When a user modify the
Jenkinsfileand opens a PR, the build does not take the changes into account
Console logs shows one of the following depending on the GitHub Branch Source plugin version:
// GitHub Branch Source: 1.4-1.7 Loading trusted files from target branch at $REVISION_BASE rather than $REVISION_HEAD // GitHub Branch Source: 1.8+: Loading trusted files from base branch $BRANCH_NAME at $REVISION_BASE rather than $REVISION_HEAD
Branch Indexing shows
[...] Checking pull request #PR-1 ‘Jenkinsfile’ exists in this pull request Met criteria (not from a trusted source) [...]
This is due to the fact the author of the Pull Request is not trusted. In that case Jenkins falls back to the
Jenkinsfile of the base branch.
Jenkinsfile is equivalent to changing the job configuration. Only users with a certain level of trust should be allowed to do it.
Jenkins handles it that way: when changes to the
Jenkinsfile are committed to a PR , Jenkins asks GitHub whether the PR author has the permission to push to the origin repository, if yes he is trusted, otherwise he is not.
Therefore there are 2 ways to handle this:
- Give push access (i.e. Write permission) to the PR author on the repository in GitHub
- Explain to users that changing the
Jenkinsfilerequires a certain level of permission in GitHub