Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions .github/workflows/trigger_jenkins.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: Trigger Jenkins CI
on:
- push
- pull_request
jobs:
# This workflow contains a single job called "trigger_jenkins"
trigger_jenkins:
# The type of runner that the job will run on
#runs-on: jenkins-trigger
runs-on: self-hosted
env:
REPO_NAME: ${{ github.event.repository.name }}
ORG_NAME: ${{ github.event.organization.login }}
JENKINS_ROOT: ${{ secrets.JENKINS_CONTROLLER_URL }}job/${{ secrets.JENKINS_TRIGGER_ROOT_FOLDER }}/job/${{ secrets.JENKINS_TRIGGER_ORG_FOLDER }}/job/
steps:
- name: trigger single Job

Check notice on line 16 in .github/workflows/trigger_jenkins.yaml

View check run for this annotation

DynamoDS Chorus / security/checkov

CKV_GHA_3

Suspicious use of curl with secrets
run: >
curl -X POST -u "${{ secrets.JENKINS_TRIGGER_USER }}:${{ secrets.JENKINS_TRIGGER_TOKEN }}"
${{ env.JENKINS_ROOT}}/${{ env.ORG_NAME }}/job/${{ env.REPO_NAME }}/build\?delay=\0
Comment on lines +10 to +19

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 year ago

To fix the issue, we will add a permissions block at the root level of the workflow. This block will explicitly define the least privileges required for the workflow. Since the workflow only triggers a Jenkins job and does not interact with the repository contents, we will set contents: read as the minimal permission. This ensures that the workflow has read-only access to the repository contents and no write access.

The changes will be made to the .github/workflows/trigger_jenkins.yaml file. No additional methods, imports, or definitions are required.


Suggested changeset 1
.github/workflows/trigger_jenkins.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/trigger_jenkins.yaml b/.github/workflows/trigger_jenkins.yaml
--- a/.github/workflows/trigger_jenkins.yaml
+++ b/.github/workflows/trigger_jenkins.yaml
@@ -1,2 +1,4 @@
 name: Trigger Jenkins CI
+permissions:
+  contents: read
 on:
EOF
@@ -1,2 +1,4 @@
name: Trigger Jenkins CI
permissions:
contents: read
on:
Copilot is powered by AI and may make mistakes. Always verify output.
14 changes: 14 additions & 0 deletions Jenkins.cbci
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
@Library(['PSL@LKG']) _

library identifier: 'cBuild_PSL@main', retriever: modernSCM([
$class: 'GitSCMSource',
remote: 'https://git.autodesk.com/ContinuousLocalization/PSL_cBuild.git',
credentialsId: 'L10NCBCI-github-app-psl-ContinuousLocalization',
])

devRepoParameters("DynamoCore_CL")

node("cl-prd-azure-dynamic-win-vm") {
cleanWs()
devRepo()
}
Loading