This repository was archived by the owner on Nov 5, 2024. It is now read-only.
docs/modules/ROOT/pages/how-to-guides/proc_upgrade_build_pipeline.adoc
8 additions & 4 deletions
@@ -60,10 +60,14 @@ Run the tests on these pull requests by creating a comment containing `/ok-to-te
60
60
====
61
61
62
62
.Security
63
-
To reinforce the security of your custom build pipeline, you can follow these 3 steps:
63
+
To reinforce the security of your custom build pipeline, complete the following steps:
64
64
65
-
* Add an `OWNERS` file to the `.tekton` directory and list trusted contributors there. To learn more, see Kubernetes docs about link:https://www.kubernetes.dev/docs/guide/owners/[OWNERS files].
66
-
* Don't comment `/ok-to-test` on pull requests from untrusted authors, review such PRs carefully first. The `/ok-to-test` comment runs the PipelineRun, and malicious code in a PR can change your build and compromise the security of your application. To learn more about running the PipelineRun, see the link:https://pipelinesascode.com/docs/guide/running/#running-the-pipelinerun[Running the PipelineRun guide] from Pipelines as Code docs.
65
+
* Add an `OWNERS` file to the `.tekton` directory and list trusted contributors there.
66
+
** To learn more, see Kubernetes docs about link:https://www.kubernetes.dev/docs/guide/owners/[OWNERS files].
67
+
* Avoid commenting `/ok-to-test` on pull requests from untrusted authors, review such PRs carefully first. The `/ok-to-test` comment runs the PipelineRun, and malicious code in a PR can change your build and compromise the security of your application.
68
+
** To learn more about running the PipelineRun, see the link:https://pipelinesascode.com/docs/guide/running/#running-the-pipelinerun[Running the PipelineRun guide] from Pipelines as Code docs.
67
69
* Specify the PipelineRun definition source by setting the `pipelinerun_provenance` setting to `default_branch`. This way Pipelines as Code uses the PipelineRun definition from the default branch of the repository, and only contributors with default branch merge rights have access to PipelineRun.
68
70
+
69
-
If you don’t set `pipelinerun_provenance`, you allow the default behaviour: the PipelineRun definition is fetched from a branch where the PipelineRun event is triggered. This way bad actors can change the PipelineRun definition and get access to your code. To learn more about setting the PipelineRun definition source, see link:https://pipelinesascode.com/docs/guide/repositorycrd/#pipelinerun-definition-provenance[PipelineRun definition provenance].
71
+
If you don’t set `pipelinerun_provenance`, you allow the default behaviour: the PipelineRun definition is fetched from a branch where the PipelineRun event is triggered. This way bad actors can change the PipelineRun definition and get access to your code.
72
+
73
+
** To learn more about setting the PipelineRun definition source, see link:https://pipelinesascode.com/docs/guide/repositorycrd/#pipelinerun-definition-provenance[PipelineRun definition provenance].
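Review bot: new line 67 softens the security advice and contains a comma splice: "Avoid commenting `/ok-to-test` on pull requests from untrusted authors, review such PRs carefully first." The removed line 66 stated it as a rule ("Don't comment ..."), which is the right register for a Security admonition; suggest "Do not comment `/ok-to-test` on pull requests from untrusted authors; review such PRs carefully first." Two smaller points in the same hunk: new line 71 describes the consequence of an unset `pipelinerun_provenance` as bad actors getting "access to your code", while line 67 describes the same class of attack as changing your build and compromising the security of your application, so the two sentences should state the risk consistently (a tampered PipelineRun definition changes what the build does, not merely who can read the source); and the context line 69 should read "have access to the PipelineRun definition". Finally, new line 72 appears to be an empty line rather than a `+` list continuation; please confirm in the rendered preview that the `**` sub-item on line 73 still attaches to the `* Specify the PipelineRun definition source ...` item.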