Sandro
242eb72dbb
Fix webhook-secrets.conf permissions for real
...
I did not notice in #1508 that the hydra evaluator now crashed because the hydra config is shared between all components; all of them need to be able to read the secret.
2025-08-12 23:38:05 +02:00
Sandro
5f530d7d56
Fix webhook-secrets.conf permissions
...
The secret is read by hydra-server which is run under hydra-www so that needs to be able to read the file.
2025-08-12 16:36:39 +02:00
Jörg Thalheim
b47b187553
webhooks: implement authentication for GitHub and Gitea
...
- Add HMAC-SHA256 signature verification for webhooks
- Support multiple secrets for rotation
- Add security logging for authentication events
- Maintain backward compatibility (auth optional during migration)
- Add comprehensive test coverage
Without authentication, anyone could trigger job evaluations by sending
POST requests to webhook endpoints. This could lead to resource exhaustion
through repeated requests or manipulation of build scheduling. While not
a data breach risk, it allows unauthorized control over CI/CD operations.
2025-08-10 12:41:47 +02:00
Jörg Thalheim
a75c5a405c
docs/hacking: document how to run single tests
2025-08-04 17:44:16 -04:00
Dionysis Grigoropoulos
62fcacb7d2
fix: Update Nix download url
2025-07-15 19:45:13 +03:00
Julien Marquet
635aff50dd
docs: refine instructions for proxy setting
2025-05-27 12:45:12 -04:00
Thomas Nixon
8bb7d27588
doc/manual: correct nginx reverse proxy example
...
- hydra does not remove the base URI from the request before processing
it, so this must be done in the reverse proxy. in nginx this is done
by giving proxy_pass a URI rather than a protocol/host/port; see:
https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
- proxy_redirect is not correct/required: hydra uses proxy headers to
correctly form redirects in most cases, and where it doesn't it
produces local redirects which aren't matched by this directive anyway
2025-05-23 23:39:44 +01:00
Jörg Thalheim
ae18a7b3ae
fix development workflow after switching to meson-based build
2025-03-29 14:31:18 +00:00
Janne Heß
c8b7a0fea9
Merge pull request #1403 from NixOS/docs
...
Devdocs: mention nix develop and nproc
2024-09-03 15:03:01 +02:00
Martin Weinelt
f730433789
Create eval-jobset role and guard /api/push route
2024-08-27 19:49:05 +02:00
Jörg Thalheim
02a514234b
hacking.md: make build parallel
2024-08-21 08:42:22 +02:00
Jörg Thalheim
54a9729a0f
hacking.md: mention nix develop
2024-08-21 08:42:22 +02:00
Sandro Jäckel
b2b2d6e26c
Expand docs with new compression options
2024-08-18 17:59:36 +02:00
marius david
ada51d70fc
Document the default user and port in hacking.md
2024-07-23 22:39:22 +02:00
John Ericson
d7986226f0
Merge pull request #1227 from SuperSandro2000/gitea-push-hook
...
Add gitea push hook
2024-07-09 14:31:10 -04:00
John Ericson
838648c0ce
Merge pull request #1349 from NixOS/ca-no-new-col
...
Allow building content-addressed derivations with hydra, minimally
2024-01-26 17:54:02 -05:00
Maximilian Bosch
8477009310
doc/manual: fix instructions in contribution guidelines
...
In 5db374cb50 the `bootstrap` script was
removed, however it's still referenced in the contribution guidelines.
Change that to `autoreconfPhase` as intended by the commit.
2024-01-26 17:28:07 +01:00
John Ericson
323b556dc8
Minimal CA support
...
This version has a worse UI, but also changes the schema less: One
non-null constraint is removed, but no new columns are added.
Co-Authored-By: Andrea Ciceri <andrea.ciceri@autistici.org>
Co-Authored-By: regnat <rg@regnat.ovh>
2024-01-26 00:34:58 -05:00
Jack Kelly
abd858d3dc
Document the store_uri parameter by way of example
2023-12-19 07:54:40 +10:00
Sandro
7f816e3237
Fix link
2022-12-05 00:35:05 +01:00
Sandro
213879484d
Fix example config
2022-12-05 00:22:35 +01:00
MaxHearnden
c737bed42f
Fix insecure advice in the manual
...
