{ "_class" : "hudson.model.FreeStyleBuild", "actions" : [ { "_class" : "hudson.model.CauseAction", "causes" : [ { "_class" : "com.cloudbees.jenkins.GitHubPushCause", "shortDescription" : "Started by GitHub push by ti-chi-bot[bot]" }, { "_class" : "com.cloudbees.jenkins.GitHubPushCause", "shortDescription" : "Started by GitHub push by ti-chi-bot[bot]" } ] }, { }, { "_class" : "jenkins.metrics.impl.TimeInQueueAction", "blockedDurationMillis" : 0, "blockedTimeMillis" : 0, "buildableDurationMillis" : 20086, "buildableTimeMillis" : 20086, "buildingDurationMillis" : 43215, "executingTimeMillis" : 43215, "executorUtilization" : 1.0, "subTaskCount" : 0, "waitingDurationMillis" : 6535, "waitingTimeMillis" : 6535 }, { "_class" : "hudson.plugins.git.util.BuildData", "buildsByBranchName" : { "origin/main" : { "_class" : "hudson.plugins.git.util.Build", "buildNumber" : 1611, "buildResult" : null, "marked" : { "SHA1" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "branch" : [ { "SHA1" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "name" : "origin/main" } ] }, "revision" : { "SHA1" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "branch" : [ { "SHA1" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "name" : "origin/main" } ] } } }, "lastBuiltRevision" : { "SHA1" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "branch" : [ { "SHA1" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "name" : "origin/main" } ] }, "remoteUrls" : [ "https://github.com/PingCAP-QE/ci.git" ], "scmName" : "" }, { }, { }, { }, { }, { }, { }, { "_class" : "org.jenkinsci.plugins.displayurlapi.actions.RunDisplayAction" } ], "artifacts" : [ ], "building" : false, "description" : null, "displayName" : "#1611", "duration" : 43215, "estimatedDuration" : 44870, "executor" : null, "fullDisplayName" : "seed #1611", "id" : "1611", "inProgress" : false, "keepLog" : false, "number" : 1611, "queueId" : 3665215, "result" : "SUCCESS", "timestamp" : 1776077707144, "url" : "https://do.pingcap.net/jenkins/job/seed/1611/", "builtOn" : "default-cqg55", "changeSet" : { "_class" : "hudson.plugins.git.GitChangeSetList", "items" : [ { "_class" : "hudson.plugins.git.GitChangeSet", "affectedPaths" : [ "pipelines/pingcap/tidb/release-8.5/pull_unit_test_ddlv1.groovy", "pipelines/pingcap/tidb/release-8.3/pull_unit_test.groovy", "pipelines/pingcap/tidb/release-7.3/ghpr_check.groovy", "pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test_ddlv1.groovy", "pipelines/pingcap/tidb/release-7.1/ghpr_unit_test.groovy", "pipelines/pingcap/tidb/release-8.5/pull_build.groovy", "pipelines/pingcap/tidb/release-8.2/pull_unit_test.groovy", "pipelines/pingcap/tidb/release-7.2/ghpr_build.groovy", "pipelines/pingcap/tidb/release-8.5/pull_check.groovy", "pipelines/pingcap/tiflash/release-9.0-beta/pull_integration_test.groovy", "pipelines/pingcap/tidb/release-8.0/ghpr_check.groovy", "pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test.groovy", "pipelines/pingcap/tidb/release-7.1/ghpr_build.groovy", "pipelines/pingcap/tidb/release-7.5/ghpr_check.groovy", "pipelines/pingcap/tidb/release-7.3/ghpr_unit_test.groovy", "pipelines/pingcap/tidb/release-7.2/ghpr_unit_test.groovy", "pipelines/pingcap/tidb/release-8.4/pull_check.groovy", "pipelines/pingcap/tidb/release-7.6/ghpr_build.groovy", "pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test_ddlv1.groovy", "pipelines/pingcap/tidb/release-7.4/ghpr_check.groovy", "pipelines/pingcap/tidb/release-7.6/ghpr_check.groovy", "pipelines/pingcap/tidb/release-8.1/ghpr_build.groovy", "pipelines/pingcap/tiflash/latest/pull_unit_next_gen.groovy", "pipelines/pingcap/tidb/release-8.3/pull_check.groovy", "pipelines/pingcap/tidb/release-8.0/ghpr_unit_test.groovy", "pipelines/pingcap/tidb/release-7.6/ghpr_unit_test.groovy", "pipelines/pingcap-inc/tidb/release-8.5/pull_check.groovy", "pipelines/pingcap/tidb/release-7.5/ghpr_unit_test.groovy", "pipelines/pingcap/tidb/release-8.2/pull_build.groovy", "pipelines/pingcap/tiflash/latest/pull_unit_test.groovy", "pipelines/pingcap/tidb/release-9.0-beta/pull_build.groovy", "pipelines/pingcap/tiflash/latest/pull_integration_test.groovy", "pipelines/pingcap/tidb/latest/pull_integration_e2e_test_next_gen/pipeline.groovy", "pipelines/pingcap/tiflash/latest/pull_integration_next_gen.groovy", "pipelines/pingcap-inc/tidb/release-8.5/pull_build.groovy", "pipelines/pingcap/tidb/release-7.5/ghpr_build.groovy", "pipelines/pingcap/tidb/release-8.0/ghpr_build.groovy", "pipelines/pingcap/tidb/release-8.1/ghpr_check.groovy", "pipelines/pingcap/tidb/release-7.4/ghpr_unit_test.groovy", "pipelines/pingcap/tidb/release-8.2/pull_check.groovy", "pipelines/pingcap/tidb/release-8.4/pull_build.groovy", "pipelines/pingcap/tidb/release-7.2/ghpr_check.groovy", "pipelines/pingcap/tidb/release-8.5/pull_unit_test.groovy", "pipelines/pingcap/tidb/release-7.4/ghpr_build.groovy", "pipelines/pingcap/tiflash/release-9.0-beta/pull_unit_test.groovy", "pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test.groovy", "pipelines/pingcap/tidb/release-8.4/pull_unit_test.groovy", "pipelines/pingcap/tidb/release-8.3/pull_build.groovy", "pipelines/pingcap/tidb/release-9.0-beta/pull_check.groovy", "pipelines/pingcap/tidb/release-8.1/ghpr_unit_test.groovy", "pipelines/pingcap/tidb/release-7.1/ghpr_check.groovy", "pipelines/pingcap/tidb/release-7.3/ghpr_build.groovy" ], "commitId" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "timestamp" : 1776077676000, "author" : { "absoluteUrl" : "https://do.pingcap.net/jenkins/user/noreply", "fullName" : "noreply" }, "authorEmail" : "noreply@github.com", "comment" : "security: avoid persisting GitHub SSH keys in PR pipelines (#4477)\u000a\u000a## Summary\u000a- remove `git.setSshKey(GIT_CREDENTIALS_ID)` from PR / ghpr pipelines\u000athat run untrusted repository code\u000a- keep private-repo access scoped to the checkout step via\u000a`prow.checkoutRefs(..., credentialsId = GIT_CREDENTIALS_ID, ...)