ahuston-0/hydra
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
4,472 Commits 6 Branches 0 Tags
5f530d7d56f3caafbb1b631e27dd1325d42ef8f4
Commit Graph

4472 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Sandro
5f530d7d56 Fix webhook-secrets.conf permissions 
The secret is read by hydra-server which is run under hydra-www so that needs to be able to read the file.
 2025-08-12 16:36:39 +02:00
Janne Heß
f7bda020c6 Merge commit from fork 
webhooks: implement authentication for GitHub and Gitea
 2025-08-12 12:10:29 +02:00
Janne Heß
dea1e168f5 Merge commit from fork 
Fix GHSA-7qwg-q53v-vh99
 2025-08-12 12:06:18 +02:00
Jörg Thalheim
b47b187553 webhooks: implement authentication for GitHub and Gitea 
- Add HMAC-SHA256 signature verification for webhooks
- Support multiple secrets for rotation
- Add security logging for authentication events
- Maintain backward compatibility (auth optional during migration)
- Add comprehensive test coverage

Without authentication, anyone could trigger job evaluations by sending
POST requests to webhook endpoints. This could lead to resource exhaustion
through repeated requests or manipulation of build scheduling. While not
a data breach risk, it allows unauthorized control over CI/CD operations.
 2025-08-10 12:41:47 +02:00
Janne Heß
c6424f37a6 templates: Hopefully escape all template inputs 2025-08-10 12:40:21 +02:00
Janne Heß
b94f47ed27 templates: Make whitespace in [% %] consistent 2025-08-10 12:40:21 +02:00
Janne Heß
615798a51e templates: Use HTML.attributes for all links 2025-08-10 12:40:21 +02:00
Janne Heß
99a6656b40 build: Properly escape all input values 2025-08-10 12:40:21 +02:00
Janne Heß
33b5c6fb41 product-list: Escape untrusted values 2025-08-10 12:40:21 +02:00
Janne Heß
5f226f3b6f hydra-queue-runner: Validate metric type 2025-08-10 12:40:21 +02:00
Janne Heß
7c4f0ab01a hydra-queue-runner: Validate hydra-metrics unit 2025-08-10 12:40:21 +02:00
Janne Heß
0d3842aa2f hydra-queue-runner: Validate metric name in hydra-metrics 2025-08-10 12:40:21 +02:00
Janne Heß
a0ba36db79 hydra-queue-runner: Validate release name 2025-08-10 12:40:21 +02:00
Janne Heß
552ca356ae hydra-queue-runner: Verify product names in hydra-build-products 2025-08-10 12:40:20 +02:00
John Ericson
79ba8fdd04 Merge pull request #1505 from NixOS/no-built-scripts-meson-shell 
package.nix: fix PATH for devshell
 2025-08-05 14:35:14 +00:00
Jörg Thalheim
c645b7ff67 package.nix: fix PATH for devshell 
We don't install scripts to build so this must point to src
 2025-08-05 00:22:46 +02:00
John Ericson
c12d0a66d8 Merge pull request #1503 from NixOS/libpqxx-and-ci 
Libpqxx and ci
 2025-08-04 22:13:09 +00:00
Jörg Thalheim
2f6ec150ec ci: also build on aarch64-linux 2025-08-04 17:44:16 -04:00
Jörg Thalheim
2b4f4cf6f4 cache build with the magic nix cache 2025-08-04 17:44:16 -04:00
Jörg Thalheim
e33b4f88dc queue-runner: Add missing signal.h include for SIGINT and kill() 2025-08-04 17:44:16 -04:00
Jörg Thalheim
a9b89ee779 Migrate from deprecated notification_receiver to connection::listen() 
libpqxx 7.10.1 deprecates the notification_receiver class.
 2025-08-04 17:44:16 -04:00
Jörg Thalheim
84b4fe36b6 Fix libpqxx 7.10.1 API compatibility 
- Replace deprecated exec_params/exec_params0 calls with exec()
- Wrap all parameterized queries with pqxx::params{}
- Add .no_rows()/.one_row() to exec calls that don't return results
 2025-08-04 17:44:16 -04:00
Jörg Thalheim
081d0c079a hydra-eval-jobs: unset NIX_PATH 2025-08-04 17:44:16 -04:00
Jörg Thalheim
a75c5a405c docs/hacking: document how to run single tests 2025-08-04 17:44:16 -04:00
Janne Heß
85b330be41 hydra-queue-runner: Fix potential UB 
Removing two characters from a string when it starts with " can lead to
a substring call with -1
 2025-08-02 17:21:27 +02:00
Janne Heß
1657f6fff4 hydra-queue-runner: Fix crash when < > are in hydra-build-products 
This prevents a forever-hanging build (don't know why) when < or > are
in the path of hydra-build-products. This is not to prevent any XSS (see
next commits), just to prevent the DOS (if you can even call it that).
