contrib/intel/jenkins: Do not run pipeline for unauthorized users

Lookup a all teams and users in the ofiwg github team. If the submitter is not in the list of users then deny them If they are, lookup their email address (required to be publicly available) and if their email address matches the PR submitter's address then allow them. All other cases are denied. Signed-off-by: Zach Dworkin <zachary.dworkin@intel.com>
ofiwg · Dec 18, 2024 · d77f8d5 · d77f8d5
1 parent 9b7f27c
commit d77f8d5
Showing 1 changed file with 21 additions and 7 deletions.
diff --git a/contrib/intel/jenkins/Jenkinsfile b/contrib/intel/jenkins/Jenkinsfile
@@ -397,6 +397,27 @@ pipeline {
         }
       }
     }
+    stage ('bootstrap-ci') {
+      steps {
+        script {
+          bootstrap_ci()
+        }
+      }
+    }
+    stage('check-authorization') {
+      steps {
+        script {
+          sh """source ${CI_LOCATION}/${env.CI_MODULE}/venv/bin/activate;\
+                python ${CI_LOCATION}/authorize.py \
+                --author=${env.CHANGE_AUTHOR} \
+                --email=${env.CHANGE_AUTHOR_EMAIL} \
+                --root_ca_path=${env.ROOT_CA_PATH} \
+                --priv_key_path=${env.PRIV_KEY_PATH} \
+                --pub_key_path=${env.PUB_KEY_PATH} \
+          """
+        }
+      }
+    }
     stage ('opt-out') {
       steps {
         script {
@@ -433,13 +454,6 @@ pipeline {
         }
       }
     }
-    stage ('bootstrap-ci') {
-      steps {
-        script {
-          bootstrap_ci()
-        }
-      }
-    }
     stage ('build-libfabric') {
       when { equals expected: true, actual: DO_RUN }
       parallel {