Merge pull request #3 from wcm-io-devops/feature/2.138.1-1

Updates for 2.138.1 with workflow-support 1.18+ and script security 1.44+

README.md

@@ -8,6 +8,9 @@ This role installs all necessary plugins in specific versions which
 ensures that the shared pipeline library is always running with the
 latest compatible plugins.
 
+:exclamation: Starting with version 2.138.1-1 the role will also
+configure the script security to allow some signatures!
+
 Optionally the role also directly setups a Jenkins instance using [geerlingguy.jenkins](https://github.com/geerlingguy/ansible-role-jenkins).
 
 ## Versioning
@@ -100,6 +103,11 @@ When set to enable the role will log some debug information.
 Plugins and their versions that must be present for
 jenkins-pipeline-library.
 
+    jenkins_pipeline_library_approved_signatures_present:
+
+Signatures that need to be approved for jenkins-pipeline-library,
+otherwise the signatures will be blocked by script-security.
+
 :bulb: Since this list is long please refer to
 [defaults](defaults/main.yaml)
 
@@ -114,6 +122,16 @@ This role depends on the
 role to install/uninstall the plugins needed by the
 [jenkins-pipeline-library](https://github.com/wcm-io-devops/jenkins-pipeline-library)
 
+In order to allow to run the
+[jenkins-pipeline-library](https://github.com/wcm-io-devops/jenkins-pipeline-library)
+with the Pipeline Supporting APIs 1.18+ (workflow-support) and with
+Script Security ( script-security) 1.44+ this role also depends on
+[wcm_io_devops.jenkins_script_plugin](https://github.com/wcm-io-devops/ansible-jenkins-script-security)
+for whitelisting some signatures in the Groovy Sandbox.
+
+For installing a Jenkins on the target instance the role is using
+[geerlingguy.jenkins](https://github.com/geerlingguy/ansible-role-jenkins).
+
 As transitive dependency this role uses the
 [wcm_io_devops.jenkins_facts](https://github.com/wcm-io-devops/ansible-jenkins-facts)
 role to retrieve the list of installed plugins from the Jenkins

defaults/main.yaml

@@ -1,5 +1,5 @@
 # The version of the jenkins when it is installed with the jenkins role dependency
-jenkins_pipeline_library_jenkins_version: 2.121.3
+jenkins_pipeline_library_jenkins_version: 2.138.1
 
 # Controls if the jenkins will be installed by the jenkins role dependency
 jenkins_pipeline_library_jenkins_install: false
@@ -57,9 +57,9 @@ jenkins_pipeline_library_plugins_present:
   - name: branch-api
     version: "2.0.20"
   - name: cloudbees-folder
-    version: "6.5.1"
+    version: "6.6"
   - name: config-file-provider
-    version: "2.18"
+    version: "3.1"
   - name: credentials
     version: "2.1.18"
   - name: credentials-binding
@@ -83,7 +83,7 @@ jenkins_pipeline_library_plugins_present:
   - name: jackson2-api
     version: "2.8.11.3"
   - name: junit
-    version: "1.24"
+    version: "1.25"
   - name: jquery-detached
     version: "1.2.1"
   - name: jsch
@@ -113,17 +113,17 @@ jenkins_pipeline_library_plugins_present:
   - name: pipeline-model-declarative-agent
     version: "1.1.1"
   - name: pipeline-model-definition
-    version: "1.3.1"
+    version: "1.3.2"
   - name: pipeline-model-api
-    version: "1.3.1"
+    version: "1.3.2"
   - name: pipeline-model-extensions
-    version: "1.3.1"
+    version: "1.3.2"
   - name: pipeline-rest-api
     version: "2.10"
   - name: pipeline-stage-step
     version: "2.3"
   - name: pipeline-stage-tags-metadata
-    version: "1.3.1"
+    version: "1.3.2"
   - name: pipeline-stage-view
     version: "2.10"
   - name: pipeline-utility-steps
@@ -136,7 +136,7 @@ jenkins_pipeline_library_plugins_present:
     version: "2.2.7"
     # 1.44 causes stack overflows with pipeline library
   - name: script-security
-    version: "1.43"
+    version: "1.46"
   - name: ssh-credentials
     version: "1.14"
   - name: structs
@@ -146,26 +146,52 @@ jenkins_pipeline_library_plugins_present:
   - name: workflow-api
     version: "2.29"
   - name: workflow-basic-steps
-    version: "2.10"
+    version: "2.11"
   - name: workflow-cps
-    version: "2.54"
+    version: "2.55"
   - name: workflow-cps-global-lib
-    version: "2.10"
-    # do not upgrade, workflow-support 2.18+ is required, which can not be upgraded
+    version: "2.11"
   - name: workflow-durable-task-step
-    version: "2.19"
-    # do not upgrade, workflow-support 2.18+ is required, which can not be upgraded
+    version: "2.21"
   - name: workflow-job
-    version: "2.23"
+    version: "2.25"
   - name: workflow-multibranch
     version: "2.20"
   - name: workflow-scm-step
     version: "2.6"
   - name: workflow-step-api
     version: "2.16"
-    # do not upgrade further than 2.17, see: https://issues.jenkins-ci.org/browse/JENKINS-49597
   - name: workflow-support
-    version: "2.17"
+    version: "2.20"
 
