<freeStyleBuild _class='hudson.model.FreeStyleBuild'><action _class='hudson.model.CauseAction'><cause _class='com.cloudbees.jenkins.GitHubPushCause'><shortDescription>Started by GitHub push by ti-chi-bot[bot]</shortDescription></cause><cause _class='com.cloudbees.jenkins.GitHubPushCause'><shortDescription>Started by GitHub push by ti-chi-bot[bot]</shortDescription></cause></action><action></action><action _class='jenkins.metrics.impl.TimeInQueueAction'><blockedDurationMillis>0</blockedDurationMillis><blockedTimeMillis>0</blockedTimeMillis><buildableDurationMillis>20086</buildableDurationMillis><buildableTimeMillis>20086</buildableTimeMillis><buildingDurationMillis>43215</buildingDurationMillis><executingTimeMillis>43215</executingTimeMillis><executorUtilization>1.0</executorUtilization><subTaskCount>0</subTaskCount><waitingDurationMillis>6535</waitingDurationMillis><waitingTimeMillis>6535</waitingTimeMillis></action><action _class='hudson.plugins.git.util.BuildData'><buildsByBranchName><originmain _class='hudson.plugins.git.util.Build'><buildNumber>1611</buildNumber><marked><SHA1>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</SHA1><branch><SHA1>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</SHA1><name>origin/main</name></branch></marked><revision><SHA1>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</SHA1><branch><SHA1>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</SHA1><name>origin/main</name></branch></revision></originmain></buildsByBranchName><lastBuiltRevision><SHA1>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</SHA1><branch><SHA1>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</SHA1><name>origin/main</name></branch></lastBuiltRevision><remoteUrl>https://github.com/PingCAP-QE/ci.git</remoteUrl><scmName></scmName></action><action></action><action></action><action></action><action></action><action></action><action></action><action 
_class='org.jenkinsci.plugins.displayurlapi.actions.RunDisplayAction'></action><building>false</building><displayName>#1611</displayName><duration>43215</duration><estimatedDuration>44870</estimatedDuration><fullDisplayName>seed #1611</fullDisplayName><id>1611</id><inProgress>false</inProgress><keepLog>false</keepLog><number>1611</number><queueId>3665215</queueId><result>SUCCESS</result><timestamp>1776077707144</timestamp><url>https://do.pingcap.net/jenkins/job/seed/1611/</url><builtOn>default-cqg55</builtOn><changeSet _class='hudson.plugins.git.GitChangeSetList'><item _class='hudson.plugins.git.GitChangeSet'><affectedPath>pipelines/pingcap/tidb/release-8.5/pull_unit_test_ddlv1.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.3/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.3/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test_ddlv1.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.1/ghpr_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.5/pull_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.2/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.2/ghpr_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.5/pull_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tiflash/release-9.0-beta/pull_integration_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.0/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.1/ghpr_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.5/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.3/ghpr_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.2/ghpr_unit_test.groovy</affectedPath><affectedPath>p
ipelines/pingcap/tidb/release-8.4/pull_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.6/ghpr_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test_ddlv1.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.4/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.6/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.1/ghpr_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tiflash/latest/pull_unit_next_gen.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.3/pull_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.0/ghpr_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.6/ghpr_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap-inc/tidb/release-8.5/pull_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.5/ghpr_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.2/pull_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tiflash/latest/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-9.0-beta/pull_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tiflash/latest/pull_integration_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/latest/pull_integration_e2e_test_next_gen/pipeline.groovy</affectedPath><affectedPath>pipelines/pingcap/tiflash/latest/pull_integration_next_gen.groovy</affectedPath><affectedPath>pipelines/pingcap-inc/tidb/release-8.5/pull_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.5/ghpr_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.0/ghpr_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.1/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.4/ghpr_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.2/p
ull_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.4/pull_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.2/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.5/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.4/ghpr_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tiflash/release-9.0-beta/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.4/pull_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.3/pull_build.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-9.0-beta/pull_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-8.1/ghpr_unit_test.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.1/ghpr_check.groovy</affectedPath><affectedPath>pipelines/pingcap/tidb/release-7.3/ghpr_build.groovy</affectedPath><commitId>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</commitId><timestamp>1776077676000</timestamp><author><absoluteUrl>https://do.pingcap.net/jenkins/user/noreply</absoluteUrl><fullName>noreply</fullName></author><authorEmail>noreply@github.com</authorEmail><comment>security: avoid persisting GitHub SSH keys in PR pipelines (#4477)

