What happened:
We have a postsubmit job defined for the release branch. To create a new release, I created a branch called release-0.1, made a commit and created a PR to the release branch. Prow took my commit to the release-0.1 branch as a post submit and ran the job defined for the release branch.
What you expected to happen: I expected prow to run post-submit job only with exactly matching branches.
How to reproduce it (as minimally and precisely as possible): Have a post-submit job defined for master. Create a branch called master-test and push it. Prow will run the post submit job defined for master for master-test branch.
Anything else we need to know?:
We believe it's because this line checks for contains instead of exact matching.
I believe this is a security issue as our release branch is protected by GitHub but now this protection is bypassed.
^release$ will only match the release branch. release is equivalent to ^.*release.*$
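The difference between the two pattern spellings can be checked before a job config is merged. The following is an added example, not Prow's own code or part of the original thread: the helper `unintendedMatches` is a hypothetical name, and the branch list is sample data built from the branch names mentioned in this issue. It reports the branches a pattern matches as an unanchored search but would not match as a whole-string match.

```go
package main

import (
	"fmt"
	"regexp"
)

// unintendedMatches (hypothetical helper) returns the branches that pattern
// matches as an unanchored search but not as a whole-string match.
// A non-empty result means the pattern needs ^...$ to mean "exactly this branch".
func unintendedMatches(pattern string, branches []string) ([]string, error) {
	search, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	// Wrapping in ^(?:...)$ forces the whole branch name to match.
	exact, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return nil, err
	}
	var extra []string
	for _, b := range branches {
		if search.MatchString(b) && !exact.MatchString(b) {
			extra = append(extra, b)
		}
	}
	return extra, nil
}

func main() {
	// Constructed sample data: branch names taken from the issue text.
	branches := []string{"release", "release-0.1", "master", "master-test"}
	for _, p := range []string{"release", "^release$", "master"} {
		extra, err := unintendedMatches(p, branches)
		if err != nil {
			fmt.Println("bad pattern:", p, err)
			continue
		}
		fmt.Printf("%-12q also triggers on: %v\n", p, extra)
	}
}
```

Running the same check over the real branch list of a repository shows which unprotected branch names would trigger a job meant for a protected branch.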