Bring the manual in line with the configuration documentation
2022-10-19 16:24:01 +01:00
Jörg Thalheim
2ff67cbacc
docs/hacking: update nixos module option for nix-daemon
2022-09-27 22:44:43 +02:00
Janne Heß
371402c3c1
Drop the HipChat plugin
...
https://en.wikipedia.org/wiki/HipChat says:
> Following this, HipChat and Stride customers were migrated to the
> Slack group collaboration platform in a transition that was completed by
> February 2019.
2022-08-20 19:16:43 +02:00
Maximilian Bosch
f6d45b0f0c
doc/configuration: fix ldap role mapping example
...
The group is called `cancel-build`, not `cancel-builds` (note the
trailing `s`).
2022-08-08 13:35:56 +02:00
Sandro Jäckel
750978a192
Add gitea push hook
2022-06-18 13:22:42 +02:00
Graham Christensen
5c90edd19f
Merge pull request #1103 from DeterminateSystems/runcommand/dynamic
...
Dynamic RunCommand
2022-04-19 10:09:47 -04:00
Cole Helbling
be6077d2bb
doc/manual: demonstrate ipv6 metrics address for queue-runner
2022-04-07 11:29:18 -07:00
Cole Helbling
ae690d6602
doc/manual: fixup configuration option name
...
Oops.
2022-04-07 10:40:50 -07:00
Cole Helbling
15e8fa8aff
doc/manual: document queue-runner prometheus exporter configuration
2022-04-06 11:41:40 -07:00
Cole Helbling
3b895aec54
DynamicRunCommand: needs to be enabled by server, project, and jobset
2022-02-11 14:35:52 -05:00
Graham Christensen
05ca71069f
ldap config: document putting the password in a separate file
2022-02-11 11:24:45 -05:00
Graham Christensen
185100adb8
docs: fixup
2022-02-11 10:50:58 -05:00
Graham Christensen
f07fb7d279
LDAP support: include BC support for the YAML based loading
...
Includes a refactoring of the configuration loader.
2022-02-11 10:49:38 -05:00
Janne Heß
61d74a7194
Redo LDAP config in the main configuration and add role mappings
2022-02-11 10:49:38 -05:00
Graham Christensen
517dce285a
eval_added event: change interface to traceID\tjobsetID\tevaluationID
...
I was not going to break the interface until I noticed
the current implementation uses the string literal \t.
2022-02-08 09:51:35 -05:00
Graham Christensen
d512e6220f
eval_failed event: change interface to traceID\tjobsetID
...
I was not going to break the interface until I noticed the other eval_* events used literal \ts
2022-02-08 09:51:35 -05:00
Graham Christensen
2597fa8c11
eval_cached event: change interface to traceID\tjobsetID\tevaluationID
...
I was not going to break the interface until I noticed
the current implementation uses the string literal \t.
2022-02-08 09:51:35 -05:00
Graham Christensen
c30f084f32
eval_started event: change interface to traceID\tjobsetID
...
I was not going to break the interface until I noticed
the current implementation uses the string literal \t.
2022-02-08 09:51:35 -05:00
Graham Christensen
c0eb873379
notifications: document eval_*
2022-02-07 18:08:01 -05:00
Graham Christensen
1802bd0113
Declarative Jobs: add support for the enable_dynamic_run_command flag
2022-02-01 10:58:54 -05:00
Graham Christensen
6ffc93c01a
RunCommand: write documentation for dynamic commands
2022-02-01 10:57:30 -05:00
Graham Christensen
4ea646130c
RunCommand: split out documentation, fixup the matcher syntax
2022-02-01 10:57:30 -05:00
Graham Christensen
bb68b56f61
Merge pull request #1133 from helsinki-systems/doc/config-format
...
doc: Document the file format of the config
2022-01-21 20:49:18 -05:00
Graham Christensen
44cd890ae3
Merge pull request #1130 from DeterminateSystems/prompt-password
...
hydra-create-user: support prompting for password
2022-01-21 15:38:39 -05:00
Janne Heß
56308dbb05
doc: Document the file format of the config
2022-01-21 20:48:50 +01:00
Graham Christensen
da1af1ce68
Docs: use hydra-create-user --password-prompt
2022-01-21 13:05:12 -05:00
Johannes Maier
4476aba5f7
Fix invalid YAML in documentation
2022-01-21 16:38:59 +01:00
Graham Christensen
42edd3a9d8
hydra-notify: respond to cached_build_queued
2022-01-14 09:13:17 -05:00
Graham Christensen
6b7f1da11e
hydra-notify: operate on cached_build_finished events
2022-01-14 09:13:17 -05:00