Security

CI is about executing code. Here are some note on what checks are implemented in EPO to increase security.

  • EPO considers only collaborators with write access.

  • You can override collaborators in jenkins.yml of default branch: .. code-block:: yaml

    settings:
    collaborators:
    • owner
    • admin
    • dev0
    • dev1
  • EPO builds only PR from collaborators.

  • EPO reads instructions from collaborators only.

  • You can allow an external PR to be tested. Say jenkins: allow in a comment. Author instructions before ``allow`` wont be processed. PR author will be considered as a collaborator with write access for this PR. This include automatic merge.

  • Webhook are used only to determine the URL of the head: either https://github.com/owner/repo/tree/branch or https://github.com/owner/repo/pull/1234. Comments are not parsed from webhook.

  • GitHub webhook payload must be signed with Hub secret token.

  • For now, GitHub is accessed using a token. But Jenkins must be open.