fix(codespaces): fix reverse proxy warning and enable CSP (#2185)

gounthar · web-flow · commit ac1c42dc3817 · 2026-04-21T15:50:46.000+02:00
Backport of the main branch fix. Same three changes:
- docker-compose.yaml: pass CODESPACE_NAME and
  GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN into the discovery container
- find-name.sh: update unclassified.location.url and suppress
  ReverseProxySetupMonitor when running in Codespaces
- jenkins.yaml: add security.contentSecurityPolicy to clear the CSP
  administrative monitor warning

Signed-off-by: Bruno Verachten &lt;gounthar@gmail.com&gt;
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -28,6 +28,9 @@ services:
     stdin_open: true
     tty: true
     entrypoint: sh -c "/usr/local/bin/find-name.sh"
+    environment:
+      - CODESPACE_NAME=${CODESPACE_NAME:-}
+      - GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN=${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN:-}
     profiles:
       - maven
       - python
diff --git a/dockerfiles/agent-discovery/find-name.sh b/dockerfiles/agent-discovery/find-name.sh
@@ -31,6 +31,15 @@ cat /var/jenkins_home/jenkins.yaml
 # Hopefully, Jenkins will load this JCasc configuration after we change the value
 # We will modify this file later on with the name of the agent machine, but this change has to happen as soon as possible, so Jenkins knows the token to reload the configuration later on, once we have found the agent machine name.
 
+# If running in GitHub Codespaces, update the Jenkins root URL so the reverse proxy check passes
+if [ -n "${CODESPACE_NAME:-}" ] && [ -n "${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN:-}" ]; then
+    JENKINS_URL="https://${CODESPACE_NAME}-8080.${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN}/"
+    export JENKINS_URL
+    yq eval -i '.unclassified.location.url = env(JENKINS_URL)' /var/jenkins_home/jenkins.yaml
+    yq eval -i '(.jenkins.disabledAdministrativeMonitors // []) as $m | .jenkins.disabledAdministrativeMonitors = ($m + ["hudson.diagnosis.ReverseProxySetupMonitor"] | unique)' /var/jenkins_home/jenkins.yaml
+    echo "✅ Codespaces detected — Jenkins URL set to: ${JENKINS_URL}"
+fi
+
 # Get the IP address of the host machine
 # The hostname -I command is used to print all network addresses of the host.
 # The awk command is used to print the first field (the first IP address).
diff --git a/dockerfiles/jenkins.yaml b/dockerfiles/jenkins.yaml
@@ -39,6 +39,15 @@ credentials:
               privateKey: ${readFile:/ssh-dir/jenkins_agent_ed}
           scope: SYSTEM
           username: "jenkins"
+security:
+  contentSecurityPolicy:
+    header: >-
+      sandbox allow-same-origin allow-scripts allow-popups allow-forms;
+      default-src 'self';
+      img-src 'self' data:;
+      style-src 'self' 'unsafe-inline';
+      script-src 'self' 'unsafe-inline';
+      font-src 'self';
 unclassified:
   location:
     url: "http://127.0.0.1:8080/"
