Hosting request for multibranch-pipeline-initial-trigger plugin

[joutvhu]

Repository URL

https://github.com/joutvhu/multibranch-pipeline-initial-trigger

New Repository Name

multibranch-pipeline-initial-trigger-plugin

Description

This plugin help to trigger the Multi-Branch Pipeline Job after it is created.

GitHub users to have commit permission

@joutvhu

Jenkins project users to have release permission

joutvhu

Issue tracker

GitHub issues

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @joutvhu (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @joutvhu (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⚠️ Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.19.14)

[jenkins-cert-app]

The Jenkins Security Scan discovered 3 finding(s) 🔍.
For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

---

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

PipelineTriggerProperty.java#106

Potential CSRF vulnerability: If DescriptorImpl#doAutoCompleteActionJobsToTriggerOnRunDelete connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

PipelineTriggerProperty.java#96

Potential CSRF vulnerability: If DescriptorImpl#doAutoCompleteDeleteActionJobsToTrigger connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

PipelineTriggerProperty.java#86

Potential CSRF vulnerability: If DescriptorImpl#doAutoCompleteCreateActionJobsToTrigger connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

[NotMyFault]

Please recreate your repository using the Jenkins archetype for the maven plugin as base layout: https://www.jenkins.io/doc/developer/tutorial/create/
Choosing "4" and modifying the example java classes.

[joutvhu]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

---

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

[joutvhu]

@NotMyFault I have changed the project layout to maven layout

[joutvhu]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.277.4</jenkins.version> to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.
• ⛔ Required: The parent pom version '4.32' should be at least '4.71' or higher.
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @joutvhu (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @joutvhu (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[joutvhu]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @joutvhu (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @joutvhu (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[NotMyFault]

What would be a practical use case of this plugin?

[joutvhu]

@NotMyFault I use it to load the Jenkinsfile. See the below example:

pipeline {
    agent any
    parameters {
        choice choices: ['dev', 'uat'], name: 'DEPLOY_TO'
    }
    stages {
        stage('Deploy to Nexus and Push Tag') {
            when {
                // Apply for branchs
                environment name: 'TAG_NAME', value: null
            }
            steps {
                 ...
            }
        }
        stage('Deploy to Server') {
            when {
                 // Apply for tags
                 not {
                    environment name: 'TAG_NAME', value: null
                 }
            }
            steps {
                  // Use params.DEPLOY TO to select the server
            }
       }
    }
}

When a tag is created it will not have the Build with Parameters button for the first build.
This plugin will be used to trigger the tag as soon as it is created to load the Jenkinsfile.
Once triggered by the plugin, the Build with Parameters button will be available to the user.

[NotMyFault]

When a tag is created it will not have the Build with Parameters button for the first build.

That sounds more like a bug in the pipeline plugin because building with parameters is available for first builds in other job types.

I'd recommend filing an issue on Jira with a clear description and steps to replicate. Given you have already investigated into it, don't hesitate to raise a PR. That would be much appreciated.

[joutvhu]

@NotMyFault
I think that is not an issue.
The parameters are declared in the Jenkinsfile. So if the job has not been run yet, it will not know that there are parameters.
It must be running for the Jenkinsfile to be cloned from git.
Just like I change the Jenkinsfile on git, the changes (ex: change parameters) will not be applied until it is run.

[joutvhu]

I have made changes based on your feedback.

[timja]

The parameters are declared in the Jenkinsfile. So if the job has not been run yet, it will not know that there are parameters.

there's an issue somewhere I think, I believe I remember @jglick saying that this could be fixed for declarative but probably not for scripted.

[jglick]

One solution that was considered in the past would work only for Declarative (tracked as JENKINS-41929), but would not be straightforward as you would need to fetch Jenkinsfile from SCM when creating a branch project and parse Groovy. A somewhat simpler alternative would be to load job properties from a separate YAML file in the repository, using syntax similar to configuration-as-code.

A much simpler change which should work transparently for at least the common case of the first build of a “pull request” (or similar concept depending on SCM) would be for workflow-multibranch to copy job properties from the base branch when creating a new branch project. See jenkinsci/parallel-test-executor-plugin#226 an example of using ChangeRequestSCMHead.getTarget for a similar purpose. This would not handle the tag use case however.

Another option would just be to allow users to configure job properties including parameters on the repository folder rather than in SCM. (Would not work for children of an organization folder.)

multibranch-pipeline-initial-trigger is clearly a workaround for what should be fixed properly in multibranch Pipeline. I am not exactly clear on why it needs to exist, though; the default behavior of multibranch is already to trigger an initial build when a new branch project is created.

[joutvhu]

@jglick The initial build will not be triggered when the tag is created.

[jglick]

Not sure why not; fix that instead.