Added monitor for release jenkins agents #262
Conversation
| jenkins-token: ${{ secrets.JENKINS_RELEASE_TOKEN }} | ||
| # Issues | ||
| generate-issue: true | ||
| issue-assignees: 'UlisesGascon' |
There was a problem hiding this comment.
@richardlau not sure if makes sense to assign the issues to me, as I can't access to that Jenkins.
There was a problem hiding this comment.
I'm hoping that won't be the case for long 🙂.
There was a problem hiding this comment.
What level of access does the token give to the release jenkins instance? Just want to understand what the potential security impact might be.
There was a problem hiding this comment.
@mhdawson AFAIK we currently do not have a token with access to the release Jenkins instance.
There was a problem hiding this comment.
@richardlau right, but I think this would require one. I'm trying to understand what the risk of having a token with access to the release Jenkins in a public GitHub repo is.
There was a problem hiding this comment.
I think that we can limit the surface if we use read-only tokens. Not sure how much granularity (limit to compute) Jenkins offers currently for this.
There was a problem hiding this comment.
Depending on how we can limit the tokens we might also want to have the actions run in a private repo?
Co-authored-by: Richard Lau <[email protected]>
Main Changes
As discussed in nodejs/build#3414, this add a new pipeline and files to manage alerts from the release machines, following the same settings as per the test machines.
Important
In order to make this new pipeline work we will need to include two secrets in the CI:
JENKINS_RELEASE_USERNAMEJENKINS_RELEASE_TOKENHow to generate the token
Contest
close nodejs/build#3414
Changelog