 2025-08-02 17:21:27 +02:00
Janne Heß
957884d174 Merge pull request #1501 from NixOS/fix/useless-message 
Remove useless previous eval message
 2025-08-02 12:26:54 +00:00
Janne Heß
05a05667d8 Merge branch 'master' into fix/useless-message 2025-08-02 14:21:44 +02:00
Janne Heß
0527fddd6a Remove useless previous eval message 
This message serves no purpose and looks like something went wrong.
There is nothing wrong, there is just no previous evaluation.
 2025-08-02 14:20:59 +02:00
Janne Heß
0017a1d0f3 Merge pull request #1498 from NixOS/feat/new-q-runner-machine-status 
machine-status: Render new queue runner details
 2025-08-02 12:11:07 +00:00
Janne Heß
e9895e81af Merge branch 'master' into feat/new-q-runner-machine-status 2025-08-02 14:05:55 +02:00
Janne Heß
424a767035 Merge pull request #1500 from NixOS/feat/improve-developer-expercience 
Improve general developer experience
 2025-08-02 12:05:41 +00:00
Janne Heß
7096ae3a5b machine-status: Fixup double localhost during development 2025-08-02 14:05:23 +02:00
Janne Heß
ec3d0c696b Fix the evaluator not finding hydra-eval-jobset 2025-08-02 13:53:25 +02:00
Janne Heß
d2c10bf851 Fixup static libraries in development server 2025-08-02 13:53:22 +02:00
Janne Heß
80b9d82ea4 Fix meson and ninja commands and link bootstrap 2025-08-02 13:41:39 +02:00
Janne Heß
85ab735653 Add nix-direnv 2025-08-02 13:41:16 +02:00
Janne Heß
632a59172a machine-status: Make new runner status prettier 
- Remove bottom margin
- Properly format memory in human format
- Calculate free memory
- Format the load with 2 digits after comma
- Lpad pressure percentages
- Use a macro to render pressure
- Score -> Scheduling Score
- More spacing in the load
- Add IRQ pressure
 2025-08-01 11:25:14 +02:00
Janne Heß
95f5d331ee Merge pull request #1499 from NixOS/feat/document-pg-conncetion 
Document how to connect to postgres
 2025-07-31 16:54:32 +00:00
Janne Heß
6e9e13333f Document how to connect to postgres 2025-07-31 18:48:47 +02:00
Janne Heß
7b1968236d machine-status: Render new queue runner details 2025-07-31 18:45:04 +02:00
Janne Heß
b812bb5017 Merge pull request #869 from andir/patch-1 
Add Queue Runner Status to the topbar
 2025-07-17 21:31:27 +00:00
Janne Heß
61573c71d1 Merge pull request #1497 from helsinki-systems/feat/show-new-q-runner-status 
Show queue runner v2 status
 2025-07-17 21:30:36 +00:00
Janne Heß
f50263976c Merge branch 'master' into patch-1 2025-07-17 23:21:18 +02:00
Janne Heß
c413b275ff Merge pull request #1206 from iwanders/CORE-21733-add-link-to-raw-log 
Add a link to the raw log.
 2025-07-16 20:18:43 +00:00
John Ericson
f7a9113166 Merge pull request #1494 from SuperSandro2000/patch-2 
module: sync with nixpkgs
 2025-07-16 19:44:14 +00:00
Janne Heß
97ec796db5 Merge branch 'master' into CORE-21733-add-link-to-raw-log 2025-07-16 18:42:40 +02:00
Janne Heß
42400ef20c Merge pull request #1156 from helsinki-systems/fix/local-store-detection 
Fix local store detection and related issues
 2025-07-16 16:31:15 +00:00
Janne Heß
2fcfa969b8 Merge branch 'master' into fix/local-store-detection 2025-07-16 18:25:54 +02:00
Janne Heß
4f3b783d30 Merge pull request #1493 from NixOS/hostname-utility 
Replace nettools with hostname-debian
 2025-07-16 16:22:17 +00:00