Consider better separation of public CI validation and release infrastructure #243
Assignees
Comments
retronym
changed the title
|
most of our publishing is now Travis-CI based the remaining exception is publishing of PR validation snapshots. we're taking that up at scala/scala-dev#507 we're also using jenkins-windows-worker-publish for Windows testing, moving to AppVeyor is scala/scala-dev#508 once those tickets are completed, we could decommission the publishing nodes and close down this ticket. |
|
this remains blocked on figuring out how to securely allow pull requests from forks to have publishing secrets but in any case any new solution will not be Jenkins-based |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While we're beefing up the security of our Jenkins install, it occurred to me that we should probably run two Jenkins installs: one that does all the stuff that only needs the "public" nodes, and another that does the releases and needs the "publish" node, which has some secrets to protect. We could place that private Jenkins behind a VPN, rather than expose it directly to the internet.
This would protect us better from vulnerabilities in Jenkins (or our configuration of it).
The text was updated successfully, but these errors were encountered: