jobs/tools: Do not inline token in script setting gitlab webhooks

Pass it as a hidden parameter instead as jenkins now requires to manually validate each groovy script for security concerns. As a script is identified by the hash of its content, proceeding like this avoid to revalidate the webhooks setting script each time the token is rotated.

jobs/tools: Do not inline token in script setting gitlab webhooks
Pass it as a hidden parameter instead as jenkins now requires to manually validate each groovy script for security concerns. As a script is identified by the hash of its content, proceeding like this avoid to revalidate the webhooks setting script each time the token is rotated.
49421e8d · Antoine Lambert · 1678ed21 · 49421e8d · 49421e8d · 49421e8d
Commit 49421e8d authored 1 year ago by Antoine Lambert
--- a/jobs/tools/jenkins-jobs-builder.groovy.j2
+++ b/jobs/tools/jenkins-jobs-builder.groovy.j2
@@ -45,6 +45,9 @@ pipeline {
          sh('tox -- update --delete-old')
          build(
            job: '/jenkins-tools/setup-gitlab-webhooks',
+            parameters: [
+              string(name: 'jenkins_token', value: "${jenkins_token}"),
+            ]
          )
        }
      }

--- a/jobs/tools/jenkins-jobs-builder.yaml
+++ b/jobs/tools/jenkins-jobs-builder.yaml
@@ -22,6 +22,11 @@
          cancel-pending-builds-on-update: true
          # secret jenkins token is generated when executing tox
          secret-token: !include-raw: jobs/templates/jenkins-token
+    parameters:
+      - hidden:
+          name: jenkins_token
+          description: Secret webhooks token to trigger jobs
+          default: !include-raw: jobs/templates/jenkins-token
    dsl: !include-jinja2: jenkins-jobs-builder.groovy.j2

--- a/jobs/tools/setup-gitlab-webhooks.groovy.j2
+++ b/jobs/tools/setup-gitlab-webhooks.groovy.j2
@@ -78,7 +78,7 @@ void setupGitlabWebhook(gitlabProjectName, jenkinsProjectName, pushEvents = true
      "note_events": "${mergeRequestEvents}",
      "merge_requests_events": "${mergeRequestEvents}",
      "tag_push_events": "${tagPushEvents}",
-      "token": "{{jenkins_token}}"
+      "token": "${jenkins_token}"
    }
    """

--- a/jobs/tools/setup-gitlab-webhooks.yaml
+++ b/jobs/tools/setup-gitlab-webhooks.yaml
@@ -4,8 +4,6 @@
    project-type: pipeline
    description: Setup Jenkins integration for a GitLab repository
    node: built-in
-    # secret jenkins token is generated when executing tox
-    jenkins_token: !include-raw: jobs/templates/jenkins-token
    parameters:
      - string:
          name: gitlab_url
@@ -15,6 +13,11 @@
          name: jenkins_url
          description: URL of Jenkins instance
          default: https://jenkins.softwareheritage.org
+      - hidden:
+          name: jenkins_token
+          description: Secret webhooks token to trigger jobs
+          # secret jenkins token is generated when executing tox
+          default: !include-raw: jobs/templates/jenkins-token
    dsl: !include-jinja2: setup-gitlab-webhooks.groovy.j2