Rename allow-secrets to post-review
Since jobs which use secrets in the trusted execution context are
always allowed, the name of this attribute was confusing. By renaming
it to 'post-review' (and the corresponding job attribute to
'post-review') we indicate what the actual concern is.
Change-Id: I59607621d5b99508b94074133bfc67e64e708a7d
diff --git a/tests/fixtures/config/ansible/git/common-config/zuul.yaml b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
index ba6227b..d90f5e2 100644
--- a/tests/fixtures/config/ansible/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/data-return/git/common-config/zuul.yaml b/tests/fixtures/config/data-return/git/common-config/zuul.yaml
index 4db7eb6..906dc5b 100644
--- a/tests/fixtures/config/data-return/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/data-return/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml b/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml
index 4a13e73..893ea05 100644
--- a/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/inventory/git/common-config/zuul.yaml b/tests/fixtures/config/inventory/git/common-config/zuul.yaml
index d2179b7..7809c5d 100644
--- a/tests/fixtures/config/inventory/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/inventory/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml b/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml
index 0a6c557..16d1966 100644
--- a/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/layouts/untrusted-secrets.yaml b/tests/fixtures/layouts/untrusted-secrets.yaml
index cfa03e0..b90d3d7 100644
--- a/tests/fixtures/layouts/untrusted-secrets.yaml
+++ b/tests/fixtures/layouts/untrusted-secrets.yaml
@@ -17,7 +17,7 @@
- job:
name: project1-test
- untrusted-secrets: true
+ post-review: true
- project:
name: org/project1
diff --git a/tests/unit/test_model.py b/tests/unit/test_model.py
index 9cc7195..ce30e7c 100644
--- a/tests/unit/test_model.py
+++ b/tests/unit/test_model.py
@@ -461,16 +461,16 @@
})
layout.addJob(untrusted_secrets_untrusted_child_job)
- self.assertIsNone(trusted_secrets_job.untrusted_secrets)
- self.assertTrue(untrusted_secrets_job.untrusted_secrets)
+ self.assertIsNone(trusted_secrets_job.post_review)
+ self.assertTrue(untrusted_secrets_job.post_review)
self.assertIsNone(
- trusted_secrets_trusted_child_job.untrusted_secrets)
+ trusted_secrets_trusted_child_job.post_review)
self.assertIsNone(
- trusted_secrets_untrusted_child_job.untrusted_secrets)
+ trusted_secrets_untrusted_child_job.post_review)
self.assertTrue(
- untrusted_secrets_trusted_child_job.untrusted_secrets)
+ untrusted_secrets_trusted_child_job.post_review)
self.assertTrue(
- untrusted_secrets_untrusted_child_job.untrusted_secrets)
+ untrusted_secrets_untrusted_child_job.post_review)
self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].name,
'trusted-secret')
@@ -697,15 +697,15 @@
"Project project2 is not allowed to run job job"):
item.freezeJobGraph()
- def test_job_pipeline_allow_secrets(self):
- self.pipeline.allow_secrets = False
+ def test_job_pipeline_allow_untrusted_secrets(self):
+ self.pipeline.post_review = False
job = configloader.JobParser.fromYaml(self.tenant, self.layout, {
'_source_context': self.context,
'_start_mark': self.start_mark,
'name': 'job',
'parent': None,
})
- job.untrusted_secrets = True
+ job.post_review = True
self.layout.addJob(job)
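Review bot: The renamed test `test_job_pipeline_allow_untrusted_secrets` still uses the old secrets wording, while everything it touches is now `post_review`. A name in the new vocabulary would match the commit's intent, for example `def test_job_pipeline_post_review(self):`. The test also sets `self.pipeline.post_review = False` explicitly, so it does not show what an unconfigured pipeline does. If pipelines are meant to be pre-review unless configured otherwise, a companion case that leaves the attribute unset would pin that default; the pipeline parser is not visible in this diff, so this is an assumption to confirm. The test body continues past the end of this hunk.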
@@ -730,7 +730,7 @@
item.current_build_set.layout = self.layout
with testtools.ExpectedException(
Exception,
- "Pipeline gate does not allow jobs with secrets"):
+ "Pre-review pipeline gate does not allow post-review job"):
item.freezeJobGraph()
diff --git a/tests/unit/test_scheduler.py b/tests/unit/test_scheduler.py
index 960a922..97d53e0 100755
--- a/tests/unit/test_scheduler.py
+++ b/tests/unit/test_scheduler.py
@@ -2827,7 +2827,7 @@
self.assertHistory([])
self.assertEqual(A.patchsets[0]['approvals'][0]['value'], "-1")
- self.assertIn('does not allow jobs with secrets',
+ self.assertIn('does not allow post-review job',
A.messages[0])
@simple_layout('layouts/tags.yaml')