New permissions option for GitHub PR Comment Build plugin

In version 78.v2dcf62ba199b GitHub Pull Request Comment Build Plugin introduced permissions check for users triggering jobs with comments. This added a new checkbox/XML element that allows untrusted users to trigger builds. (see https://github.com/jenkinsci/github-pr-comment-build-plugin/pull/46) This commit adds support for this option by allowing dictionary syntax for GH PR Comment Build plugin: ``` - trigger-build-on-pr-review: allow-untrusted-users: true ``` while preserving support for currently existing syntax: ``` - trigger-build-on-pr-review: true ``` Change-Id: I554129c779161b47cba4566f7821ef7590a242e0
2023-02-15 13:32:40 +01:00 · 2023-02-15 13:32:40 +01:00 · aa9897dff3
parent a4052b1388
commit aa9897dff3
5 changed files with 121 additions and 8 deletions
--- a/jenkins_jobs/modules/project_multibranch.py
+++ b/jenkins_jobs/modules/project_multibranch.py
@ -1736,14 +1736,26 @@ def apply_property_strategies(props_elem, props_list):
                "".join([pr_comment_build, ".TriggerPRCommentBranchProperty"]),
                {"plugin": "github-pr-comment-build"},
            )
-            XML.SubElement(tbopc_elem, "commentBody").text = tbopc_val
+            if isinstance(tbopc_val, dict):
+                XML.SubElement(tbopc_elem, "commentBody").text = tbopc_val.get(
+                    "comment"
+                )
+                if tbopc_val.get("allow-untrusted-users", False):
+                    XML.SubElement(tbopc_elem, "allowUntrusted").text = "true"
+            else:
+                XML.SubElement(tbopc_elem, "commentBody").text = tbopc_val
        for opt in pcb_bool_opts:
-            if dbs_list.get(opt, False):
-                XML.SubElement(
+            opt_value = dbs_list.get(opt, None)
+            if opt_value:
+                opt_elem = XML.SubElement(
                    props_elem,
                    "".join([pr_comment_build, pcb_bool_opts.get(opt)]),
                    {"plugin": "github-pr-comment-build"},
                )
+                if isinstance(opt_value, dict) and opt_value.get(
+                    "allow-untrusted-users", False
+                ):
+                    XML.SubElement(opt_elem, "allowUntrusted").text = "true"


 def add_filter_branch_pr_behaviors(traits, data):
--- a/tests/multibranch/fixtures/scm_github_comment_plugin_booleans.xml
+++ b/tests/multibranch/fixtures/scm_github_comment_plugin_booleans.xml
@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="utf-8"?>
+<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject plugin="workflow-multibranch">
+  <properties/>
+  <views>
+    <hudson.model.AllView>
+      <name>All</name>
+      <filterExecutors>false</filterExecutors>
+      <filterQueue>false</filterQueue>
+      <properties class="hudson.model.View$PropertyList"/>
+      <owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../../.."/>
+    </hudson.model.AllView>
+  </views>
+  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
+  <folderViews class="jenkins.branch.MultiBranchProjectViewHolder" plugin="branch-api">
+    <owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/>
+  </folderViews>
+  <healthMetrics>
+    <com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric plugin="cloudbees-folder">
+      <nonRecursive>false</nonRecursive>
+    </com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric>
+  </healthMetrics>
+  <icon class="jenkins.branch.MetadataActionFolderIcon" plugin="branch-api">
+    <owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/>
+  </icon>
+  <orphanedItemStrategy class="com.cloudbees.hudson.plugins.folder.computed.DefaultOrphanedItemStrategy" plugin="cloudbees-folder">
+    <pruneDeadBranches>true</pruneDeadBranches>
+    <daysToKeep>-1</daysToKeep>
+    <numToKeep>-1</numToKeep>
+    <abortBuilds>false</abortBuilds>
+  </orphanedItemStrategy>
+  <triggers/>
+  <sources class="jenkins.branch.MultiBranchProject$BranchSourceList" plugin="branch-api">
+    <data>
+      <jenkins.branch.BranchSource>
+        <source class="org.jenkinsci.plugins.github_branch_source.GitHubSCMSource" plugin="github-branch-source">
+          <id>gh-johndoe-foo</id>
+          <repoOwner>johndoe</repoOwner>
+          <repository>foo</repository>
+          <traits>
+            <org.jenkinsci.plugins.github__branch__source.BranchDiscoveryTrait>
+              <strategyId>1</strategyId>
+            </org.jenkinsci.plugins.github__branch__source.BranchDiscoveryTrait>
+            <org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait>
+              <strategyId>1</strategyId>
+              <trust class="org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustContributors"/>
+            </org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait>
