Jenkins and script approval. One word. Nazis.

Maybe I'm the only one who's been having problems with the Jenkins Pipeline Plugin. Maybe I'm the only one who pounded away at my keyboard for three hours trying to find out why I couldn't get the name of the user who initiated the pipeline.

This piece of code. This one terrible piece of code


By default, Groovy sandboxing is turned on when you work on a pipeline job and when that happens, the compiler only lets through code that is either safe (which translates to Does Nothing) or else is approved by an administrator.

That all sounds good. That all sounds like a great way to control these jobs, and ensure good quality in the jobs.


But the approval process is a mess if you don't turn off Groovy sandboxing, because Jenkins won't allow you to run the script with unapproved code, and Jenkins won't allow you to approve code without running the script first.

It gets better: Jenkins runs a job until it finds an unapproved action, after which it stops, and demands that you approve the action first.

In the example above, accessing the rawBuild variable is considered unsafe, so you have to approve it first. The method getCauses() is unsafe too, but Jenkins won't bother to tell you that. Which means that you spend your morning doing things like this:
  • Write the code
  • Run the Jenkins job - it fails
  • Go to the Script Approval page and approve the use of rawBuild
  • Run the Jenkins job - it fails
  • Go to the Script Approval page and approve the use of getCauses()
This is how revolutions begin. Little things like that make us take up arms against our oppressor. Just saying.
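An added example, not the code from the original post: a scripted-pipeline sketch that reads the triggering user while the sandbox stays on, next to the rawBuild route and the two approvals it costs. It assumes a Pipeline: Supporting APIs plugin recent enough to expose currentBuild.getBuildCauses(); the stage name is made up.

```groovy
// Jenkinsfile (scripted pipeline). Added example, not the post's original code.
node {
    stage('who-started-this') {   // hypothetical stage name
        // The rawBuild route. Under the sandbox each line below stops the build
        // at the first signature that has not been approved yet, so the
        // approvals surface one run at a time:
        //   method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper getRawBuild
        //   method hudson.model.Run getCauses
        // Approving getRawBuild hands every sandboxed pipeline on the controller
        // the full hudson.model.Run object, not just the build causes.
        //
        // def causes = currentBuild.rawBuild.getCauses()

        // Sandbox-friendly route (assumption: the installed plugin version
        // provides getBuildCauses on currentBuild). It returns a JSON array,
        // filtered here to causes of type UserIdCause.
        def userCauses = currentBuild.getBuildCauses('hudson.model.Cause$UserIdCause')

        if (userCauses) {
            // Each entry carries the fields of the cause, including
            // userId and userName for a manually started build.
            echo "Started by ${userCauses[0].userName} (${userCauses[0].userId})"
        } else {
            // Timer, SCM change, upstream job and similar triggers
            // have no UserIdCause attached.
            echo 'Build was not started by a user'
        }
    }
}
```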
