I’m using an organization folder to automatically build Jenkinsfile whenever commits are pushed to git.
I want to restrict permissions of builds triggered by git push, so that they can only start certain types of jobs, such as:
- Building and pushing docker images
- Deploying a new version of the app to the development environment on AWS
As far as I know, no plugins can do this. Are there alternatives I’m not aware of? I don’t want to create multiple Jenkins instances just for isolating users.
authorize-project is the closest to what I want. It has the ability to configure the build user for projects, and you could set permissions for that user with other plugins, such as role-strategy. However, there are multiple obstacles to doing that:
- authorize-project plugin doesn’t support multi branch project / organization folder. (Organization folder creates a collection of multi-branch projects as a folder) [JENKINS-50559] Authorization Folder property for Multibranch jobs - Jenkins Jira
- per-project settings of authorize-project cannot be enabled with JCasC. [JENKINS-56774] Add JCasC support by darxriggs · Pull Request #44 · jenkinsci/authorize-project-plugin · GitHub
- jobs in an organization folder ignore the global configuration of the git plugin. It creates a new user automatically, using part of the committer’s email as the user name. (e.g. If the committer’s email is email@example.com, a user named jane will get created).
- Even if I could configure the organization folder to find and use an existing user by the committer’s email, there is no way to guarantee that the user is real. One could easily impersonate just by using someone else’s email address in git. I’d rather build as one specific user instead of relying on the committer’s email or username.