Bind secrets to their playbooks Secrets are proving less useful than originally hoped because they can not be effectively used in any jobs with untrusted children. This change binds the secrets to the playbooks which use them, so that child jobs are unable to access the secrets. This allows us to create jobs with pre/post playbooks which use secrets which are suitable for other jobs to inherit from. Change-Id: I67dd12563f3abd242d6356675afed1de0cb144cf

commit: 892cca6afa7c29757922b6ad584fcfe984cad3e3 [log] [tgz]
author: James E. Blair <jeblair@redhat.com> Wed Aug 09 11:36:58 2017 -0700
committer: James E. Blair <jeblair@redhat.com> Thu Aug 10 09:13:46 2017 -0700
tree: c9f18ca8620b5635c835012616e89cf48d25af3e
parent: ad966ccc46bcceb9c1c29da972b14dd6967ff6a4 [diff]
diff --git a/tests/fixtures/layouts/untrusted-secrets.yaml b/tests/fixtures/layouts/untrusted-secrets.yaml
new file mode 100644
index 0000000..cfa03e0
--- /dev/null
+++ b/tests/fixtures/layouts/untrusted-secrets.yaml

@@ -0,0 +1,26 @@
+- pipeline:
+    name: check
+    manager: independent
+    trigger:
+      gerrit:
+        - event: patchset-created
+    success:
+      gerrit:
+        Verified: 1
+    failure:
+      gerrit:
+        Verified: -1
+
+- job:
+    name: base
+    parent: null
+
+- job:
+    name: project1-test
+    untrusted-secrets: true
+
+- project:
+    name: org/project1
+    check:
+      jobs:
+        - project1-test
commit	892cca6afa7c29757922b6ad584fcfe984cad3e3	[log] [tgz]
author	James E. Blair <jeblair@redhat.com>	Wed Aug 09 11:36:58 2017 -0700
committer	James E. Blair <jeblair@redhat.com>	Thu Aug 10 09:13:46 2017 -0700
tree	c9f18ca8620b5635c835012616e89cf48d25af3e
parent	ad966ccc46bcceb9c1c29da972b14dd6967ff6a4 [diff]