Preventing unsanctioned deploys in Jenkinsfile (Multibranch Pipeline)

We're running Jenkins with multibranch pipeline plugin attached to GitHub organization's repository with Jenkinsfile in some of its branches. Jenkins has access to multiple other agents & nodes where it deploys code after it's successfully built.

The problem: I want to prevent other devs from running builds with modified Jenkinsfile in their branches and pull requests.

  • Solution 1: when statement in Jenkinsfile: poor security. Anyone can modify it, remove the when clause and break production.
  • Solution 2: locked files on repo: not available on GitHub. I'm seriously considering moving to GitLab because they have this function.
  • Solution 3: separate job in Jenkins for deployment: overkill. I think there should be a Pipeline-ish solution for this.

How can I make sure that the used Jenkinsfile is authentic and not modified? Is there any solution to this that I'm missing? I want this to be secure enough to prevent anyone with push access from intentionally breaking things, e.g. git pre-push hooks are not a solution.

Andrew Dunai asked Oct 17 '22 11:10


1 Answer

You can use Custom Script mode under the Build Configuration section in the configuration of the multibranch project. This way the Jenkinsfile in the different branches will not be used, but rather what you define in the job configuration: either by selecting Pipeline script in the Definition section (while preventing the developers from modifying the Jenkins job configuration), or by selecting Pipeline script from SCM, where you can specify any file in basically any repository to be the Jenkinsfile.

For example, none of our repositories have a Jenkinsfile; there is only one Jenkinsfile for all of our projects that only I update, and it lives in a separate repository.

Gergely Toth answered Nov 03 '22 04:11

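As an added example (not from the answer, nor code shipped with Jenkins), the following audit reads a multibranch project's config.xml and reports whether the job still trusts the Jenkinsfile found in every branch and pull request, or a centrally defined script as the answer recommends. The stock per-branch factory class name is the one Jenkins writes; the class name assumed for the Custom Script factory is an assumption, and both config fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Factory written by Jenkins for a stock multibranch project: the pipeline script
# is read from each branch, so anyone who can push controls what gets deployed.
PER_BRANCH_FACTORY = "org.jenkinsci.plugins.workflow.multibranch.WorkflowBranchProjectFactory"
# ASSUMED class name of the "Custom Script" build configuration described in the answer.
CENTRAL_FACTORY = "org.jenkinsci.plugins.pipeline.multibranch.defaults.PipelineBranchDefaultsProjectFactory"


def audit_factory(config_xml: str) -> dict:
    """Classify which pipeline script source a multibranch project trusts."""
    root = ET.fromstring(config_xml)
    factory = root.find("factory")
    if factory is None:
        return {"trusted_source": "unknown", "finding": "no <factory> element"}
    cls = factory.get("class", "")
    if cls == PER_BRANCH_FACTORY:
        path = factory.findtext("scriptPath", default="Jenkinsfile")
        return {"trusted_source": "branch", "script": path,
                "finding": f"'{path}' is taken from every branch/PR; pushers control the pipeline"}
    if cls == CENTRAL_FACTORY:
        return {"trusted_source": "central",
                "finding": "script is defined centrally; branch Jenkinsfiles are ignored"}
    return {"trusted_source": "unknown", "finding": f"unrecognised factory {cls!r}"}


# Constructed sample: default multibranch job, Jenkinsfile read from each branch.
PER_BRANCH_CONFIG = """
<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
  <factory class="org.jenkinsci.plugins.workflow.multibranch.WorkflowBranchProjectFactory">
    <scriptPath>Jenkinsfile</scriptPath>
  </factory>
</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
"""

# Constructed sample: job switched to Custom Script mode (assumed factory class name).
CENTRAL_CONFIG = """
<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
  <factory class="org.jenkinsci.plugins.pipeline.multibranch.defaults.PipelineBranchDefaultsProjectFactory"/>
</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
"""


def audit_all(configs: dict) -> list:
    """Return (job name, finding) pairs for every job that still trusts branch scripts."""
    return [(name, audit_factory(xml)["finding"])
            for name, xml in configs.items()
            if audit_factory(xml)["trusted_source"] != "central"]


if __name__ == "__main__":
    for name, finding in audit_all({"app-ci": PER_BRANCH_CONFIG, "infra-ci": CENTRAL_CONFIG}):
        print(f"{name}: {finding}")
```

Running it against real jobs means fetching each project's config.xml from the controller (e.g. with the Jenkins REST API and a read-only token) and feeding it to audit_all.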