+            <org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait>
+              <strategyId>1</strategyId>
+            </org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait>
+            <jenkins.plugins.git.traits.WipeWorkspaceTrait>
+              <extension class="hudson.plugins.git.extensions.impl.WipeWorkspace"/>
+            </jenkins.plugins.git.traits.WipeWorkspaceTrait>
+          </traits>
+        </source>
+        <strategy class="jenkins.branch.DefaultBranchPropertyStrategy">
+          <properties class="java.util.Arrays$ArrayList">
+            <a class="jenkins.branch.BranchProperty-array">
+              <jenkins.branch.NoTriggerBranchProperty/>
+              <org.jenkinsci.plugins.workflow.multibranch.DurabilityHintBranchProperty plugin="workflow-multibranch">
+                <hint>MAX_SURVIVABILITY</hint>
+              </org.jenkinsci.plugins.workflow.multibranch.DurabilityHintBranchProperty>
+              <com.adobe.jenkins.github__pr__comment__build.TriggerPRCommentBranchProperty plugin="github-pr-comment-build">
+                <commentBody>Ci build!</commentBody>
+              </com.adobe.jenkins.github__pr__comment__build.TriggerPRCommentBranchProperty>
+              <com.adobe.jenkins.github__pr__comment__build.TriggerPRReviewBranchProperty plugin="github-pr-comment-build"/>
+              <com.adobe.jenkins.github__pr__comment__build.TriggerPRUpdateBranchProperty plugin="github-pr-comment-build"/>
+            </a>
+          </properties>
+        </strategy>
+      </jenkins.branch.BranchSource>
+    </data>
+    <owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/>
+  </sources>
+  <factory class="org.jenkinsci.plugins.workflow.multibranch.WorkflowBranchProjectFactory">
+    <owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/>
+    <scriptPath>Jenkinsfile</scriptPath>
+  </factory>
+</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
--- a/tests/multibranch/fixtures/scm_github_comment_plugin_booleans.yaml
+++ b/tests/multibranch/fixtures/scm_github_comment_plugin_booleans.yaml
@ -0,0 +1,14 @@
+name: 'demo-multibranch-github-min'
+project-type: multibranch
+scm:
+    - github:
+        repo: 'foo'
+        repo-owner: 'johndoe'
+
+        property-strategies:
+            all-branches:
+                - suppress-scm-triggering: true
+                - pipeline-branch-durability-override: max-survivability
+                - trigger-build-on-pr-comment: "Ci build!"
+                - trigger-build-on-pr-review: true
+                - trigger-build-on-pr-update: true
--- a/tests/multibranch/fixtures/scm_github_full.xml
+++ b/tests/multibranch/fixtures/scm_github_full.xml
@ -173,9 +173,14 @@
              </org.jenkinsci.plugins.workflow.multibranch.DurabilityHintBranchProperty>
              <com.adobe.jenkins.github__pr__comment__build.TriggerPRCommentBranchProperty plugin="github-pr-comment-build">
                <commentBody>Ci build!</commentBody>
+                <allowUntrusted>true</allowUntrusted>
              </com.adobe.jenkins.github__pr__comment__build.TriggerPRCommentBranchProperty>
-              <com.adobe.jenkins.github__pr__comment__build.TriggerPRReviewBranchProperty plugin="github-pr-comment-build"/>
-              <com.adobe.jenkins.github__pr__comment__build.TriggerPRUpdateBranchProperty plugin="github-pr-comment-build"/>
+              <com.adobe.jenkins.github__pr__comment__build.TriggerPRReviewBranchProperty plugin="github-pr-comment-build">
+                <allowUntrusted>true</allowUntrusted>
+              </com.adobe.jenkins.github__pr__comment__build.TriggerPRReviewBranchProperty>
+              <com.adobe.jenkins.github__pr__comment__build.TriggerPRUpdateBranchProperty plugin="github-pr-comment-build">
+                <allowUntrusted>true</allowUntrusted>
+              </com.adobe.jenkins.github__pr__comment__build.TriggerPRUpdateBranchProperty>
            </a>
          </properties>
        </strategy>
--- a/tests/multibranch/fixtures/scm_github_full.yaml
+++ b/tests/multibranch/fixtures/scm_github_full.yaml
@ -47,9 +47,13 @@ scm:
            all-branches:
                - suppress-scm-triggering: true
                - pipeline-branch-durability-override: max-survivability
-                - trigger-build-on-pr-comment: "Ci build!"
-                - trigger-build-on-pr-review: true
-                - trigger-build-on-pr-update: true
+                - trigger-build-on-pr-comment:
+                    comment: "Ci build!"
+                    allow-untrusted-users: true
+                - trigger-build-on-pr-review:
+                    allow-untrusted-users: true
+                - trigger-build-on-pr-update:
+                    allow-untrusted-users: true
        build-strategies:
            - all-strategies-match:
                strategies: