From 3bf3cba806f161ae50fd35b82336b71274fefdf4 Mon Sep 17 00:00:00 2001
From: kdletters
Date: Thu, 23 Apr 2026 03:29:45 +0800
Subject: [PATCH] fix(jenkins): avoid rawBuild in deploy gate

---
 .../JENKINS_RUST_BUILD_DEPLOY_PIPELINES_2026-04-23.md | 1 +
 jenkins/Jenkinsfile.deploy | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/docs/technical/JENKINS_RUST_BUILD_DEPLOY_PIPELINES_2026-04-23.md b/docs/technical/JENKINS_RUST_BUILD_DEPLOY_PIPELINES_2026-04-23.md
index 703f7162..99792d15 100644
--- a/docs/technical/JENKINS_RUST_BUILD_DEPLOY_PIPELINES_2026-04-23.md
+++ b/docs/technical/JENKINS_RUST_BUILD_DEPLOY_PIPELINES_2026-04-23.md
@@ -20,6 +20,7 @@
 4. `部署` 流水线额外校验上游作业名与传入的 `EXPECTED_UPSTREAM_JOB` 一致;如配置了环境变量 `GENARRATIVE_ALLOWED_UPSTREAM_JOB`,还必须与该值一致。
 5. `构建并部署` 在触发 `部署` 前先释放自己的构建节点,避免单执行器节点出现死锁。
 6. `部署` 不重新构建,不重新上传,不从 Jenkins 插件仓库复制产物,直接使用上游构建节点的本地 `build/<版本号>/` 目录。
+7. `部署` 流水线读取触发原因时必须使用 `currentBuild.getBuildCauses('hudson.model.Cause$UpstreamCause')` 这类白名单方法,不能直接访问 `currentBuild.rawBuild`,否则会被 Jenkins Script Security 拦截。
 
 ## 3. 节点与工作区要求
 
diff --git a/jenkins/Jenkinsfile.deploy b/jenkins/Jenkinsfile.deploy
index b222ef8a..be94c4f6 100644
--- a/jenkins/Jenkinsfile.deploy
+++ b/jenkins/Jenkinsfile.deploy
@@ -22,12 +22,14 @@ pipeline {
 steps {
 script {
- def upstreamCause = currentBuild.rawBuild.getCause(hudson.model.Cause$UpstreamCause)
- if (upstreamCause == null) {
+ // 使用 RunWrapper 白名单方法读取触发原因,避免触发 Jenkins Script Security 审批。
+ def upstreamCauses = currentBuild.getBuildCauses('hudson.model.Cause$UpstreamCause')
+ if (!upstreamCauses || upstreamCauses.isEmpty()) {
 error('部署流水线禁止人工直接执行,只允许由上游构建并部署流水线触发。')
 }
- def actualUpstreamJob = upstreamCause.upstreamProject ?: ''
+ def upstreamCause = upstreamCauses[0]
+ def actualUpstreamJob = upstreamCause?.upstreamProject ?: ''
 def expectedUpstreamJob = params.EXPECTED_UPSTREAM_JOB?.trim()
 def allowedUpstreamJob = env.GENARRATIVE_ALLOWED_UPSTREAM_JOB?.trim()