Why Jenkinsfile Changes Are Not Reflected in PR Build

Issue

  • When a user modifies the Jenkinsfile and opens a PR, the build does not take the changes into account

  • The console log shows one of the following, depending on the GitHub Branch Source plugin version:

    // GitHub Branch Source: 1.4-1.7
    Loading trusted files from target branch at $REVISION_BASE rather than $REVISION_HEAD
    // GitHub Branch Source: 1.8+:
    Loading trusted files from base branch $BRANCH_NAME at $REVISION_BASE rather than $REVISION_HEAD
    
  • The Branch Indexing log shows:

    [...]
    Checking pull request #PR-1
      ‘Jenkinsfile’ exists in this pull request
    Met criteria
    (not from a trusted source)
    [...]
    

Environment

Resolution

This happens because the author of the pull request is not trusted. In that case, Jenkins falls back to the Jenkinsfile of the base branch.

Changing the Jenkinsfile is equivalent to changing the job configuration. Only users with a certain level of trust should be allowed to do it.

Jenkins handles it this way: when changes to the Jenkinsfile are committed to a PR, Jenkins asks GitHub whether the PR author has permission to push to the origin repository. If so, the author is trusted; otherwise, the author is not.

Therefore, there are 2 ways to handle this:

  • Give push access (i.e. Write permission) to the PR author on the repository in GitHub
  • Explain to users that changing the Jenkinsfile requires a certain level of permission in GitHub
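
To confirm from the logs that a build hit this fallback, the two symptoms listed under Issue can be matched mechanically. The following is an added example, not code from Jenkins or the GitHub Branch Source plugin; the function names, sample revisions and branch name are constructed for illustration.

```python
import re

# Matches both console-log formats quoted above (plugin 1.4-1.7 and 1.8+).
TRUSTED_FILES_RE = re.compile(
    r"Loading trusted files from (?:target branch|base branch (?P<branch>\S+)) "
    r"at (?P<base>\S+) rather than (?P<head>\S+)"
)
PR_HEADER_RE = re.compile(r"^\s*Checking pull request #(?P<pr>\S+)")
UNTRUSTED_MARKER = "(not from a trusted source)"


def untrusted_prs(indexing_log):
    """Return the pull requests that branch indexing flagged as untrusted."""
    current, flagged = None, []
    for line in indexing_log.splitlines():
        m = PR_HEADER_RE.match(line)
        if m:
            current = m.group("pr")  # the marker applies to the PR being checked
        elif UNTRUSTED_MARKER in line and current and current not in flagged:
            flagged.append(current)
    return flagged


def base_branch_fallback(console_log):
    """Return base/head details if the build loaded the base branch's
    Jenkinsfile, or None if no fallback line is present."""
    for line in console_log.splitlines():
        m = TRUSTED_FILES_RE.search(line)
        if m:
            # branch is None for the 1.4-1.7 format, which does not name it
            return {"branch": m.group("branch"),
                    "base": m.group("base"), "head": m.group("head")}
    return None


# Constructed sample logs; revisions and branch names are made up.
SAMPLE_INDEXING = """\
Checking pull request #PR-1
  'Jenkinsfile' exists in this pull request
Met criteria
(not from a trusted source)
Checking pull request #PR-2
  'Jenkinsfile' exists in this pull request
Met criteria
"""
SAMPLE_CONSOLE_OLD = "Loading trusted files from target branch at 1a2b3c4 rather than 5d6e7f8"
SAMPLE_CONSOLE_NEW = "Loading trusted files from base branch master at 1a2b3c4 rather than 5d6e7f8"

if __name__ == "__main__":
    print(untrusted_prs(SAMPLE_INDEXING))
    print(base_branch_fallback(SAMPLE_CONSOLE_NEW))
```
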

Links

Pipeline - Trusted Files
Pipeline - Jenkinsfile
GitHub User Scopes and Organization Permission
Pipeline MultiBranch Plugin


1 Comment

    Robert Hafner

    I've given my users Write access and made them contributors to the repository in question, but this error still shows up. It seems like it's impossible to actually test changes to the Jenkinsfile at all unless they're merged into master.
