Mention checkout refs in context expression restriction example
Pipelines can use different sources for checkout and for config. When
this is the case, both of these need to be restricted for the context to
be protected from unreviewed code, or unreviewed config.
docs/guides/modules/security/pages/contexts.adoc
Lines changed: 3 additions & 2 deletions
@@ -245,18 +245,19 @@ You must be an *organization admin* to remove projects from contexts though the
245
245
[#expression-restrictions]
246
246
== Expression restrictions
247
247
248
-
Restrict contexts by setting up _expression restrictions_. Expression restrictions are rules that xref:orchestrate:pipeline-variables.adoc#pipeline-values[pipeline values] must match. Using expression restrictions allows you to create arbitrary constraints on the circumstances in which a context is available for use. For example, you may have a context containing credentials that should only be used for deploying your code from your protected `main` branch:
248
+
Restrict contexts by setting up _expression restrictions_. Expression restrictions are rules that xref:orchestrate:pipeline-variables.adoc#pipeline-values[pipeline values] must match. Using expression restrictions allows you to create arbitrary constraints on the circumstances in which a context is available for use. For example, you may have a context containing credentials that should only be used for deploying your code from your protected `main` branch. You also want to make sure that the config is from a protected `main` branch for any triggers that use a different checkout and config source:
249
249
250
250
[source]
251
251
----
252
-
pipeline.git.branch == "main" and not job.ssh.enabled and not (pipeline.config_source starts-with "api"")
252
+
pipeline.git.branch == "main" and pipeline.config.ref == "refs/heads/main" and not job.ssh.enabled and not (pipeline.config_source starts-with "api"")
253
253
----
254
254
255
255
Tabs and new lines are considered whitespace so can be used to break long lines, but have no other significance. For example, the snippet above could also be written:
256
256
257
257
[source]
258
258
----
259
259
pipeline.git.branch == "main"
260
+
pipeline.config.ref == "refs/heads/main"
260
261
and not job.ssh.enabled
261
262
and not (pipeline.config_source starts-with "api")
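Review bot: in the multi-line snippet, the added line `pipeline.config.ref == "refs/heads/main"` has no leading `and`, unlike the two lines that follow it, so this form is no longer the same expression as the single-line version that the text says it restates. Suggest `and pipeline.config.ref == "refs/heads/main"`. The single-line expression also still ends in `starts-with "api"")`, a stray double quote carried over unchanged from the removed line, while the multi-line form has `"api")`; since this line is being rewritten anyway, dropping the extra quote here would make the two snippets agree and keep a copy-pasted restriction from failing on the unbalanced string.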