ahuston-0/hydra
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
4,432 Commits 6 Branches 0 Tags
2e02b25da5c367bd225d061207d931ed8d570a12
Commit Graph

83 Commits

Author SHA1 Message Date
Jörg Thalheim
f2cbf14f7e webhooks: implement authentication for GitHub and Gitea 
- Add HMAC-SHA256 signature verification for webhooks
- Support multiple secrets for rotation
- Add security logging for authentication events
- Maintain backward compatibility (auth optional during migration)
- Add comprehensive test coverage

Without authentication, anyone could trigger job evaluations by sending
POST requests to webhook endpoints. This could lead to resource exhaustion
through repeated requests or manipulation of build scheduling. While not
a data breach risk, it allows unauthorized control over CI/CD operations.
 2025-09-07 22:48:40 -04:00
Janne Heß
dc6fd37e02 Show queue runner v2 status 
This is guarded behind a setting and will overwrite everything that was
learned from the machines file. Also drops `sshKeys` since that wasn't
used anyway.
 2025-09-07 22:48:40 -04:00
Pierre Bourdon
17f9920cf9 jobset-eval: fix actions not showing up sometimes for new jobs 
New jobs have their "new" status take precedence over them being
"failed" or "queued", which means actions that can act on "failed" or
"queued" jobs weren't shown to the user when they could only act on
"new" jobs.

(cherry picked from commit 9a4a5dd624)
 2025-05-14 20:29:25 -04:00
ajs124
17094c8371 lazy-load evaluation errors 
Closes #1362
 2025-04-09 11:31:47 -04:00
Jörg Thalheim
b6f44b5cd0 Merge pull request #1402 from NixOS/like-sub 
tests: use `like` for testing regexes
 2024-09-15 23:50:13 +02:00
Martin Weinelt
f730433789 Create eval-jobset role and guard /api/push route 2024-08-27 19:49:05 +02:00
Janne Heß
916531dc9c api: Require POST for /api/push 2024-08-27 17:52:13 +02:00
Jörg Thalheim
250780aaf2 tests: use like for testing regexes 
This gives us better diagnostics when the test fails.
 2024-08-21 08:34:25 +02:00
Eelco Dolstra
ce001bb142 Relax time interval checks 
I saw one of these failing randomly.
 2023-06-23 15:09:09 +02:00
Maximilian Bosch
fd765bc97a Fix "My Jobs" tab in user dashboard 
Nowadays `Builds` doesn't reference `Project` directly anymore. This
means that simply resolving both `jobset` and `project` with a single
JOIN from `Builds` doesn't work anymore. Instead we need to resolve the
relation to `jobset` first and then the relation to `project`.

