Commit Graph

3132 Commits

Author SHA1 Message Date
Jörg Thalheim
241ab71800 Merge pull request #1536 from NixOS/fix-1535
Revert "Deduplicate protocol code more with `ServeProto::BasicClientConnection`"
2025-11-06 19:23:48 +00:00
Jörg Thalheim
78ed8d7aa5 Merge pull request #1533 from hacker1024/patch-3
GithubRefs: Allow arbitrary ref types
2025-11-06 09:38:05 +00:00
John Ericson
4bd941daa8 Revert "Deduplicate protocol code more with ServeProto::BasicClientConnection"
This reverts commit 58846b0a1c.
2025-10-30 14:01:38 -04:00
John Ericson
449791b1c7 Upgrade Nix to 2.32 2025-10-16 01:58:08 -04:00
Joshua Leivenzon
d7b40c4233 GithubRefs: Allow arbitrary ref types
GitHub's reference list API does not actually restrict the specified type, so don't artificially restrict it.

The API does not actually make a distinction between the "type" and "prefix" at all, but this is maintained for backwards compatibility. The two are simply concatenated.
2025-10-16 16:35:31 +11:00
John Ericson
58846b0a1c Deduplicate protocol code more with ServeProto::BasicClientConnection
I did this in Nix for this purpose, but didn't get around to actually
taking advantage of it here, until now.
2025-10-15 18:00:20 -04:00
John Ericson
f1463d4bce Merge pull request #1522 from NixOS/no-jq
hydra-plugins: replace jq with perl's own canonical json output
2025-10-10 14:19:58 +00:00
Jörg Thalheim
a499063834 bump to nix/nix-eval-jobs 2.31 2025-10-08 16:47:31 -04:00
Jörg Thalheim
7fa3da755e hydra-plugins: replace jq with perl's own canonical json output 2025-09-13 09:18:05 +02:00
Jörg Thalheim
56f07573ea Avoid shadowing internal run function by renaming it to runCommand
see https://github.com/NixOS/hydra/issues/1520
2025-09-12 21:45:58 +02:00
Jörg Thalheim
b0c1f689c2 Merge pull request #1506 from NixOS/ipc
Stop shelling out
2025-08-29 09:15:49 +00:00
Jörg Thalheim
5cc6ae3ca3 replace all system() shell invocation with safer non-shell alternative 2025-08-28 13:08:59 +02:00
Jörg Thalheim
c6139736ed add perlcritic module to disallow system/exec 2025-08-28 13:08:59 +02:00
Jörg Thalheim
29734ae51f replace backtick operator with run3 2025-08-28 13:08:59 +02:00
Jörg Thalheim
137761f8cc hydra-eval-jobset: disable eval cache 2025-08-28 12:08:01 +02:00
Janne Heß
fd0b8ec8e0 Fix too much XSS protection
- Fixes build graphs
- Fixes pagination
- Fixes pressure of new queue runner
2025-08-14 12:25:17 +02:00
Jörg Thalheim
81fd47df42 Merge pull request #1504 from ulucs/patch-1
Correctly apply the setting `allow_import_from_derivation = true`
2025-08-13 06:48:18 +00:00
Martin Weinelt
e851d9f9f6 jobset-eval: reduce compare options to active jobsets
The list of jobsets is very high on hydra.nixos.org, and the compare-to
dropdown listing goes over multiple full pages in the busy projects.

If we ignore jobsets that we disable, this interface becomes more usable
again.
2025-08-12 12:40:12 +02:00
Janne Heß
f7bda020c6 Merge commit from fork
webhooks: implement authentication for GitHub and Gitea
2025-08-12 12:10:29 +02:00
Janne Heß
dea1e168f5 Merge commit from fork
Fix GHSA-7qwg-q53v-vh99
2025-08-12 12:06:18 +02:00
Jörg Thalheim
b47b187553 webhooks: implement authentication for GitHub and Gitea
- Add HMAC-SHA256 signature verification for webhooks
- Support multiple secrets for rotation
- Add security logging for authentication events
- Maintain backward compatibility (auth optional during migration)
- Add comprehensive test coverage

