Merge "Strengthen the caution about allowed-projects"
This commit is contained in:
commit
c0e0dff004
|
@ -1131,7 +1131,8 @@ Here is an example of two job definitions:
|
||||||
:term:`untrusted-project`, `allowed-projects` is automatically
|
:term:`untrusted-project`, `allowed-projects` is automatically
|
||||||
set to the current project only, and can not be overridden.
|
set to the current project only, and can not be overridden.
|
||||||
However, a :term:`config-project` may still add such a job to
|
However, a :term:`config-project` may still add such a job to
|
||||||
any project's pipeline.
|
any project's pipeline. Apply caution when doing so as other
|
||||||
|
projects may be able to expose the source project's secrets.
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
|
@ -1531,7 +1532,8 @@ projects which can invoke that job. If a job with secrets is defined
|
||||||
in an `untrusted-project`, `allowed-projects` is automatically set to
|
in an `untrusted-project`, `allowed-projects` is automatically set to
|
||||||
that project only, and can not be overridden (though a
|
that project only, and can not be overridden (though a
|
||||||
:term:`config-project` may still add the job to any project's pipeline
|
:term:`config-project` may still add the job to any project's pipeline
|
||||||
regardless of this setting).
|
regardless of this setting; do so with caution as other projects may
|
||||||
|
expose the source project's secrets).
|
||||||
|
|
||||||
Secrets, like most configuration items, are unique within a tenant,
|
Secrets, like most configuration items, are unique within a tenant,
|
||||||
though a secret may be defined on multiple branches of the same
|
though a secret may be defined on multiple branches of the same
|
||||||
|
|
Loading…
Reference in New Issue