I have a GitHub repo set up with a Jenkinsfile. The GitHub Organization Folder Plugin will execute the pipeline from the supplied Jenkinsfile.
The final step of the pipeline is the deploy step. The deploy step checks if the branch has AWS credentials using the CloudBees Amazon Web Services Credentials Plugin. If it detects credentials, it will deploy; otherwise it won't.
All members have read-only access to the GitHub repository; whenever they want to change something, they have to create a pull request (only admins can merge). If there is a new pull request, the Jenkins server will run the pipeline up to the deploy step, to check whether the pull request can be integrated into the master branch. The final step of the pipeline is the deploy step, which shouldn't be executed for pull requests.
```groovy
stage('Deploy') {
    // Deploy with the right credentials: the credential id is derived from the
    // branch name, so a branch without a matching credential falls into the catch.
    try {
        withCredentials([[
            $class: 'AmazonWebServicesCredentialsBinding',
            accessKeyVariable: 'AWS_ACCESS_KEY_ID',
            credentialsId: env.BRANCH_NAME + '_AWS_Credentials',
            secretKeyVariable: 'AWS_SECRET_ACCESS_KEY'
        ]]) {
            echo("Deploying to " + env.BRANCH_NAME + "...")
            ...
        }
    } catch(all) {
        // withCredentials throws when no credential with that id exists
        echo("Not deploying for branch: " + env.BRANCH_NAME)
    }
}
```
The problem is that team members can create a pull request with a changed Jenkinsfile.
So let's say one of the team members gets hacked. They can now infect the production environment by creating a pull request with a changed Jenkinsfile which does the following:
```groovy
credentialsId: 'master_AWS_Credentials',
```
How do I prevent Jenkins from running the pipeline for a changed Jenkinsfile? Or how do I make pull requests use the Jenkinsfile from the master branch instead?
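For reference, here is an added example (not the asker's Jenkinsfile, and not an answer from the thread) of a declarative pipeline in which the deploy stage is gated on the build being a non-pull-request build of the master branch, and the credential id is fixed instead of being derived from `env.BRANCH_NAME`. The `./build.sh`, `./test.sh` and `./deploy.sh` scripts are assumed placeholders; `master_AWS_Credentials` is the id from the question.

```groovy
// Added example: declarative pipeline with the deploy stage guarded by a
// `when` condition. Build/test/deploy scripts are assumed placeholders.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                sh './build.sh'   // assumed build script
            }
        }
        stage('Test') {
            steps {
                sh './test.sh'    // assumed test script
            }
        }
        stage('Deploy') {
            when {
                // The GitHub Branch Source plugin sets CHANGE_ID for pull request
                // builds, which is what changeRequest() tests. branch 'master'
                // limits the stage to the master branch job itself.
                allOf {
                    branch 'master'
                    not { changeRequest() }
                }
            }
            steps {
                withCredentials([[
                    $class: 'AmazonWebServicesCredentialsBinding',
                    // Fixed id: never computed from env.BRANCH_NAME
                    credentialsId: 'master_AWS_Credentials',
                    accessKeyVariable: 'AWS_ACCESS_KEY_ID',
                    secretKeyVariable: 'AWS_SECRET_ACCESS_KEY'
                ]]) {
                    sh './deploy.sh'   // assumed deploy script
                }
            }
        }
    }
}
```

The caveat that matters for the threat described in the question: a multibranch or organization folder job executes the Jenkinsfile from the pull request head, so a malicious pull request can simply delete the `when` block. The guard above prevents accidental deploys from pull request builds, not deliberate ones. The control that actually holds is in Jenkins configuration rather than in the Jenkinsfile: keep the production credentials out of the scope of the job that builds pull requests (for example, store them in a separate Jenkins folder containing only a deploy job that builds master and is not driven by the pull request's Jenkinsfile), so that `master_AWS_Credentials` does not resolve at all from a pull request build.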