For similar fixes see e.g. c7c4759600.
 2022-11-22 20:54:51 +01:00
Maximilian Bosch
d3fe4ffbf6 Job: expose closuresize and size (output size in the UI) as prometheus metrics 2022-09-22 10:47:22 +02:00
Graham Christensen
5c90edd19f Merge pull request #1103 from DeterminateSystems/runcommand/dynamic 
Dynamic RunCommand
 2022-04-19 10:09:47 -04:00
Cole Helbling
edf3c348f2 hydra-queue-runner: make entire address configurable 2022-04-06 10:59:45 -07:00
Cole Helbling
9c1f36c47c t/lib/HydraTestContext: set queue runner port to 0 
This makes the exposer choose a random, available port.
 2022-03-29 11:41:23 -07:00
Cole Helbling
928ba9e854 Controller/{Jobset,Project}: error when enabling dynamic runcommand but it's disabled elsewhere 2022-02-11 14:35:52 -05:00
Graham Christensen
78e9872251 ldap.t: write the password to an external .conf file 2022-02-11 11:27:10 -05:00
Graham Christensen
848fb3b265 ldap-legacy.t: specify the root password manually 2022-02-11 11:26:56 -05:00
Graham Christensen
6637c03985 fixup normalization error regex 2022-02-11 10:59:24 -05:00
Graham Christensen
71c06f2ce7 LDAP normalization errors: note that the error came while normalizing the roles. 2022-02-11 10:55:27 -05:00
Graham Christensen
d6dea39912 ldap_role_map.t: fixup indentation 2022-02-11 10:53:08 -05:00
Graham Christensen
f07fb7d279 LDAP support: include BC support for the YAML based loading 
Includes a refactoring of the configuration loader.
 2022-02-11 10:49:38 -05:00
Graham Christensen
76b4b43ac5 Move ldap.t to a legacy-ldap.t, make ldap.t use the new format config. 2022-02-11 10:49:38 -05:00
Graham Christensen
d0bc0d0eda Merge pull request #1152 from DeterminateSystems/parallel-tests 
Parallel tests, fix a hydra-queue-runner race condition
 2022-02-10 12:11:20 -05:00
Graham Christensen
4f9aea9434 t/Hydra/Plugin/gitea.t: explain why we loop a few times 
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
 2022-02-10 12:02:29 -05:00
Graham Christensen
e709a17508 gitea.t: try opening the file a few times 2022-02-10 11:01:09 -05:00
Graham Christensen
80c6525029 LDAP: Create a test which does not use a VM 2022-02-09 20:56:10 -05:00
Graham Christensen
845e6d4760 captureStdoutStderr*: move to Hydra::Helper::Exec which helps avoid some environment variable fixation problems 2022-02-09 14:28:50 -05:00
Graham Christensen
517dce285a eval_added event: change interface to traceID\tjobsetID\tevaluationID 
I was not going to break the interface until I noticed
the current implementation uses the string literal \t.
 2022-02-08 09:51:35 -05:00
Graham Christensen
d512e6220f eval_failed event: change interface to traceID\tjobsetID 
I was not going to break the interface until I noticed the other eval_* events used literal \ts
 2022-02-08 09:51:35 -05:00
Graham Christensen
2597fa8c11 eval_cached event: change interface to traceID\tjobsetID\tevaluationID 
I was not going to break the interface until I noticed
the current implementation uses the string literal \t.
 2022-02-08 09:51:35 -05:00
Graham Christensen
c30f084f32 eval_started event: change interface to traceID\tjobsetID 
I was not going to break the interface until I noticed
the current implementation uses the string literal \t.
 2022-02-08 09:51:35 -05:00
Graham Christensen
f648e91487 StepFinished.t: fixup use 2022-02-07 16:08:40 -05:00
Graham Christensen
7107ce2bc7 t/Event/* -> t/Hydra/Event/ 2022-02-07 16:08:40 -05:00
Graham Christensen
d8b56f022d RunCommand: print a warning if the hook isn't run because the project / jobset doens't have it enabled 2022-02-01 10:58:54 -05:00
Graham Christensen
38514ae494 fanout tests: capture warnings and test their relevance 2022-02-01 10:58:54 -05:00
Graham Christensen
2635607b6e whoops: add a test on the enable_dynamic_run_command field 2022-02-01 10:58:54 -05:00
Graham Christensen
1affb1cfb1 jobset API: expose and check the enable_dynamic_run_command 2022-02-01 10:58:54 -05:00
Graham Christensen
726ea80e99 HTTP/Jobset: support setting / reading enable_dynamic_run_command 2022-02-01 10:58:54 -05:00
Graham Christensen
0810f5debc finish making the dynamic hooks only run on project & jobset agreement 2022-02-01 10:58:54 -05:00
Graham Christensen
0c96172c28 RunCommand: only run dynamic runcommand hooks if the project AND jobset agree they should be enabled 2022-02-01 10:58:54 -05:00
Graham Christensen
3cce0c5ef6 Only run dynamic runcommand hooks if the jobset enables them 2022-02-01 10:57:30 -05:00
Graham Christensen
216d8bee35 DynamicRunCommand: don't run if the build failed 2022-02-01 10:57:30 -05:00
Graham Christensen
1a30a0c2f1 Dynamic RunCommand: validate that the job's out exists, is a file (or points to a file) which is executable. 2022-02-01 10:57:30 -05:00
Graham Christensen
c2be27e82b fanout.t: switch to makeAndEvaluateJobset 2022-02-01 10:57:30 -05:00
Graham Christensen
e7f68045f4 DynamicRunCommand: pull out the function determining if a build is 
eligible for execution under dynamic run commands.
 2022-02-01 10:57:30 -05:00
Graham Christensen
e56c49333f RunCommand: Add a WIP execution of dynamic commands 
This in-progress feature will run a dynamically generated set of
buildFinished hooks, which must be nested under the `runCommandHook.*`
attribute set. This implementation is not very good, with some to-dos:

1. Only run if the build succeeded
2. Verify the output is named $out and that it is an executable file
   (or a symlink to a file)
3. Require the jobset itself have a flag enabling the feature, since
   this feature can be a bit dangerous if various people of different
   trust levels can create the jobs.
 2022-02-01 10:57:30 -05:00
Graham Christensen
ea311a0eb4 RunCommand: enable the plugin if dynamicruncommand is set 2022-02-01 10:57:30 -05:00
Cole Helbling
61189ecca9 Helper/Nix: constructRunCommandLogPath: verify uuid is valid 
This shouldn't be possible normally, but it is possible to:

    $db->resultset('RunCommandLogs')->new({ uuid => "../etc/passwd" });

if you have access to the `$db`.
 2022-01-31 08:58:33 -08:00
Cole Helbling
2c6487b8d7 t/Helper: test constructRunCommandLogPath 2022-01-31 08:58:33 -08:00
Cole Helbling
8bf3cdbc67 t/Helper: switch to using test_context() 2022-01-31 08:58:33 -08:00