The pipeline behavior is unexpected (OD-1634)
Closed
lordran opened 8 months ago

Hi, I'm facing something unexpected, ask for some help.

1、I'm building on master branch, and setting "Post Build Actions": image.png image_4.png

why dose the Deploy (test) job can be executed? and why dose job secret(KUBECONFIG-test) can be used? image_2.png

2、can we provide a way to hide some jobs in here: image_3.png

OneDev version: 9.2.4

Robin Shen commented 8 months ago

The term on branch is a bit misleading here. It actually means if commit of the job can be reached from specified branch.

For your case, I guess head of master can also be reached from test branch.

I filed an improvement request #1635 to match build ref directly.

As to hide particular jobs from run menu, you may create necessary role without permission to run those jobs, and login as user with that role for your daily work.

lordran commented 8 months ago

@robin Thanks for your reply.

Then, what should I do if I want to only click Build job, and execute a branch-based job? Due to the above question, now we have to click Deploy (prod) on master branch, click Deploy (test) on test branch.Yes, both jobs have a job dependency to Build job. image_5.png

And we maybe also use a Build Promotion, but in Builds section, the deployment process involves too many steps: choose a param named branch > choose a job to click.

Do you have suggestions about my case?

lordran commented 8 months ago

Oh, sorry. If I understand correctly, #1635 will be suitable for my case.

Robin Shen commented 8 months ago

Then, what should I do if I want to only click Build job, and execute a branch-based job?

You may create only one deployment job, and configure it to behave differently based on value of variable @branch@

Robin Shen changed state to 'Closed' 8 months ago
Previous Value Current Value
Open
Closed
lordran commented 8 months ago

Then, what should I do if I want to only click Build job, and execute a branch-based job?

You may create only one deployment job, and configure it to behave differently based on value of variable @branch@

If so, I have to delete job secret Authorization, this is unacceptable for security.If I don't delete job secret Authorization and write a shell as follows:

if [ "@branch@" = "test" ] || [ "@branch@" = "dev" ];then
echo "deploy to test\n"
s="@secret:KUBECONFIG-test@"
elif [ "@branch@" = "master" ];then
echo "deploy to prod\n"
s="@secret:KUBECONFIG-prod@"
fi

this will lead to an error when running on test branch:

Job secret not authorized (project: xxxx, job secret: KUBECONFIG-prod)

Robin Shen commented 8 months ago

this will lead to an error when running on test branch:

You may refer to #682 for a workaround.

To make such task easier, future version will improve job secrets so that multiple secrets with same name can be defined, and secret access will be tried one by one until an authorized secret can be found.

Robin Shen commented 7 months ago

@lordran check this tutorial on how to use different job secret for different branchs in same job without resorting to groovy script:

https://docs.onedev.io/tutorials/cicd/branch-job-secret

Robin Shen commented 7 months ago

@lordran check this tutorial on how to use different job secret for different branchs in same job without resorting to groovy script:

https://docs.onedev.io/tutorials/cicd/branch-job-secret

build #4343 is required to use this feature

issue 1 of 1
Type
Question
Priority
Critical
Assignee
Labels
No labels
Issue Votes (0)
Watchers (4)
Reference
OD-1634
Please wait...
Page is in error, reload to recover