Disallow manual triggers of populate_dep_cache#11829
Code Coverage: commit SHA 714e60b
Java Benchmark SLOs: all performance SLOs passed (PR vs. master results)
Commit: Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.
populate_dep_cache
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 714e60b7ff
| - if: '$POPULATE_CACHE' | ||
| when: on_success |
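Review bot: the surviving rule `- if: '$POPULATE_CACHE'` / `when: on_success` is a bare variable expression, so it matches whenever POPULATE_CACHE is defined and non-empty, which a manually created pipeline on an unprotected branch can arrange simply by supplying that variable; because the job pushes the shared dependency-* caches with `DEPENDENCY_CACHE_POLICY: push` and `unprotect: true`, an untrusted branch can still overwrite caches that protected refs read. Compound the condition with the pipeline source and ref, for example `if: '$POPULATE_CACHE && $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'`, and close the rules list with `- when: never` so any other pipeline does not create the job.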
Restrict cache-populating pipelines to trusted refs
With the manual fallback removed, this remaining rule still allows any manually-created pipeline that supplies a non-empty POPULATE_CACHE variable to run the cache-pushing matrix; GitLab documents that bare variable rules match when the variable is defined/non-empty and that manual pipelines can include CI/CD variables (https://docs.gitlab.com/ci/jobs/job_rules/#ci/cd-variable-expressions, https://docs.gitlab.com/ci/pipelines/#run-a-pipeline-manually). In that scenario an untrusted branch can still push the shared dependency-* caches (DEPENDENCY_CACHE_POLICY: push with unprotect: true), so the intended protection against corrupted PR caches is bypassed unless this rule is also constrained to a trusted source/ref such as the scheduled/default-branch path.
/merge
What Does This Do
Remove manual trigger from `populate_dep_cache` job. `populate_dep_cache` can still be triggered from GitLab: https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-java/-/pipeline_schedules
Motivation
If a corrupted PR runs the `populate_dep_cache` job, all dep caches including for protected refs such as `master` and release tags will read in the corrupted cache. This could lead to security compromises, so disallow manual triggers of the `populate_dep_cache` job. The cache is otherwise populated from `master` either daily or when the GitLab workflow is manually triggered.
Additional Notes
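Added example, not the dd-trace-java project's own `.gitlab-ci.yml`: the bare-variable rule quoted in the review next to a hardened form that only fires for a scheduled pipeline on the default branch. The job names, cache key, image and script are placeholders; `POPULATE_CACHE`, `DEPENDENCY_CACHE_POLICY` and `unprotect: true` are taken from the discussion above, and `CI_PIPELINE_SOURCE`, `CI_COMMIT_REF_PROTECTED`, `CI_COMMIT_BRANCH` and `CI_DEFAULT_BRANCH` are GitLab's predefined variables.

```yaml
# Constructed example; not the project's real pipeline definition.
# Job names, image, cache key and script are placeholders.

# Weak rule: a bare variable expression matches whenever POPULATE_CACHE is
# defined and non-empty. Anyone who can create a pipeline (Run pipeline
# button, API, schedule) on any branch can set that variable, so an
# unprotected branch can run this job and push the shared cache.
populate_dep_cache_weak:
  image: placeholder-build-image          # placeholder
  variables:
    DEPENDENCY_CACHE_POLICY: push         # this job writes the cache
  cache:
    key: dependency-placeholder           # placeholder for the dependency-* key
    policy: $DEPENDENCY_CACHE_POLICY
    unprotect: true                       # cache is shared with protected refs
    paths:
      - .m2/repository/
  rules:
    - if: '$POPULATE_CACHE'
      when: on_success
  script:
    - ./gradlew dependencies --refresh-dependencies   # placeholder

# Hardened rule: the variable alone is not enough. The pipeline must have been
# created by a schedule, the ref must be protected, and the branch must be the
# default branch. A push, merge_request_event, web or api pipeline on a feature
# branch cannot satisfy CI_PIPELINE_SOURCE/CI_COMMIT_BRANCH by supplying
# variables, so it falls through to `when: never` and the job is never created.
populate_dep_cache:
  image: placeholder-build-image          # placeholder
  variables:
    DEPENDENCY_CACHE_POLICY: push
  cache:
    key: dependency-placeholder           # placeholder
    policy: $DEPENDENCY_CACHE_POLICY
    unprotect: true
    paths:
      - .m2/repository/
  rules:
    - if: '$POPULATE_CACHE && $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: on_success
    - when: never
  script:
    - ./gradlew dependencies --refresh-dependencies   # placeholder
```

The source and ref predicates are the part that closes the gap: `CI_PIPELINE_SOURCE` and `CI_COMMIT_BRANCH` are set by GitLab from how and where the pipeline was created, not from user-supplied variables, so a pipeline started from a PR branch cannot make the hardened rule true no matter what it passes in `POPULATE_CACHE`. The trailing `- when: never` is explicit rather than relied on by omission so a later edit that appends another rule does not silently widen the match.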