## Summary
- remove `git.setSshKey(GIT_CREDENTIALS_ID)` from PR / ghpr pipelines
that run untrusted repository code
- keep private-repo access scoped to the checkout step via
`prow.checkoutRefs(..., credentialsId = GIT_CREDENTIALS_ID, ...)`
- switch the affected TiFlash PR pipelines from empty checkout
credentials to checkout-scoped SSH credentials so submodule/private
fetch still works without leaving a reusable key on disk

## Risk Being Fixed
The audited PR pipelines cloned private repositories or private
submodules with the `github-sre-bot-ssh` credential and then persisted
the SSH private key into `~/.ssh/id_rsa` via `git.setSshKey()`.

Once the key was on disk, build/test scripts coming from the target PR
repository (untrusted code) could reuse the same key to:
- print or copy the key material
- clone additional private repositories
- push new refs or delete remote refs that the key can access

This PR removes that persistent-key path from PR jobs and narrows
credential availability to the checkout helper's `sshagent` scope.

## Audit Notes
Confirmed safe patterns that were left unchanged:
- `prow.checkoutRefs(..., credentialsId = GIT_CREDENTIALS_ID, ...)`
because it scopes SSH auth to the checkout helper
- `component.checkout(...)` / `checkoutPRWithPreMerge(...)` because they
use Jenkins checkout or `sshagent` during checkout only
- legacy `jenkins/` GitSCM checkouts that use `credentialsId` without
copying keys into `~/.ssh/id_rsa`

## Validation
- `git diff --check`
- verified no PR / ghpr pipeline under `pipelines/` still contains
`git.setSshKey(...)`
- verified the TiFlash PR jobs that previously relied on
`git.setSshKey()` now use checkout-scoped credentials instead of
`credentialsId = ''`

## Scope
This intentionally updates PR / ghpr pipelines only. Remaining
`git.setSshKey()` usage is in merged / trusted jobs and can be reviewed
separately if we want to remove that pattern repo-wide later.
</comment><date>2026-04-13 10:54:36 +0000</date><id>bbfd59ceb879c0cf98ae905135f25d05824d2aaa</id><msg>security: avoid persisting GitHub SSH keys in PR pipelines (#4477)</msg><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.5/ghpr_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.2/ghpr_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.4/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.5/pull_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tiflash/latest/pull_unit_next_gen.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.4/ghpr_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.0/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tiflash/latest/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.0/ghpr_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.6/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.4/pull_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.3/pull_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tiflash/latest/pull_integration_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap-inc/tidb/release-8.5/pull_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.3/ghpr_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.1/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.3/pull_build.groovy</file></path><path><editType>edit</editType><fi
le>pipelines/pingcap/tiflash/latest/pull_integration_next_gen.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.6/ghpr_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.1/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.0/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.2/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.2/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/latest/pull_integration_e2e_test_next_gen/pipeline.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.3/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.3/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap-inc/tidb/release-8.5/pull_unit_test_ddlv1.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-9.0-beta/pull_unit_test_ddlv1.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-9.0-beta/pull_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.2/pull_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.5/pull_unit_test_ddlv1.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.2/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.5/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tiflash/release
-9.0-beta/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.5/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.3/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tiflash/release-9.0-beta/pull_integration_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.4/pull_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-9.0-beta/pull_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.6/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap-inc/tidb/release-8.5/pull_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.2/pull_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.5/pull_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.1/ghpr_build.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.4/pull_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.1/ghpr_unit_test.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.4/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-7.5/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.1/ghpr_check.groovy</file></path><path><editType>edit</editType><file>pipelines/pingcap/tidb/release-8.1/ghpr_unit_test.groovy</file></path></item><kind>git</kind></changeSet><culprit><absoluteUrl>https://do.pingcap.net/jenkins/user/noreply</absoluteUrl><fullName>noreply</fullName></culprit></freeStyleBuild>