Jörg Thalheim
137761f8cc
hydra-eval-jobset: disable eval cache
2025-08-28 12:08:01 +02:00
Jörg Thalheim
0d2a030661
Merge pull request #1510 from NixOS/fix/too-much-xss
Fix too much XSS protections
2025-08-14 16:26:09 +00:00
Janne Heß
fd0b8ec8e0
Fix too much XSS protections
- Fixes build graphs
- Fixes pagination
- Fixes pressure of new queue runner
2025-08-14 12:25:17 +02:00
Jörg Thalheim
81fd47df42
Merge pull request #1504 from ulucs/patch-1
Correctly apply the setting `allow_import_from_derivation = true`
2025-08-13 06:48:18 +00:00
Jörg Thalheim
2c4460942d
Merge pull request #1509 from SuperSandro2000/patch-2
Fix webhook-secrets.conf permissions for real
2025-08-13 06:47:48 +00:00
Martin Weinelt
2e41e7e8e2
Merge pull request #1507 from NixOS/compare-active-jobsets
jobset-eval: reduce compare options to active jobsets
2025-08-12 22:42:08 +00:00
Sandro
242eb72dbb
Fix webhook-secrets.conf permissions for real
I did not notice in #1508 that the hydra evaluator now crashed because the hydra config is shared between all components; all of them need to be able to read the secret.
2025-08-12 23:38:05 +02:00
Janne Heß
bddf15de46
Merge pull request #1508 from SuperSandro2000/patch-2
Fix webhook-secrets.conf permissions
2025-08-12 16:55:57 +00:00
Sandro
5f530d7d56
Fix webhook-secrets.conf permissions
The secret is read by hydra-server which is run under hydra-www so that needs to be able to read the file.
2025-08-12 16:36:39 +02:00
Martin Weinelt
e851d9f9f6
jobset-eval: reduce compare options to active jobsets
The list of jobsets is very high on hydra.nixos.org and the compare-to
dropdown listing goes over multiple full pages in the busy projects.
If we ignore jobsets that we disable, this interface becomes more usable
again.
2025-08-12 12:40:12 +02:00
Janne Heß
f7bda020c6
Merge commit from fork
webhooks: implement authentication for GitHub and Gitea
2025-08-12 12:10:29 +02:00
Janne Heß
dea1e168f5
Merge commit from fork
Fix GHSA-7qwg-q53v-vh99
2025-08-12 12:06:18 +02:00
Jörg Thalheim
b47b187553
webhooks: implement authentication for GitHub and Gitea
- Add HMAC-SHA256 signature verification for webhooks
- Support multiple secrets for rotation
- Add security logging for authentication events
- Maintain backward compatibility (auth optional during migration)
- Add comprehensive test coverage
Without authentication, anyone could trigger job evaluations by sending
POST requests to webhook endpoints. This could lead to resource exhaustion
through repeated requests or manipulation of build scheduling. While not
a data breach risk, it allows unauthorized control over CI/CD operations.
2025-08-10 12:41:47 +02:00
Janne Heß
c6424f37a6
templates: Hopefully escape all template inputs
2025-08-10 12:40:21 +02:00
Janne Heß
b94f47ed27
templates: Make whitespace in [% %] consistent
2025-08-10 12:40:21 +02:00
Janne Heß
615798a51e
templates: Use HTML.attributes for all links
2025-08-10 12:40:21 +02:00
Janne Heß
99a6656b40
build: Properly escape all input values
2025-08-10 12:40:21 +02:00
Janne Heß
33b5c6fb41
product-list: Escape untrusted values
2025-08-10 12:40:21 +02:00
Janne Heß
5f226f3b6f
hydra-queue-runner: Validate metric type
2025-08-10 12:40:21 +02:00
Janne Heß
7c4f0ab01a
hydra-queue-runner: Validate hydra-metrics unit
2025-08-10 12:40:21 +02:00
Janne Heß
0d3842aa2f
hydra-queue-runner: Validate metric name in hydra-metrics
2025-08-10 12:40:21 +02:00
Janne Heß
a0ba36db79
hydra-queue-runner: Validate release name
2025-08-10 12:40:21 +02:00
Janne Heß
552ca356ae
hydra-queue-runner: Verify product names in hydra-build-products
2025-08-10 12:40:20 +02:00
John Ericson
79ba8fdd04
Merge pull request #1505 from NixOS/no-built-scripts-meson-shell
package.nix: fix PATH for devshell
2025-08-05 14:35:14 +00:00
ulucs
b98f9f8e48
Change the default value for allow_import_from_derivation
configuration option to false
2025-08-05 14:29:56 +02:00
ulucs
476c1a6200
Add parentheses to fix operator precedence
2025-08-05 12:43:51 +02:00
Jörg Thalheim
c645b7ff67
package.nix: fix PATH for devshell
We don't install scripts to build, so this must point to src.
