
Limiting incoming webhook pipeline runs #1845

Open
morgajel opened this issue Dec 2, 2024 · 1 comment

Comments


morgajel commented Dec 2, 2024

Hi folks, I have a simple wishlist item for you: it'd be great if we could limit which pipelinerun files an incoming repository webhook-url could trigger. We currently have a repository that services multiple teams using different pipelines and pipelineruns, and it'd be nice to lock down those incoming webhooks a bit more; from the repository side, implementation could look like this:

apiVersion: pipelinesascode.tekton.dev/v1alpha1
kind: Repository
metadata:
  name: my-repo
spec:
  incoming:
    - pipelineruns:
        - basic-pr
        - team-a-specific-pr
      secret:
        key: secret
        name: team-a-incoming-secret
      targets:
        - main
      type: webhook-url
    - pipelineruns:
        - basic-pr
        - team-b-specific-pr
      secret:
        key: secret
        name: team-b-incoming-secret
      targets:
        - main
      type: webhook-url
  url: 'https://github.com/owner/my-repo'

This would allow greater access control for which secrets could run which pipelineruns; e.g.

# Team A running basic-pr
curl -X POST 'https://pipeline-controller.example.com/incoming?secret=team-a-secret&repository=my-repo&branch=main&pipelinerun=basic-pr'
# Team B running basic-pr
curl -X POST 'https://pipeline-controller.example.com/incoming?secret=team-b-secret&repository=my-repo&branch=main&pipelinerun=basic-pr'
# Team A running team-a-specific-pr
curl -X POST 'https://pipeline-controller.example.com/incoming?secret=team-a-secret&repository=my-repo&branch=main&pipelinerun=team-a-specific-pr'
# Team B running team-b-specific-pr
curl -X POST 'https://pipeline-controller.example.com/incoming?secret=team-b-secret&repository=my-repo&branch=main&pipelinerun=team-b-specific-pr'

# Team A FAILING to run team-b-specific-pr
curl -X POST 'https://pipeline-controller.example.com/incoming?secret=team-a-secret&repository=my-repo&branch=main&pipelinerun=team-b-specific-pr'

Are there any thoughts/concerns/considerations with this?
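As an added illustration that is not part of this issue or of the pipelines-as-code code base: a Go sketch of the check the proposal above implies. The types Incoming, Repository and IncomingRequest, the functions ParseIncomingQuery and Authorize, and the secrets map standing in for a cluster Secret lookup are all assumptions made for this example; the sample Repository and token values are constructed from the YAML and curl lines above.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
)

// Hypothetical types mirroring the proposed spec.incoming shape (not the project's CRD types).
type Incoming struct {
	Type         string   // "webhook-url"
	SecretName   string   // Kubernetes Secret holding the shared token
	SecretKey    string   // key inside that Secret
	Targets      []string // branches this token may target
	PipelineRuns []string // proposed: pipelinerun names this token may trigger
}

type Repository struct{ Name string; Incoming []Incoming }

// IncomingRequest is the parsed /incoming?secret=&repository=&branch=&pipelinerun= query.
type IncomingRequest struct{ Repository, Branch, PipelineRun, Secret string }

var ErrUnauthorized = errors.New("unauthorized")

// ParseIncomingQuery parses the query string used in the curl examples above.
func ParseIncomingQuery(rawQuery string) (IncomingRequest, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return IncomingRequest{}, err
	}
	r := IncomingRequest{q.Get("repository"), q.Get("branch"), q.Get("pipelinerun"), q.Get("secret")}
	if r.Repository == "" || r.Branch == "" || r.PipelineRun == "" || r.Secret == "" {
		return IncomingRequest{}, errors.New("missing repository, branch, pipelinerun or secret")
	}
	return r, nil
}

// Authorize finds the incoming entry whose token equals req.Secret, then checks branch
// and pipelinerun against that entry only. Every entry is compared with ConstantTimeCompare
// and the loop never returns early, so timing does not reveal which entry a guess matched.
// secrets is keyed "<secret name>/<key>" and stands in for a cluster lookup (assumption).
func Authorize(repo Repository, secrets map[string]string, req IncomingRequest) (*Incoming, error) {
	if req.Repository != repo.Name {
		return nil, fmt.Errorf("%w: unknown repository %q", ErrUnauthorized, req.Repository)
	}
	var matched *Incoming
	for i := range repo.Incoming {
		in := &repo.Incoming[i]
		token, ok := secrets[in.SecretName+"/"+in.SecretKey]
		if in.Type != "webhook-url" || !ok {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(token), []byte(req.Secret)) == 1 && matched == nil {
			matched = in
		}
	}
	if matched == nil {
		return nil, fmt.Errorf("%w: no incoming entry accepts this secret", ErrUnauthorized)
	}
	if !contains(matched.Targets, req.Branch) {
		return nil, fmt.Errorf("%w: branch %q not in targets of %s", ErrUnauthorized, req.Branch, matched.SecretName)
	}
	// The proposed restriction: a pipelineruns list is an allow-list for the matched entry.
	// An entry without the list keeps today's behaviour and may trigger any pipelinerun.
	if len(matched.PipelineRuns) > 0 && !contains(matched.PipelineRuns, req.PipelineRun) {
		return nil, fmt.Errorf("%w: pipelinerun %q not allowed for %s", ErrUnauthorized, req.PipelineRun, matched.SecretName)
	}
	return matched, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// SampleRepository and SampleSecrets are constructed data matching the issue's YAML and
// curl examples (token values team-a-secret / team-b-secret are taken from the curl lines).
func SampleRepository() Repository {
	return Repository{Name: "my-repo", Incoming: []Incoming{
		{"webhook-url", "team-a-incoming-secret", "secret", []string{"main"}, []string{"basic-pr", "team-a-specific-pr"}},
		{"webhook-url", "team-b-incoming-secret", "secret", []string{"main"}, []string{"basic-pr", "team-b-specific-pr"}},
	}}
}

func SampleSecrets() map[string]string {
	return map[string]string{"team-a-incoming-secret/secret": "team-a-secret", "team-b-incoming-secret/secret": "team-b-secret"}
}
```

The detail worth keeping if this is implemented: the pipelinerun allow-list must be evaluated against the single entry whose secret matched, not against the union of all entries of the Repository, otherwise team A's token would still reach team-b-specific-pr through the second entry. Separately, the proposed curl calls carry the shared secret in the query string, where it lands in access logs and proxy logs; that is a property of any token-in-URL scheme and is not changed by the allow-list.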

chmouel (Member) commented Dec 3, 2024

I haven't deeply reviewed your proposed intention, but that's a pretty good idea!
