Added monitor for release jenkins agents #262
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| name: "⚙️ Monitor Jenkins Release CI" | ||
| on: | ||
| schedule: | ||
| # Run every hour | ||
| - cron: "21 * * * *" | ||
|
|
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: none | ||
| issues: write | ||
| packages: none | ||
|
|
||
| jobs: | ||
| security-scoring: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: Jenkins Alert and Reporting | ||
| uses: UlisesGascon/jenkins-status-alerts-and-reporting@v1.3.0 | ||
| id: jenkins-status-alerts-and-reporting | ||
| with: | ||
| database: monitor-release/database.json | ||
| jenkins-domain: 'ci.nodejs.org' | ||
| jenkins-username: ${{ secrets.JENKINS_RELEASE_USERNAME }} | ||
| jenkins-token: ${{ secrets.JENKINS_RELEASE_TOKEN }} | ||
| # Issues | ||
| generate-issue: true | ||
| issue-assignees: 'UlisesGascon' | ||
|
There was a problem hiding this comment. @richardlau not sure if makes sense to assign the issues to me, as I can't access to that Jenkins. There was a problem hiding this comment. I'm hoping that won't be the case for long 🙂. There was a problem hiding this comment. What level of access does the token give to the release jenkins instance? Just want to understand what the potential security impact might be. There was a problem hiding this comment. @mhdawson AFAIK we currently do not have a token with access to the release Jenkins instance. There was a problem hiding this comment. @richardlau right, but I think this would require one. I'm trying to understand what the risk of having a token with access to the release Jenkins in a public GitHub repo is. There was a problem hiding this comment. I think that we can limit the surface if we use read-only tokens. Not sure how much granularity (limit to compute) Jenkins offers currently for this. There was a problem hiding this comment. Depending on how we can limit the tokens we might also want to have the actions run in a private repo? |
||
| issue-labels: 'potential-incident,release-ci' | ||
| create-issues-for-new-offline-nodes: false | ||
| auto-close-issue: true | ||
| disk-alert-level: 90 | ||
| # Report | ||
| report: monitor-release/jenkins-report.md | ||
| report-tags-enabled: false | ||
| # Git changes | ||
| auto-commit: true | ||
| auto-push: true | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| # - name: Print the Computers | ||
| # run: | | ||
| # echo '${{ steps.jenkins-status-alerts-and-reporting.outputs.computers }}' | ||
Uh oh!
There was an error while loading. Please reload this page.