Security
========

CI is about executing code. Here are some notes on what checks are implemented in EPO to increase security.
EPO considers only collaborators with write access.
You can override collaborators in ``jenkins.yml`` of the default branch:

.. code-block:: yaml

    settings:
      collaborators:
      - owner
      - admin
      - dev0
      - dev1
EPO builds only PRs from collaborators.
EPO reads instructions from collaborators only.
You can allow an external PR to be tested. Say ``jenkins: allow`` in a comment. Author instructions posted before the ``allow`` won't be processed. From then on the PR author is considered a collaborator with write access for this PR only. This includes automatic merge.

Webhooks are used only to determine the URL of the head: either
``https://github.com/owner/repo/tree/branch`` or
``https://github.com/owner/repo/pull/1234``. Comments are not parsed from
webhooks. The GitHub webhook payload must be signed with the Hub secret token.
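The instruction policy above (collaborators only, ``allow`` promoting the PR author from that comment onward) as an added example. This is not EPO's own code: the ``jenkins: <verb>`` comment format, the function names and the sample thread are assumptions made for the illustration.

```python
"""Added example (not jenkins-epo's own code): a model of the instruction
policy described on the page. The `jenkins: <verb>` comment format, the
function names and the sample thread are assumptions for this illustration."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# One instruction per line, e.g. "jenkins: skip" or "jenkins: allow" (assumed format).
INSTRUCTION_RE = re.compile(r"^\s*jenkins:\s*(?P<verb>[\w-]+)\s*$",
                            re.IGNORECASE | re.MULTILINE)


@dataclass(frozen=True)
class Comment:
    author: str   # GitHub login of the commenter
    body: str     # raw comment text


def read_instructions(pr_author: str, collaborators: Iterable[str],
                      comments: Iterable[Comment]) -> Tuple[List[Tuple[str, str]], Set[str]]:
    """Walk the comment thread in order and return (instructions, trusted).

    Rules enforced, as the page states them:
    - only comments from trusted users (collaborators with write access) are read;
    - `jenkins: allow` from a trusted user adds the PR author to the trusted set
      from that comment on, so the author's earlier instructions stay ignored.
    """
    trusted = set(collaborators)
    instructions: List[Tuple[str, str]] = []
    for comment in comments:
        if comment.author not in trusted:
            continue  # non-collaborator: never parsed, whatever the body says
        for match in INSTRUCTION_RE.finditer(comment.body):
            verb = match.group("verb").lower()
            if verb == "allow":
                trusted.add(pr_author)  # promotion is scoped to this PR only
            else:
                instructions.append((comment.author, verb))
    return instructions, trusted


def may_build(pr_author: str, collaborators: Iterable[str],
              comments: Iterable[Comment]) -> bool:
    """EPO builds a PR only when its author is (or has been allowed as) a collaborator."""
    _, trusted = read_instructions(pr_author, collaborators, comments)
    return pr_author in trusted


# Constructed sample thread for an external PR opened by "stranger".
SAMPLE_COLLABORATORS = {"owner", "dev0"}
SAMPLE_THREAD = [
    Comment("stranger", "jenkins: rebuild"),   # ignored: not a collaborator yet
    Comment("dev0", "jenkins: skip"),          # read: dev0 has write access
    Comment("dev0", "jenkins: allow"),         # promotes "stranger" for this PR
    Comment("stranger", "jenkins: rebuild"),   # read: posted after the allow
]

if __name__ == "__main__":
    print(read_instructions("stranger", SAMPLE_COLLABORATORS, SAMPLE_THREAD))
    print(may_build("stranger", SAMPLE_COLLABORATORS, SAMPLE_THREAD))
```

Note that the first ``jenkins: rebuild`` from the external author is dropped even though a later ``allow`` exists: the trusted set grows as the thread is walked, so anything posted before the collaborator's decision is never read.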
For now, GitHub is accessed using a token. But Jenkins must be open.
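The webhook handling described above, as an added example that is not EPO's own code: the delivery is rejected unless its HMAC signature verifies against the Hub secret, and afterwards only the head URL is taken from the payload. The secret, the sample payloads and the function names are constructed for this illustration; the ``X-Hub-Signature-256`` header format is GitHub's.

```python
"""Added example (not jenkins-epo's own code): verify a GitHub webhook's HMAC
signature with the Hub secret, then take nothing from the payload but the
head URL. The secret and payloads below are constructed for the demo."""
import hashlib
import hmac
import json
from typing import Optional


def sign_payload(secret: bytes, payload: bytes) -> str:
    """Produce the value GitHub sends in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, payload: bytes, header: Optional[str]) -> bool:
    """True only if the header is a valid HMAC of the raw body under `secret`.

    The comparison is constant-time, and the bytes checked must be the raw
    request body as received, not a re-serialised JSON object.
    """
    if not header:
        return False
    algo, sep, received = header.partition("=")
    if sep != "=" or algo not in ("sha1", "sha256"):
        return False
    expected = hmac.new(secret, payload, getattr(hashlib, algo)).hexdigest()
    return hmac.compare_digest(expected, received)


def head_url(event: str, payload: dict) -> Optional[str]:
    """Return the only fact taken from a webhook: the URL of the head.

    Comment bodies are deliberately not read from the payload, so a forged
    field in a delivery cannot smuggle an instruction in.
    """
    if event == "pull_request":
        return payload["pull_request"]["html_url"]
    if event == "push":
        ref = payload["ref"]
        prefix = "refs/heads/"
        if not ref.startswith(prefix):
            return None  # tag pushes are not branch heads
        return payload["repository"]["html_url"] + "/tree/" + ref[len(prefix):]
    return None


def handle_webhook(secret: bytes, event: str, body: bytes,
                   header: Optional[str]) -> Optional[str]:
    """Reject unsigned or forged deliveries before parsing anything."""
    if not verify_signature(secret, body, header):
        return None
    return head_url(event, json.loads(body))


# Constructed sample deliveries.
SECRET = b"constructed-hub-secret"
PUSH_BODY = json.dumps({"ref": "refs/heads/branch",
                        "repository": {"html_url": "https://github.com/owner/repo"}}).encode()
PR_BODY = json.dumps({"pull_request": {"html_url": "https://github.com/owner/repo/pull/1234"}}).encode()

if __name__ == "__main__":
    sig = sign_payload(SECRET, PUSH_BODY)
    print(handle_webhook(SECRET, "push", PUSH_BODY, sig))
    print(handle_webhook(SECRET, "push", PUSH_BODY + b" ", sig))  # tampered body: None
```

Verification happens on the raw bytes before ``json.loads`` runs, so an unsigned delivery never reaches the parser; a single appended byte or a different secret fails the check.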