9021fdf8bb
To handle the case where an untrusted project defines a job with a secret which another project would like to run, allow a config project to attach that job to a project-pipeline and have it run regardless of the allowed-projects setting. Normally, untrusted jobs with secrets have an implicit and non-overridable allowed-projects setting of only that project, to avoid a situation where another project with a trusted post-review pipeline gains access to the secret by using a Depends-On to a change which lifts the allowed-projects restriction. This change allows a config project to bypass this, in effect saying that the projects involved trust each other sufficiently (or else, do not have access to a post-review pipeline which could be used to obtain secrets). Change-Id: I52ab193d0e39a37de64c8b3cb6953538e4073b43 |
||
|---|---|---|
| .. | ||
| git | ||
| main.yaml | ||