If you administer a Jenkins instance, you may be used to approving script usage. In theory, it is possible to turn the check off, but even behind an auth gateway, that may not be a good idea.
In the before time, best practice was to click the button under “Manage Jenkins”:

But in a brave new CasC world, it is possible to instead provide a list of pre-approved scripts:
security:
  scriptApproval:
    approvedScriptHashes:
      - 046256fc8829d7af680424b819da55bdb7c660f4 # jobs-dsl/foo.groovy
      ...
However, maintaining this list is obviously a nightmare. First of all, you’d think it would be as simple as running:
shasum foo.groovy
But that doesn’t give the “right” answer. Eventually a colleague of mine worked out that you need to prepend a magic string:
(printf "groovy:" && cat foo.groovy) | shasum
With that in hand, you still need to run it over e.g. every Job DSL script you have, and ideally remove old hashes when a file changes. Behold my glory!
$ find -maxdepth 1 -name "*.groovy" | sort | xargs -I {} sh -c 'HASH=`(printf "groovy:" && cat {}) | shasum | awk '"'"'{print $1}'"'"'`; echo - $HASH \# jobs-dsl/{}'
- 98a015976c7392bde86f3e35d526054b684f605f # jobs-dsl/./foo.groovy
...
I didn’t think I could hate the shell more than I already did.
You should then be able to paste the output of this script into the CasC YAML and get a reasonable diff (although it turns out that the macOS and Linux sort commands disagree on which special chars should go first).
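The same "groovy:" prefix hashing as the one-liner above, written as shell functions (an added example, not code from the original post). It passes file names as data instead of splicing them into an sh -c string, sorts under LC_ALL=C so both platforms agree, and adds a check for approved hashes that no longer match any script; the function names and the jobs-dsl label default are assumptions.

```shell
#!/bin/sh
# Added example; function names and the default label are assumptions.

# SHA-1 of stdin with whichever tool is installed (sha1sum on Linux, shasum on macOS).
sha1_stdin() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi |
        awk '{print $1}'
}

# Hash one script the way the post describes: literal "groovy:" then the file bytes.
approval_hash() {
    [ -r "$1" ] || return 1
    { printf 'groovy:'; cat -- "$1"; } | sha1_stdin
}

# Emit "- HASH # label/name" for each *.groovy directly inside DIR.
# Names are sorted bytewise so the list order is identical on macOS and Linux.
# Assumption: file names contain no newlines.
approved_hashes_yaml() {
    dir=$1 label=${2:-jobs-dsl}
    for f in "$dir"/*.groovy; do
        [ -f "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done | LC_ALL=C sort | while IFS= read -r name; do
        printf '%s # %s/%s\n' "- $(approval_hash "$dir/$name")" "$label" "$name"
    done
}

# Print 40-hex list items in a CasC file that match no current script in DIR,
# i.e. approvals left behind after a script was edited or deleted.
stale_hashes() {
    casc=$1 dir=$2
    current=$(approved_hashes_yaml "$dir" | awk '{print $2}')
    awk '$1 == "-" && length($2) == 40 && $2 ~ /^[0-9a-f]+$/ {print $2}' "$casc" |
        while IFS= read -r h; do
            printf '%s\n' "$current" | grep -qxF "$h" || printf '%s\n' "$h"
        done
}
```

Run approved_hashes_yaml on the Job DSL directory to regenerate the list, and stale_hashes against the current CasC file to see which entries should be dropped.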