
Commit e7b3582

Merge branch 'main' into cache-changed-files
2 parents 838d438 + 5b220d7 commit e7b3582


96 files changed

+3479
-6734
lines changed


config/302-pac-configmap.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -164,6 +164,13 @@ data:
164164
# you may want to disable this if ok-to-test should be done on each iteration
165165
remember-ok-to-test: "false"
166166

167+
# require-ok-to-test-sha enforces that a pull request's commit SHA must be specified
168+
# in an `/ok-to-test` comment. This prevents a race condition where a malicious
169+
# user could push a bad commit after the `/ok-to-test` comment is posted but
170+
# before the CI runs.
171+
# Default: false
172+
require-ok-to-test-sha: "false"
173+
167174
# When enabled, this option prevents duplicate pipeline runs when a commit appears in
168175
# both a push event and a pull request. If a push event comes from a commit that is
169176
# part of an open pull request, the push event will be skipped as it would create
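Review bot: the new `require-ok-to-test-sha` comment block does not say which providers it applies to or what form the SHA may take; the `gitops_commands.md` change in this same commit restricts the check to GitHub App installations and accepts a 7 to 40 character hex prefix of the PR HEAD. A cluster admin who reads only the ConfigMap will assume the option is enforced on every provider. Suggest adding a line such as `# Only enforced for GitHub App installations; other providers carry the SHA in the webhook payload.` and `# Accepts a full 40-character SHA or a prefix of at least 7 hex characters.` so the comment matches the documented behaviour.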

docs/content/docs/guide/authoringprs.md

Lines changed: 19 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -47,25 +47,25 @@ getting tested. You usually use this with the
4747
[git-clone](https://artifacthub.io/packages/tekton-task/tekton-catalog-tasks/git-clone) task to be able to
4848
check out the code that is being tested.
4949

50-
| Variable | Description | Example | Example Output |
51-
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
52-
| body | The full payload body (see [below](#using-the-body-and-headers-in-a-pipelines-as-code-parameter)) | `{{body.pull_request.user.email }}` | <email@domain.com> |
53-
| event_type | The event type (eg: `pull_request` or `push`) | `{{event_type}}` | pull_request (see the note for GitOps Comments [here]({{< relref "/docs/guide/gitops_commands.md#event-type-annotation-and-dynamic-variables" >}}) ) |
54-
| git_auth_secret | The secret name auto-generated with provider token to check out private repos. | `{{git_auth_secret}}` | pac-gitauth-xkxkx |
55-
| headers | The request headers (see [below](#using-the-body-and-headers-in-a-pipelines-as-code-parameter)) | `{{headers['x-github-event']}}` | push |
56-
| pull_request_number | The pull or merge request number, only defined when we are in a `pull_request` event or push event occurred when pull request is merged. | `{{pull_request_number}}` | 1 |
57-
| repo_name | The repository name. | `{{repo_name}}` | pipelines-as-code |
58-
| repo_owner | The repository owner in the git provider. (For VCS providers with owner hierarchies, e.g. GitLab's orgs; namespaces; groups; and subgroups, the full ownership slug is used) | `{{repo_owner}}` | openshift-pipelines |
59-
| repo_url | The repository full URL. | `{{repo_url}}` | <https://github.com/openshift-pipelines/pipelines-as-code> |
60-
| revision | The commit full sha revision. | `{{revision}}` | 1234567890abcdef |
61-
| sender | The sender username (or account ID on some providers) of the commit. | `{{sender}}` | johndoe |
62-
| source_branch | The branch name where the event comes from. | `{{source_branch}}` | main |
63-
| git_tag | The Git tag pushed (only available for tag push events; otherwise empty `""`). | `{{git_tag}}` | v1.0 |
64-
| source_url | The source repository URL from where the event comes (same as the value `repo_url` for push events). | `{{source_url}}` | <https://github.com/openshift-pipelines/pipelines-as-code> |
65-
| target_branch | The branch name on which the event targets (same as `source_branch` for push events). | `{{target_branch}}` | main |
66-
| target_namespace | The target namespace where the Repository has matched and the PipelineRun will be created. | `{{target_namespace}}` | my-namespace |
67-
| trigger_comment | The comment triggering the PipelineRun when using a [GitOps command]({{< relref "/docs/guide/running.md#gitops-command-on-pull-or-merge-request" >}}) (like `/test`, `/retest`) | `{{trigger_comment}}` | /merge-pr branch |
68-
| pull_request_labels | The labels of the pull request separated by a newline | `{{pull_request_labels}}` | bugs\nenhancement |
50+
| Variable | Description | Example | Example Output |
51+
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
52+
| body | The full payload body (see [below](#using-the-body-and-headers-in-a-pipelines-as-code-parameter)) | `{{body.pull_request.user.email }}` | <email@domain.com> |
53+
| event_type | The event type (eg: `pull_request` or `push`) | `{{event_type}}` | pull_request (see the note for GitOps Comments [here]({{< relref "/docs/guide/gitops_commands.md#event-type-annotation-and-dynamic-variables" >}}) ) |
54+
| git_auth_secret | The secret name auto-generated with provider token to check out private repos. | `{{git_auth_secret}}` | pac-gitauth-xkxkx |
55+
| headers | The request headers (see [below](#using-the-body-and-headers-in-a-pipelines-as-code-parameter)) | `{{headers['x-github-event']}}` | push |
56+
| pull_request_number | The pull or merge request number, only defined when we are in a `pull_request` event or push event occurred when pull request is merged. | `{{pull_request_number}}` | 1 |
57+
| repo_name | The repository name. | `{{repo_name}}` | pipelines-as-code |
58+
| repo_owner | The repository owner in the git provider. (For VCS providers with owner hierarchies, e.g. GitLab's orgs; namespaces; groups; and subgroups, the full ownership slug is used) | `{{repo_owner}}` | openshift-pipelines |
59+
| repo_url | The repository full URL. | `{{repo_url}}` | <https://github.com/openshift-pipelines/pipelines-as-code> |
60+
| revision | The commit full sha revision. | `{{revision}}` | 1234567890abcdef |
61+
| sender | The sender username (or account ID on some providers) of the commit. | `{{sender}}` | johndoe |
62+
| source_branch | The branch name where the event comes from. | `{{source_branch}}` | main |
63+
| git_tag | The Git tag pushed (only available for tag push events; otherwise empty `""`). | `{{git_tag}}` | v1.0 |
64+
| source_url | The source repository URL from where the event comes (same as the value `repo_url` for push events). | `{{source_url}}` | <https://github.com/openshift-pipelines/pipelines-as-code> |
65+
| target_branch | The branch name on which the event targets (same as `source_branch` for push events). | `{{target_branch}}` | main |
66+
| target_namespace | The target namespace where the Repository has matched and the PipelineRun will be created. | `{{target_namespace}}` | my-namespace |
67+
| trigger_comment | The comment triggering the PipelineRun when using a [GitOps command]({{< relref "/docs/guide/running.md#gitops-command-on-pull-or-merge-request" >}}) (like `/test`, `/retest`) | `{{trigger_comment}}` | /merge-pr branch |
68+
| pull_request_labels | The labels of the pull request separated by a newline | `{{pull_request_labels}}` | bugs\nenhancement |
6969

7070
Note: When using the `{{ pull_request_number }}` variable in a push-triggered PipelineRun when a pull request is merged and the commit is associated with multiple pull requests
7171
the git provider API may return more than one pull request. In such cases, the `{{ pull_request_number }}` variable will contain the number of the first pull request returned by the API.
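Review bot: this hunk is a whitespace-only reflow of the variables table (every removed row has an identical added row with wider column padding), so the rendered page is unchanged; fine to merge, but since every row was rewritten anyway, the `body` example `{{body.pull_request.user.email }}` should drop the stray space before `}}` to match the other examples, and the `pull_request_labels` output column shows a literal `\n` in Markdown rather than a line break, so it should either show `bugs` and `enhancement` on separate lines or say "newline-separated" in the description and drop the escape from the example.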

docs/content/docs/guide/gitops_commands.md

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,41 @@ This will always trigger a new PipelineRun, even if previous runs were successfu
3939

4040
Similar to `/retest`, the `/ok-to-test` command will only trigger new PipelineRuns if no successful PipelineRun already exists for the same commit. This prevents duplicate runs when repository owners repeatedly test the same commit by `/test` and `/retest` command.
4141

42+
### Requiring a SHA with `/ok-to-test`
43+
44+
{{< tech_preview "Requiring a SHA argument to `/ok-to-test`" >}}
45+
{{< support_matrix github_app="true" github_webhook="false" gitea="false" gitlab="false" bitbucket_cloud="false" bitbucket_datacenter="false" >}}
46+
47+
Cluster administrators can enforce SHA validation on `/ok-to-test` by setting
48+
`require-ok-to-test-sha: "true"` in the Pipelines-as-Code ConfigMap. This
49+
feature currently applies only to GitHub, as its `issue_comment` event does not
50+
include the pull request’s HEAD SHA (unlike other providers that do).
51+
52+
Without this SHA, a small timing window exists where an attacker could push a
53+
new commit immediately after an owner comments `/ok-to-test`, causing CI to run
54+
on unintended code. Requiring the reviewer to include the commit ID eliminates
55+
this risk until GitHub includes the SHA in its webhook payload.
56+
57+
When enabled, repository owners and collaborators must append a 7–40 character
58+
Git SHA (in lowercase or uppercase hexadecimal) to the command, for example:
59+
60+
```text
61+
/ok-to-test 1A2B3C4
62+
```
63+
64+
Pipelines-as-Code verifies the provided SHA against the pull request’s current HEAD:
65+
66+
- Short SHAs must match the HEAD commit’s prefix.
67+
- Full SHAs must match exactly.
68+
69+
If the SHA is missing or invalid, the comment is rejected, and the bot replies
70+
with instructions to retry using the correct value. This mechanism protects
71+
GitHub repositories from the time-of-check/time-of-use vulnerability,
72+
a risk that other providers avoid by including the commit SHA directly in the
73+
webhook payload.
74+
75+
### Targeting Specific PipelineRuns
76+
4277
If you have multiple `PipelineRun` and you want to target a specific `PipelineRun`, you can use the `/test` command followed by the specific PipelineRun name to restart it. Example:
4378

4479
```text
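Review bot: the 7 character minimum ("must append a 7–40 character Git SHA", with "Short SHAs must match the HEAD commit's prefix") reopens part of the race this feature is meant to close: a 7 hex digit prefix is 28 bits, and an attacker who can push to the PR branch can grind a commit (varying the commit timestamp or a nonce in the message) until its SHA begins with the prefix the reviewer typed, then push it in the same window between the comment and the run. Either require the full 40 character SHA, or raise the minimum to a length that is not cheaply brute-forceable and state in the docs that the full SHA is the recommended form. Two smaller points: the support matrix sets `github_webhook="false"` while the prose says the feature "currently applies only to GitHub, as its `issue_comment` event does not include the pull request's HEAD SHA"; the webhook install receives the same `issue_comment` event, so either the matrix is wrong or the prose should say "GitHub App". And "Pipelines-as-Code verifies the provided SHA against the pull request's current HEAD" should also state that the resulting PipelineRun is pinned to that verified SHA rather than re-resolving HEAD at clone time, since the comparison alone does not close the window if the run later checks out whatever HEAD has become.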
