Merged
2 changes: 0 additions & 2 deletions .gitlab-ci.yml
Expand Up @@ -388,8 +388,6 @@ populate_dep_cache:
rules:
- if: '$POPULATE_CACHE'
when: on_success
Comment on lines 389 to 390
P1 Badge Restrict cache-populating pipelines to trusted refs

With the manual fallback removed, this remaining rule still allows any manually-created pipeline that supplies a non-empty POPULATE_CACHE variable to run the cache-pushing matrix; GitLab documents that bare variable rules match when the variable is defined/non-empty and that manual pipelines can include CI/CD variables (https://docs.gitlab.com/ci/jobs/job_rules/#ci/cd-variable-expressions, https://docs.gitlab.com/ci/pipelines/#run-a-pipeline-manually). In that scenario an untrusted branch can still push the shared dependency-* caches (DEPENDENCY_CACHE_POLICY: push with unprotect: true), so the intended protection against corrupted PR caches is bypassed unless this rule is also constrained to a trusted source/ref such as the scheduled/default-branch path.

- when: manual
allow_failure: true
parallel:
matrix:
- GRADLE_TARGET: ":dd-java-agent:shadowJar :dd-trace-api:jar :dd-trace-ot:shadowJar"
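Review bot: The surviving rule `- if: '$POPULATE_CACHE'` with `when: on_success` is now the only gate on populate_dep_cache, and a bare variable expression is true for any non-empty value, so the job starts automatically in every pipeline where that variable is set, whatever the ref. Consider tying the condition to a trusted source as well, for example `- if: '$POPULATE_CACHE && $CI_PIPELINE_SOURCE == "schedule"'` or an added `$CI_COMMIT_REF_PROTECTED == "true"` check, and put a one-line comment above the rule stating which pipelines are expected to set the variable.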