 # Plugins that must be absent for jenkins-pipeline-library
 jenkins_pipeline_library_plugins_absent: []
+
+# Signatures that need to be approved for jenkins-pipeline-library
+jenkins_pipeline_library_approved_signatures_present:
+  # enable marking stage as skipped
+  - staticMethod org.jenkinsci.plugins.pipeline.modeldefinition.Utils markStageSkippedForConditional java.lang.String
+  # whitelisting for logging package
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ALL
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEBUG
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel INFO
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEPRECATED
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel WARN
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ERROR
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel FATAL
+  - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel NONE
+  - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromString java.lang.String
+  - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromInteger java.lang.Integer
+  - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel $INIT java.lang.Object[]
+  - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.Logger getClassName java.lang.Object
+  - field io.wcm.devops.jenkins.pipeline.utils.logging.Logger name
+  - new io.wcm.devops.jenkins.pipeline.utils.logging.Logger java.lang.Object
+  - new io.wcm.devops.jenkins.pipeline.utils.TypeUtils
+  # versioning package whitelisting
+  - field io.wcm.devops.jenkins.pipeline.versioning.IntegerItem INTEGER_ZER0
+  - new io.wcm.devops.jenkins.pipeline.versioning.IntegerItem
+  - staticField io.wcm.devops.jenkins.pipeline.versioning.StringItem _QUALIFIERS
+  # native java function whitelisting
+  - method java.util.List indexOf java.lang.Object
+  - new java.util.ArrayList

meta/main.yml

@@ -46,3 +46,14 @@ dependencies:
       jenkins_plugins_present: "{{ jenkins_pipeline_library_plugins_present }}",
       jenkins_plugins_absent: "{{ jenkins_pipeline_library_plugins_absent }}",
    }
+  # configure script security for jenkins-pipeline-library
+  - { role: wcm_io_devops.jenkins_script_security,
+      version: 1.0.0,
+      jenkins_script_security_admin_username: "{{ jenkins_pipeline_library_admin_username }}",
+      jenkins_script_security_admin_password: "{{ jenkins_pipeline_library_admin_password }}",
+      jenkins_script_security_jenkins_home: "{{ jenkins_pipeline_library_jenkins_home }}",
+      jenkins_script_security_jenkins_hostname: "{{ jenkins_pipeline_library_jenkins_hostname }}",
+      jenkins_script_security_jenkins_port: "{{ jenkins_pipeline_library_jenkins_port }}",
+      jenkins_script_security_jenkins_url_prefix: "{{ jenkins_pipeline_library_jenkins_url_prefix }}",
+      jenkins_script_security_approved_signatures_present: "{{ jenkins_pipeline_library_approved_signatures_present }}"
+    }

tests/requirements.yml

@@ -4,5 +4,7 @@
   version: master
 - name: wcm_io_devops.jenkins_plugins
   version: master
+- name: wcm_io_devops.jenkins_script_security
+  version: master
 - name: geerlingguy.jenkins
   version: 3.5.0