Merge "Use app integration to get PR reviews" into feature/zuulv3
diff --git a/zuul/configloader.py b/zuul/configloader.py
index ea1293f..57fb7e2 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -460,6 +460,8 @@
else:
secret_name = secret_config['name']
secret = layout.secrets[secret_config['secret']]
+ if secret_name == 'zuul':
+ raise Exception("Secrets named 'zuul' are not allowed.")
if secret.source_context != job.source_context:
raise Exception(
"Unable to use secret %s. Secrets must be "
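Review bot: The guard `if secret_name == 'zuul':` has to sit at the level of the `if`/`else` that assigns `secret_name`, not inside the `else:` branch, and the page's lost indentation makes that impossible to confirm here. The branch before `else:` is outside the hunk and presumably also sets `secret_name`; if the guard were nested under `else:`, that form of secret reference would skip the check and be caught only by the executor. I would confirm the placement and add a config-loading test that asserts the rejection for each way a job can reference a secret. The enclosing function starts and ends outside the hunk.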
@@ -574,6 +576,8 @@
variables = conf.get('vars', None)
if variables:
+ if 'zuul' in variables:
+ raise Exception("Variables named 'zuul' are not allowed.")
job.updateVariables(variables)
allowed_projects = conf.get('allowed-projects', None)
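Review bot: `'zuul' in variables` guards only the `vars` mapping read from this job definition, so any other configuration source that contributes Ansible variables (none is visible in this hunk) would not be rejected at load time. It would be caught only by the executor's check on `all_vars`. If such sources exist they should reuse the same check. I would also add a comment here such as `# 'zuul' is reserved for the variables the executor supplies`, so the reason is visible where the rule is enforced. The enclosing function starts and ends outside the hunk.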
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 96c809c..3daafc7 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -1281,6 +1281,8 @@
secrets = playbook['secrets']
if secrets:
if 'zuul' in secrets:
+ # We block this in configloader, but block it here too to make
+ # sure that a job doesn't pass secrets named zuul.
raise Exception("Defining secrets named 'zuul' is not allowed")
jobdir_playbook.secrets_content = yaml.safe_dump(
secrets, default_flow_style=False)
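Review bot: The added comment says the name is blocked in two places but not why it is reserved, and the same applies to the comment added in the `all_vars` hunk below. That hunk shows `all_vars['zuul']` being filled by the executor from `args['zuul']`, so a job-supplied `zuul` would presumably collide with or shadow executor-provided data. This executor check is the last one visible before the values are written out for the playbook, so it should stay even though configloader rejects the name first. I would say so in both comments, e.g. `# 'zuul' is reserved for executor-supplied data; configloader rejects it too, but re-check here before anything reaches the playbook.` Both enclosing functions start and end outside their hunks.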
@@ -1385,6 +1387,8 @@
# TODO(mordred) Hack to work around running things with python3
all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
if 'zuul' in all_vars:
+ # We block this in configloader, but block it here too to make
+ # sure that a job doesn't pass variables named zuul.
raise Exception("Defining vars named 'zuul' is not allowed")
all_vars['zuul'] = args['zuul'].copy()
all_vars['zuul']['executor'] = dict(