db6fcabbf3
sync gitea changes with github changes
2025-09-07 23:37:33 -04:00
Notarin Steele
3bc4685259
docs: tiny typo fix in README.md
2025-09-07 22:48:41 -04:00
Jörg Thalheim
6138de486c
replace all system() shell invocation with safer non-shell alternative
2025-09-07 22:48:41 -04:00
Jörg Thalheim
a63ed33f9c
perlcritic: run with --quiet flag to not log all files
We only want warnings; we don't care which files have been checked.
2025-09-07 22:48:41 -04:00
Jörg Thalheim
2e02b25da5
add perlcritic module to disallow system/exec
2025-09-07 22:48:41 -04:00
Jörg Thalheim
b9465afb85
replace backtick operator with run3
2025-09-07 22:48:41 -04:00
Jörg Thalheim
3a50e31799
perlcritic: no longer allow qx/backticks
2025-09-07 22:48:41 -04:00
Jörg Thalheim
5b4d0b6f4b
hydra-eval-jobset: disable eval cache
2025-09-07 22:48:41 -04:00
Robin Stumm
7321b29196
document force parameter for /api/push
2025-09-07 22:48:41 -04:00
Janne Heß
6c8d789541
Fix too much XSS protection
- Fixes build graphs
- Fixes pagination
- Fixes pressure of new queue runner
2025-09-07 22:48:41 -04:00
ulucs
d9fa44d227
Change the default value for allow_import_from_derivation configuration option to false
2025-09-07 22:48:41 -04:00
ulucs
9dab0aed49
Add parentheses to fix operator precedence
2025-09-07 22:48:41 -04:00
Sandro
76c6695587
Fix webhook-secrets.conf permissions for real
I did not notice in #1508 that the hydra evaluator now crashed because the hydra config is shared between all components, so all of them need to be able to read the secret.
2025-09-07 22:48:41 -04:00
Martin Weinelt
d9020e6f1d
jobset-eval: reduce compare options to active jobsets
The list of jobsets is very high on hydra.nixos.org and the compare to
dropdown listing goes over multiple full pages in the busy projects.
If we ignore jobsets that we disable this interface becomes more usable
again.
2025-09-07 22:48:41 -04:00
Sandro
27c7476c3d
Fix webhook-secrets.conf permissions
The secret is read by hydra-server which is run under hydra-www so that needs to be able to read the file.
2025-09-07 22:48:41 -04:00
Jörg Thalheim
f2cbf14f7e
webhooks: implement authentication for GitHub and Gitea
- Add HMAC-SHA256 signature verification for webhooks
- Support multiple secrets for rotation
- Add security logging for authentication events
- Maintain backward compatibility (auth optional during migration)
- Add comprehensive test coverage
Without authentication, anyone could trigger job evaluations by sending
POST requests to webhook endpoints. This could lead to resource exhaustion
through repeated requests or manipulation of build scheduling. While not
a data breach risk, it allows unauthorized control over CI/CD operations.
2025-09-07 22:48:40 -04:00
Janne Heß
4d2d0f9722
templates: Hopefully escape all template inputs
2025-09-07 22:48:40 -04:00
Janne Heß
4125de8208
templates: Make whitespace in [% %] consistent
2025-09-07 22:48:40 -04:00
Janne Heß
06c6bd1b7b
templates: Use HTML.attributes for all links
2025-09-07 22:48:40 -04:00
Janne Heß
bb78a58ea2
build: Properly escape all input values
2025-09-07 22:48:40 -04:00
Janne Heß
0764b1f48c
product-list: Escape untrusted values
2025-09-07 22:48:40 -04:00
Janne Heß
5014274c99
hydra-queue-runner: Validate metric type
2025-09-07 22:48:40 -04:00
Janne Heß
8f3fdc14d8
hydra-queue-runner: Validate hydra-metrics unit
2025-09-07 22:48:40 -04:00
Janne Heß
74d923441e
hydra-queue-runner: Validate metric name in hydra-metrics
2025-09-07 22:48:40 -04:00
Janne Heß
9396846892
hydra-queue-runner: Validate release name
2025-09-07 22:48:40 -04:00
Janne Heß
252801cea8
hydra-queue-runner: Verify product names in hydra-build-products
2025-09-07 22:48:40 -04:00
Janne Heß
21a75982aa
hydra-queue-runner: Fix potential UB
Removing two characters from a string when it starts with " can lead to
a substring call with -1
2025-09-07 22:48:40 -04:00
Janne Heß
3eeba86a87
hydra-queue-runner: Fix crash when < > are in hydra-build-products
This prevents a forever-hanging build (don't know why) when < or > are
in the path of hydra-build-products. This is not to prevent any XSS (see
next commits), just to prevent the DOS (if you can even call it that).
