diff options
author | James E. Blair <jim@acmegating.com> | 2023-01-10 15:04:49 -0800 |
---|---|---|
committer | James E. Blair <jim@acmegating.com> | 2023-01-17 09:37:24 -0800 |
commit | 3f3101216e54e8e1ae5cac658ae8910ccc5efcbd (patch) | |
tree | 2d0b08095e8f408bb3d8d9291db021ceb5488fbf /releasenotes | |
parent | 8f6a421b377e3670eecb09913222849e0ad2f2ca (diff) | |
download | zuul-3f3101216e54e8e1ae5cac658ae8910ccc5efcbd.tar.gz |
Honor independent pipeline requirements for non-live changes
Independent pipelines ignore requirements for non-live changes
because they are not actually executed. However, a user might
configure an independent pipeline that requires code review and
expect a positive code-review pipeline requirement to be enforced.
To ignore it risks executing unreviewed code via dependencies.
To correct this, we now enforce pipeline requirements in independent
pipelines in the same way as dependent ones.
This also adds a new "allow-other-connections" pipeline configuration
option which permits users to specify exhaustive pipeline requirements.
Change-Id: I6c006f9e63a888f83494e575455395bd534b955f
Story: 2010515
Diffstat (limited to 'releasenotes')
-rw-r--r-- | releasenotes/notes/non-live-pipeline-requirements-aa173bd86b332e63.yaml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/releasenotes/notes/non-live-pipeline-requirements-aa173bd86b332e63.yaml b/releasenotes/notes/non-live-pipeline-requirements-aa173bd86b332e63.yaml new file mode 100644 index 000000000..052d5b255 --- /dev/null +++ b/releasenotes/notes/non-live-pipeline-requirements-aa173bd86b332e63.yaml @@ -0,0 +1,29 @@ +--- +features: + - | + A new pipeline attribute, + :attr:`pipeline.allow-other-connections`, has been added + to ensure that only changes from connections which + are mentioned in the pipeline configuration (such as triggers, + reporters, or pipeline requirements) are enqueued. +security: + - | + Non-live items are now subject to pipeline requirements for + independent pipelines. + + Previously, an optimization for independent pipelines skipped + checking that a change met the pipeline requirements. If an + independent pipeline is intended only to run reviewed code, this + could allow running unreviewed code by updating dependent changes. + + Now both non-live and live items are subject to pipeline + requirements in all pipeline managers. + + - | + The new `allow-other-connections` pipeline configuration option + may now be used to ensure that only changes from connections which + are mentioned in the pipeline configuration (such as triggers, + reporters, or pipeline requirements) are enqueued. This allows + the construction of a pipeline where, for example, code review + requirements are strictly enforced, even for dependencies which + are not normally directly enqueued. |