That is possible. I restricted access to the github token to the log4net
build job only. Stefan, would you like to try whether you can gain access
to that token? I can guide you to where you can find it off-list.

On Wed, 13 Jun 2018, 17:40 Ralph Goers, <ralph.go...@dslextreme.com> wrote:

> Jenkins does have a way of storing credentials. However, I don’t know if
> there is a way to limit which jobs can use the credentials.
>
> Ralph
>
> > On Jun 13, 2018, at 6:48 AM, Stefan Bodewig <bode...@apache.org> wrote:
> >
> > On 2018-06-13, Dominik Psenner wrote:
> >
> >> As far as I can tell, the secrets stored in jenkins.a.o are
> >> trustworthy. For instance I used a github access token generated from
> >> my github account that grants jenkins access to the log4net-logging
> >> repository on github. I am convinced that nobody else can steal that
> >> token without logging in to jenkins using my credentials. Stefan,
> >> would you please elaborate the reasonings of why you do not trust pgp
> >> signatures issued by builds.a.o?
> >
> > Maybe just because I'm paranoid. How would you store the private part of
> > a PGP key in Jenkins in a way that cannot be compromised by people who
> > log in to Jenkins or a malicious Jenkins addon that gets installed?
> >
> > Stefan
> >
>
>
>

Reply via email to