2025-09-07 22:48:40 -04:00
Jörg Thalheim
b295744323
package.nix: fix PATH for devshell
We don't install scripts to build so this must point to src
2025-09-07 22:48:40 -04:00
Jörg Thalheim
ed939f44f4
ci: also build on aarch64-linux
2025-09-07 22:48:40 -04:00
Jörg Thalheim
a44d946e09
cache build with the magic nix cache
2025-09-07 22:48:40 -04:00
Jörg Thalheim
64e05c24e2
queue-runner: Add missing signal.h include for SIGINT and kill()
2025-09-07 22:48:40 -04:00
Jörg Thalheim
5187992c94
Migrate from deprecated notification_receiver to connection::listen()
libpqxx 7.10.1 deprecates the notification_receiver class.
2025-09-07 22:48:40 -04:00
Jörg Thalheim
aee4e406e9
Fix libpqxx 7.10.1 API compatibility
- Replace deprecated exec_params/exec_params0 calls with exec()
- Wrap all parameterized queries with pqxx::params{}
- Add .no_rows()/.one_row() to exec calls that don't return results
2025-09-07 22:48:40 -04:00
Jörg Thalheim
44b007c167
hydra-eval-jobs: unset NIX_PATH
2025-09-07 22:48:40 -04:00
Jörg Thalheim
b0ccc5aa49
docs/hacking: document how to run single tests
2025-09-07 22:48:40 -04:00
Janne Heß
6ea6d8fc70
machine-status: Fixup double localhost during development
2025-09-07 22:48:40 -04:00
Janne Heß
bfd2a4c4f9
machine-status: Make new runner status prettier
- Remove bottom margin
- Properly format memory in human format
- Calculate free memory
- Format the load with 2 digits after comma
- Lpad pressure percentages
- Use a macro to render pressure
- Score -> Scheduling Score
- More spacing in the load
- Add IRQ pressure
2025-09-07 22:48:40 -04:00
Janne Heß
ea2024a9bc
machine-status: Render new queue runner details
2025-09-07 22:48:40 -04:00
Janne Heß
81d278fe5b
Remove useless previous eval message
This message serves no purpose and looks like something went wrong.
There is nothing wrong, there is just no previous evaluation.
2025-09-07 22:48:40 -04:00
Janne Heß
5bb8da7280
Fix the evaluator not finding hydra-eval-jobset
2025-09-07 22:48:40 -04:00
Janne Heß
15e742c8c2
Fixup static libraries in development server
2025-09-07 22:48:40 -04:00
Janne Heß
f9d7629f95
Fix meson and ninja commands and link bootstrap
2025-09-07 22:48:40 -04:00
Janne Heß
6eeb08fc0a
Add nix-direnv
2025-09-07 22:48:40 -04:00
Janne Heß
c396bc958f
Document how to connect to postgres
2025-09-07 22:48:40 -04:00
Andreas Rammhold
60876ef897
Add Queue Runner Status to the topbar
I've been searching for this waaay too often in the past and I simply do not see a reason not to include it in the topbar by default.
2025-09-07 22:48:40 -04:00
Janne Heß
83db317594
Fix PATH for the foreman scripts
2025-09-07 22:48:40 -04:00
Janne Heß
dc6fd37e02
Show queue runner v2 status
This is guarded behind a setting and will overwrite everything that was
learned from the machines file. Also drops `sshKeys` since that wasn't
used anyway.
2025-09-07 22:48:40 -04:00
Ivor Wanders
16bb3aad9a
Add a link to the raw log.
2025-09-07 22:48:40 -04:00
Sandro
710092c556
module: sync with nixpkgs
2025-09-07 22:48:40 -04:00