Without authentication, anyone could trigger job evaluations by sending
POST requests to webhook endpoints. This could lead to resource exhaustion
through repeated requests or manipulation of build scheduling. While not
a data breach risk, it allows unauthorized control over CI/CD operations.
2025-08-10 12:41:47 +02:00
Janne Heß
c6424f37a6 templates: Hopefully escape all template inputs 2025-08-10 12:40:21 +02:00
Janne Heß
b94f47ed27 templates: Make whitespace in [% %] consistent 2025-08-10 12:40:21 +02:00
Janne Heß
615798a51e templates: Use HTML.attributes for all links 2025-08-10 12:40:21 +02:00
Janne Heß
99a6656b40 build: Properly escape all input values 2025-08-10 12:40:21 +02:00
Janne Heß
33b5c6fb41 product-list: Escape untrusted values 2025-08-10 12:40:21 +02:00
Janne Heß
5f226f3b6f hydra-queue-runner: Validate metric type 2025-08-10 12:40:21 +02:00
Janne Heß
7c4f0ab01a hydra-queue-runner: Validate hydra-metrics unit 2025-08-10 12:40:21 +02:00
Janne Heß
0d3842aa2f hydra-queue-runner: Validate metric name in hydra-metrics 2025-08-10 12:40:21 +02:00
Janne Heß
a0ba36db79 hydra-queue-runner: Validate release name 2025-08-10 12:40:21 +02:00
Janne Heß
552ca356ae hydra-queue-runner: Verify product names in hydra-build-products 2025-08-10 12:40:20 +02:00
ulucs
b98f9f8e48 Change the default value for allow_import_from_derivation configuration option to false 2025-08-05 14:29:56 +02:00
ulucs
476c1a6200 Add parentheses to fix operator precedence 2025-08-05 12:43:51 +02:00
Jörg Thalheim
e33b4f88dc queue-runner: Add missing signal.h include for SIGINT and kill() 2025-08-04 17:44:16 -04:00
Jörg Thalheim
a9b89ee779 Migrate from deprecated notification_receiver to connection::listen()
libpqxx 7.10.1 deprecates the notification_receiver class.
2025-08-04 17:44:16 -04:00
Jörg Thalheim
84b4fe36b6 Fix libpqxx 7.10.1 API compatibility
- Replace deprecated exec_params/exec_params0 calls with exec()
- Wrap all parameterized queries with pqxx::params{}
- Add .no_rows()/.one_row() to exec calls that don't return results
2025-08-04 17:44:16 -04:00
Jörg Thalheim
081d0c079a hydra-eval-jobs: unset NIX_PATH 2025-08-04 17:44:16 -04:00
Janne Heß
85b330be41 hydra-queue-runner: Fix potential UB
Removing two characters from a string when it starts with " can lead to
a substring call with -1.
2025-08-02 17:21:27 +02:00
Janne Heß
1657f6fff4 hydra-queue-runner: Fix crash when < > are in hydra-build-products
This prevents a forever-hanging build (don't know why) when < or > are
in the path of hydra-build-products. This is not to prevent any XSS (see
next commits), just to prevent the DOS (if you can even call it that).
2025-08-02 17:21:27 +02:00
Janne Heß
05a05667d8 Merge branch 'master' into fix/useless-message 2025-08-02 14:21:44 +02:00
Janne Heß
0527fddd6a Remove useless previous eval message
This message serves no purpose and looks like something went wrong.
There is nothing wrong, there is just no previous evaluation.
2025-08-02 14:20:59 +02:00
Janne Heß
0017a1d0f3 Merge pull request #1498 from NixOS/feat/new-q-runner-machine-status
machine-status: Render new queue runner details
2025-08-02 12:11:07 +00:00
Janne Heß
7096ae3a5b machine-status: Fixup double localhost during development 2025-08-02 14:05:23 +02:00
Janne Heß
d2c10bf851 Fixup static libraries in development server 2025-08-02 13:53:22 +02:00
Janne Heß
632a59172a machine-status: Make new runner status prettier
- Remove bottom margin
- Properly format memory in human format
- Calculate free memory
- Format the load with 2 digits after comma
- Lpad pressure percentages
- Use a macro to render pressure
- Score -> Scheduling Score
- More spacing in the load
- Add IRQ pressure
2025-08-01 11:25:14 +02:00
Janne Heß
7b1968236d machine-status: Render new queue runner details 2025-07-31 18:45:04 +02:00
Janne Heß
b812bb5017 Merge pull request #869 from andir/patch-1
Add Queue Runner Status to the topbar
2025-07-17 21:31:27 +00:00
Janne Heß
61573c71d1 Merge pull request #1497 from helsinki-systems/feat/show-new-q-runner-status
Show queue runner v2 status
2025-07-17 21:30:36 +00:00
Janne Heß
f50263976c Merge branch 'master' into patch-1 2025-07-17 23:21:18 +02:00
Janne Heß
97ec796db5 Merge branch 'master' into CORE-21733-add-link-to-raw-log 2025-07-16 18:42:40 +02:00