`\u000a- switch the affected TiFlash PR pipelines from empty checkout\u000acredentials to checkout-scoped SSH credentials so submodule/private\u000afetch still works without leaving a reusable key on disk\u000a\u000a## Risk Being Fixed\u000aThe audited PR pipelines cloned private repositories or private\u000asubmodules with the `github-sre-bot-ssh` credential and then persisted\u000athe SSH private key into `~/.ssh/id_rsa` via `git.setSshKey()`.\u000a\u000aOnce that happened, build/test scripts coming from the target PR\u000arepository could reuse the same key to:\u000a- print or copy the key material\u000a- clone additional private repositories\u000a- push new refs or delete remote refs that the key can access\u000a\u000aThis PR removes that persistent-key path from PR jobs and narrows\u000acredential availability to the checkout helper's `sshagent` scope.\u000a\u000a## Audit Notes\u000aConfirmed safe patterns that were left unchanged:\u000a- `prow.checkoutRefs(..., credentialsId = GIT_CREDENTIALS_ID, ...)`\u000abecause it scopes SSH auth to the checkout helper\u000a- `component.checkout(...)` / `checkoutPRWithPreMerge(...)` because they\u000ause Jenkins checkout or `sshagent` during checkout only\u000a- legacy `jenkins/` GitSCM checkouts that use `credentialsId` without\u000acopying keys into `~/.ssh/id_rsa`\u000a\u000a## Validation\u000a- `git diff --check`\u000a- verified no PR / ghpr pipeline under `pipelines/` still contains\u000a`git.setSshKey(...)`\u000a- verified the TiFlash PR jobs that previously relied on\u000a`git.setSshKey()` now use checkout-scoped credentials instead of\u000a`credentialsId = ''`\u000a\u000a## Scope\u000aThis intentionally updates PR / ghpr pipelines only. Remaining\u000a`git.setSshKey()` usage is in merged / trusted jobs and can be reviewed\u000aseparately if we want to remove that pattern repo-wide later.\u000a", "date" : "2026-04-13 10:54:36 +0000", "id" : "bbfd59ceb879c0cf98ae905135f25d05824d2aaa", "msg" : "security: avoid persisting GitHub SSH keys in PR pipelines (#4477)", "paths" : [ { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.5/ghpr_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.2/ghpr_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.4/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.5/pull_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tiflash/latest/pull_unit_next_gen.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.4/ghpr_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.0/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tiflash/latest/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.0/ghpr_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.6/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.4/pull_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.3/pull_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tiflash/latest/pull_integration_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap-inc/tidb/release-8.5/pull_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.3/ghpr_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.1/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.3/pull_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tiflash/latest/pull_integration_next_gen.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.6/ghpr_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.1/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.0/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.2/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.2/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/latest/pull_integration_e2e_test_next_gen/pipeline.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.3/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.3/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test_ddlv1.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test_ddlv1.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-9.0-beta/pull_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.2/pull_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.5/pull_unit_test_ddlv1.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.2/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.5/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tiflash/release-9.0-beta/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.5/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.3/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tiflash/release-9.0-beta/pull_integration_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.4/pull_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-9.0-beta/pull_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.6/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap-inc/tidb/release-8.5/pull_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.2/pull_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.5/pull_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.1/ghpr_build.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.4/pull_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.1/ghpr_unit_test.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.4/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-7.5/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.1/ghpr_check.groovy" }, { "editType" : "edit", "file" : "pipelines/pingcap/tidb/release-8.1/ghpr_unit_test.groovy" } ] } ], "kind" : "git" }, "culprits" : [ { "absoluteUrl" : "https://do.pingcap.net/jenkins/user/noreply", "fullName" : "noreply" } ] }