nature and description of the request?
      At present, when a pipeline is run for a PR, the .tekton folder is pulled from the contents of the PR.

      The customer would like some method for the pipelines generated for a given repo to be generated from the HEAD of the default branch instead of from the Pull Request.

      Additionally, but less important: like the /test command, a /test-pr command that, when this mode is enabled, people explicitly called out in the owners file by some method (approvers, reviewers, pr-testers, etc.) can use to test the contents of the PR instead of the default branch.

      This is to prevent accidental or intentional privilege escalation by injecting content into the PR that then gets run.

      This is how the customer operates regular Tekton: the Pipeline/PipelineRun configurations on the cluster track the HEAD of the default branch.

      3. Why does the customer need this? (List the business requirements here)
      The impact is to reduce potential security risks from privilege escalation through the contents of a pipeline.

      4. List any affected packages or components.
      OpenShift Pipelines
      Pipelines As Code

      Chmouel Boudjnah (cboudjna@redhat.com)
      Brandon Smitley (rhn-support-bsmitley)