FLIR/conservator-cli

Make Conservator-CLI Public

n-wach opened this issue · 8 comments

GitHub Actions supports the use of "Secrets", which are basically environment variables only exposed when the Action is triggered in certain contexts: when a PR is created by an approved collaborator, and not from a fork.

Jenkins doesn't appear to expose this information easily, so it would be hard to verify that a PR is safe to run.

Unless we can somehow filter PRs (and prevent someone from just modifying the filter in a PR), all PRs submitted to the repo must be trusted.

We would need to:

  • disable forking (as any fork can submit a PR)
  • require all PRs be made by authorized collaborators (or org members)

Submitted a ticket to GH support asking some questions about this

Abridged response:

Unfortunately, this is not possible. Once a repository is public, anyone can fork the repository and open pull requests to it. You can disable pull requests but this means that collaborators won't themselves be able to propose changes using pull requests.

That said, you might be able to use GitHub Actions (or GitHub Apps) to write a custom workflow that approximates what you want. In that case, while you can't prevent non-collaborators from opening pull requests, you can close them immediately and only trigger the build if the change comes from a collaborator.

GitHub Actions is not an option for us (requires upgrading FLIR's subscription).

There may be some Jenkins plugins available for restricting builds to certain users--looks like our only option if we want to make this (or any repo with Jenkins) public.

This plugin looks promising: https://github.com/jenkinsci/ghprb-plugin

Plugin is deprecated, points to this one: https://plugins.jenkins.io/github-branch-source/

That plugin is already installed--configured to not run on forks

We can make this repo public as soon as we've confirmed no secrets exist.

I performed a regex search for API Keys using a command based on this: https://stackoverflow.com/a/4468394

Couldn't find any valid conservator API keys.

@rlc2 has also taken a look

Seems ready to make public--waiting on approval from @Andrespm

Reminder to remove the private repo warning in the install guide
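As an added example (not code from the issue or the conservator-cli project), a POSIX shell version of the pre-publication secret search discussed above. It scans the added lines of `git log -p --all`, not just the working tree, because a key that was committed once and deleted in a later commit is still in every clone's history once the repo is public. The regex and the sample diff are constructed heuristics, not the StackOverflow command the issue cites.

```shell
#!/bin/sh
# Added example, not code from the conservator-cli project or the issue.
# Goal: before making a repo public, search *history*, not only the working
# tree, for credential-like additions: a key committed once and deleted later
# is still recoverable from the repository's history.
# Assumptions: git is installed; SECRET_RE and SAMPLE_DIFF are constructed
# heuristics / sample data, not the StackOverflow regex the issue refers to.

# Heuristic: "<api_key|secret|token|password...> = '<16+ token chars>'" or a
# bare run of 40+ hex digits (SHA-sized keys). Expect false positives; triage.
SECRET_RE="(api[_-]?key|secret|token|passw(or)?d)[A-Za-z0-9_]*[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9+/=_-]{16,}|[A-Fa-f0-9]{40,}"

# scan_lines: read a unified diff (or `git log -p` output) on stdin and print
# only *added* content lines ('+', but not the '+++' file header) that match.
# Exit status 0 = at least one hit, 1 = clean.
scan_lines() {
    grep -E '^\+' | grep -Ev '^\+\+\+' | grep -Ei "$SECRET_RE"
}

# scan_repo_history: every commit on every branch and tag of the repo at $1.
# Run it on the repo itself and on any mirror you also intend to open up.
scan_repo_history() {
    git -C "$1" log -p --all --no-color | scan_lines
}

# Constructed sample: one real-looking key assignment, one deleted key (a '-'
# line, so it is not reported here; the commit that *added* it would be), and
# two benign mentions of "api_key" / "token" that must not be flagged.
SAMPLE_DIFF='diff --git a/config.py b/config.py
+++ b/config.py
+CONSERVATOR_API_KEY = "ZXhhbXBsZV9mYWtlX2tleV8xMjM0"
+DEBUG = True
+# api_key is read from the environment
-OLD_TOKEN = "deadbeefdeadbeefdeadbeefdeadbeef"
+token = os.environ["CONSERVATOR_TOKEN"]'

# Self-demonstration on the constructed sample (prints the one flagged line).
printf '%s\n' "$SAMPLE_DIFF" | scan_lines || echo "no credential-like additions found"
```

For a real repository, `scan_repo_history /path/to/clone` does the same over the full history; a non-zero exit means nothing was flagged.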