This repository was archived by the owner on Nov 5, 2024. It is now read-only.
File: docs/modules/ROOT/pages/how-to-guides/proc_upgrade_build_pipeline.adoc
Lines changed: 4 additions & 4 deletions
@@ -64,14 +64,14 @@ To further reinforce the security of your custom build pipeline, complete the fo
64
64
65
65
* Add an `OWNERS` file to the root of your repository and list trusted contributors there.
66
66
** To learn more, see Kubernetes docs about link:https://www.kubernetes.dev/docs/guide/owners/[OWNERS files].
67
-
* Avoid commenting `/ok-to-test` on pull requests from untrusted authors, review such PRs carefully first. The `/ok-to-test` comment runs the PipelineRun, and malicious code in a PR can change your build and compromise the security of your application.
67
+
* Review all pull requests carefully. Avoid commenting `/ok-to-test` on PRs from untrusted authors. The `/ok-to-test` comment runs the PipelineRun, and malicious code in a PR can change your build and compromise the security of your application.
68
68
** To learn more about running the PipelineRun, see the link:https://pipelinesascode.com/docs/guide/running/#running-the-pipelinerun[Running the PipelineRun guide] from Pipelines as Code docs.
69
69
* Consider changing the PipelineRun definition source by setting the `pipelinerun_provenance` setting to `default_branch`. With this setting, Pipelines as Code uses the PipelineRun definition from the default branch of the repository, usually `main` or `master`, and only contributors with default branch merge rights can modify the PipelineRun.
70
70
+
71
-
If you don’t set `pipelinerun_provenance`, you allow the default behaviour: the PipelineRun definition is fetched from the branch where the PipelineRun event is triggered, and any contributor can get access to the PipelineRun definition.
71
+
If you don’t set `pipelinerun_provenance`, you allow the default behavior: the PipelineRun definition is fetched from the branch where the PipelineRun event is triggered, and link:https://pipelinesascode.com/docs/guide/running/[submitters who are allowed to run a PipelineRun] can get access to the PipelineRun definition. External submitters cannot run a PipelineRun and need a repository owner to comment `/ok-to-test` on a PR. In these cases `pipelinerun_provenance: default_branch` still applies, and the PipelineRun definition is taken from the default branch.
72
72
+
73
-
Testing changes to the PipelineRun is easier with the default behaviour because PipelineRun changes are tested when a user submits a pull request, before the merge.
73
+
Testing changes to the PipelineRun is easier with the default behavior because PipelineRun changes are tested when a user submits a pull request, before the merge.
74
74
+
75
-
Setting the `pipelinerun_provenance` setting to `default_branch` is more cautious because a PipelineRun definition is tested only after a repository owner reviews and merges it. However, if the proposed change doesn't work correctly, a repository owner might need to merge a few changes to debug the PipelineRun.
75
+
Setting the `pipelinerun_provenance` setting to `default_branch` is more cautious because PipelineRun changes are tested only after a repository owner reviews and merges them. We recommend that repository owners review all changes to PipelineRun very carefully before the merge. If the proposed change doesn't work correctly, a repository owner might need to merge a few changes to debug the PipelineRun.
76
76
77
77
** To learn more about setting the PipelineRun definition source, see link:https://pipelinesascode.com/docs/guide/repositorycrd/#pipelinerun-definition-provenance[PipelineRun definition provenance].
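Review bot: the new sentence at line 71, "In these cases `pipelinerun_provenance: default_branch` still applies, and the PipelineRun definition is taken from the default branch", sits inside the paragraph that describes what happens when `pipelinerun_provenance` is not set, so it reads as if the default-branch definition is used even without the setting. Either move it to the paragraph about setting `default_branch` or make the condition explicit, for example: "If you set `pipelinerun_provenance: default_branch`, this also applies to PRs approved with `/ok-to-test`: the definition is taken from the default branch, not from the PR." In the same line, "can get access to the PipelineRun definition" understates the risk the paragraph is warning about: with the default behavior the definition is fetched from the PR branch, so allowed submitters can change the definition that actually runs, which is the intended contrast with line 69's "only contributors with default branch merge rights can modify the PipelineRun"; consider "can modify the PipelineRun definition that is executed". Minor, line 75: "all changes to PipelineRun" should read "all changes to the PipelineRun" to match the surrounding text.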
0 commit comments