commit | d2596f3574703f67ff799dee201ec6a749de64ca | |
---|---|---|
author | Luca Milanesio <luca.milanesio@gmail.com> | Tue Mar 26 22:17:21 2024 +0000 |
committer | Luca Milanesio <luca.milanesio@gmail.com> | Thu Mar 28 18:36:23 2024 +0000 |
tree | 42015e38b6d008f9547eff0acb2122bcb6a54042 | |
parent | 021d2cb8b39cf334c3a796b187998e0d83a53ce1 | |
Use volatile user/password for JJB configuration

Do not rely on any stored credentials for configuring the jobs through the Jenkins Jobs Builder utility.

Storing the credentials of a user with permissions to change the Jenkins jobs definition is risky and should be avoided at all costs. Jobs are not changed continuously and any modification needs to be reviewed and merged by a Gerrit user with the maintainership of the gerrit-ci-scripts.

There isn't a big value in storing the API token of a privileged user, therefore accept the small pain of triggering the build manually rather than risking a much bigger vulnerability exposure.

Change-Id: Ie474043a513ee1faceeefb91198f82dbe1ac1507

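One way to apply the idea in the commit message, as an added example that is not code from this commit or from gerrit-ci-scripts: the Jenkins Job Builder config is generated at run time from credentials held only in shell variables and is deleted after the run. `JENKINS_URL`, `JJB_USER`, `JJB_PASSWORD` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: volatile credentials for Jenkins Job Builder (JJB).
# JENKINS_URL, JJB_USER, JJB_PASSWORD and all function names are assumed.

# Read the API token without echoing it, so it never reaches the shell
# history, the command line or a file kept on disk.
prompt_jjb_password() {
    printf 'Jenkins API token for %s: ' "$JJB_USER" >&2
    stty -echo
    IFS= read -r JJB_PASSWORD
    stty echo
    printf '\n' >&2
}

# Write a throw-away JJB config readable only by the current user and
# print its path. Fails if any credential variable is empty.
write_volatile_jjb_conf() {
    if [ -z "${JENKINS_URL:-}" ] || [ -z "${JJB_USER:-}" ] ||
       [ -z "${JJB_PASSWORD:-}" ]; then
        echo "JENKINS_URL, JJB_USER and JJB_PASSWORD must be set" >&2
        return 1
    fi
    conf=$(umask 077 && mktemp "${TMPDIR:-/tmp}/jjb-conf.XXXXXX") || return 1
    printf '[jenkins]\nurl=%s\nuser=%s\npassword=%s\n' \
        "$JENKINS_URL" "$JJB_USER" "$JJB_PASSWORD" > "$conf"
    printf '%s\n' "$conf"
}

# Run jenkins-jobs with the volatile config and always remove the file,
# whether the run succeeds or not. Arguments are the JJB subcommand,
# for example: jjb_with_volatile_creds update jenkins/
jjb_with_volatile_creds() {
    jjb_conf=$(write_volatile_jjb_conf) || return 1
    rc=0
    jenkins-jobs --conf "$jjb_conf" "$@" || rc=$?
    rm -f "$jjb_conf"
    return "$rc"
}
```
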
This project uses Jenkins Jobs Builder [1] to generate jobs from yaml descriptor files.
To add new jobs reuse existing templates, defaults etc. as much as possible. E.g. adding a job to build an additional branch of a project may be as easy as adding the name of the branch to an existing project.
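To keep the YAML files readable, lint them with yamllint [2]. Yamllint can be installed using Python pip. In `--require-hashes` mode pip only installs requirements that are pinned and carry a `--hash` option, so list yamllint that way in a requirements file (assumed here to be named `requirements.txt`; the name is an assumption, not a file of this project) and install from it:

    pip3 install --require-hashes -r requirements.txt

To run the linter, execute this command from the project's root directory:

    yamllint -c yamllint-config.yaml jenkins/**/*.yaml
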
Yamllint will not fix detected issues itself.
[1] https://docs.openstack.org/infra/jenkins-job-builder/index.html
[2] https://pypi.org/project/yamllint/