2025-08-05 00:22:46 +02:00
John Ericson
c12d0a66d8
Merge pull request #1503 from NixOS/libpqxx-and-ci
Libpqxx and ci
2025-08-04 22:13:09 +00:00
Jörg Thalheim
2f6ec150ec
ci: also build on aarch64-linux
2025-08-04 17:44:16 -04:00
Jörg Thalheim
2b4f4cf6f4
cache build with the magic nix cache
2025-08-04 17:44:16 -04:00
Jörg Thalheim
e33b4f88dc
queue-runner: Add missing signal.h include for SIGINT and kill()
2025-08-04 17:44:16 -04:00
Jörg Thalheim
a9b89ee779
Migrate from deprecated notification_receiver to connection::listen()
libpqxx 7.10.1 deprecates the notification_receiver class.
2025-08-04 17:44:16 -04:00
Jörg Thalheim
84b4fe36b6
Fix libpqxx 7.10.1 API compatibility
- Replace deprecated exec_params/exec_params0 calls with exec()
- Wrap all parameterized queries with pqxx::params{}
- Add .no_rows()/.one_row() to exec calls that don't return results
2025-08-04 17:44:16 -04:00
Jörg Thalheim
081d0c079a
hydra-eval-jobs: unset NIX_PATH
2025-08-04 17:44:16 -04:00
Jörg Thalheim
a75c5a405c
docs/hacking: document how to run single tests
2025-08-04 17:44:16 -04:00
Janne Heß
85b330be41
hydra-queue-runner: Fix potential UB
Removing two characters from a string when it starts with " can lead to
a substring call with -1.
2025-08-02 17:21:27 +02:00
Janne Heß
1657f6fff4
hydra-queue-runner: Fix crash when < > are in hydra-build-products
This prevents a forever-hanging build (don't know why) when < or > are
in the path of hydra-build-products. This is not to prevent any XSS (see
next commits), just to prevent the DOS (if you can even call it that).
2025-08-02 17:21:27 +02:00
Janne Heß
957884d174
Merge pull request #1501 from NixOS/fix/useless-message
Remove useless previous eval message
2025-08-02 12:26:54 +00:00
Janne Heß
05a05667d8
Merge branch 'master' into fix/useless-message
2025-08-02 14:21:44 +02:00
Janne Heß
0527fddd6a
Remove useless previous eval message
This message serves no purpose and looks like something went wrong.
There is nothing wrong, there is just no previous evaluation.
2025-08-02 14:20:59 +02:00
Janne Heß
0017a1d0f3
Merge pull request #1498 from NixOS/feat/new-q-runner-machine-status
machine-status: Render new queue runner details
2025-08-02 12:11:07 +00:00
Janne Heß
e9895e81af
Merge branch 'master' into feat/new-q-runner-machine-status
2025-08-02 14:05:55 +02:00
Janne Heß
424a767035
Merge pull request #1500 from NixOS/feat/improve-developer-expercience
Improve general developer experience
2025-08-02 12:05:41 +00:00
Janne Heß
7096ae3a5b
machine-status: Fixup double localhost during development
2025-08-02 14:05:23 +02:00
Janne Heß
ec3d0c696b
Fix the evaluator not finding hydra-eval-jobset
2025-08-02 13:53:25 +02:00
Janne Heß
d2c10bf851
Fixup static libraries in development server
2025-08-02 13:53:22 +02:00
Janne Heß
80b9d82ea4
Fix meson and ninja commands and link bootstrap
2025-08-02 13:41:39 +02:00
Janne Heß
85ab735653
Add nix-direnv
2025-08-02 13:41:16 +02:00
Janne Heß
632a59172a
machine-status: Make new runner status prettier
- Remove bottom margin
- Properly format memory in human format
- Calculate free memory
- Format the load with 2 digits after comma
- Lpad pressure percentages
- Use a macro to render pressure
- Score -> Scheduling Score
- More spacing in the load
- Add IRQ pressure
2025-08-01 11:25:14 +02:00
Janne Heß
95f5d331ee
Merge pull request #1499 from NixOS/feat/document-pg-conncetion
Document how to connect to postgres
2025-07-31 16:54:32 +00:00