Skip to content

[JENKINS-76310] Make secret token work with CSP enforced#149

Merged
Puffy1215 merged 3 commits intojenkinsci:masterfrom
daniel-beck:JENKINS-76310
Dec 4, 2025
Merged

[JENKINS-76310] Make secret token work with CSP enforced#149
Puffy1215 merged 3 commits intojenkinsci:masterfrom
daniel-beck:JENKINS-76310

Conversation

@daniel-beck
Copy link
Member

@daniel-beck daniel-beck commented Nov 25, 2025
edited
Loading

https://issues.jenkins.io/browse/JENKINS-76310

Second iteration: No longer uses weird f:validateButton feature. I recommend squash-merging due to unclean history.

Testing done

Manually navigated to the buttons and clicked them, checked CSP findings -- none. Work when CSP is enforced.

Screenshots

I used this opportunity to make the buttons look nicer, now that we're not using f:validateButton anymore.

Before

Screenshot 2025-12-02 at 18 08 56

After

Screenshot 2025-12-02 at 18 07 51

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

@Puffy1215 Puffy1215 added the bug Incorrect or flawed behavior label Nov 25, 2025
@daniel-beck daniel-beck marked this pull request as ready for review December 2, 2025 12:55
@daniel-beck daniel-beck requested a review from a team as a code owner December 2, 2025 12:55
Puffy1215
Puffy1215 reviewed Dec 2, 2025
View reviewed changes
pom.xml Outdated
<!-- https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ -->
<jenkins.baseline>2.504</jenkins.baseline>
<jenkins.version>${jenkins.baseline}.3</jenkins.version>
<jenkins.version>2.540</jenkins.version>
Copy link
Contributor

@Puffy1215 Puffy1215 Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have in the past use LTS versions. I am not sure we want to change that at the moment.

If i am reading this right, the next LTS version to be chose is on 2025/12/10. i would like to know what version is next after 2.528.3. we may end up in situation where we are on a weekly release for multiple months if new LTS version number is lower than 2.540, which in my mind means more maintenance required.

I am not opposed to useing weekly release, but I would like to know when next compatible LTS version would be.

Copy link
Contributor

@MarkEWaite MarkEWaite Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Next LTS baseline will most likely be 2.541 and will release Jan 21, 2026. Baseline selection happens Dec 10, 2025.

Copy link
Contributor

@Puffy1215 Puffy1215 Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then i think we have no issue. I think this is important to merge as it is related to security configuration. I will merge when I have a chance to run it.

Copy link
Member Author

@daniel-beck daniel-beck Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Obsoleted by 5c0ae56 which solves this entirely client-side. WDYT?

@Puffy1215
Copy link
Contributor

Puffy1215 commented Dec 2, 2025

Thank you for your pull request. I left a comment about baseline version. I am curious about your thoughts.

@daniel-beck
Copy link
Member Author

daniel-beck commented Dec 2, 2025

I'll look into making this work without a new baseline at all. There's no real reason for this to not be pure client-side JS, I just kept to the current approach as that's a more straightforward migration.

This will also remove consumers of this feature in plugins, thereby making it easier to just retire it.

@Puffy1215
Copy link
Contributor

Puffy1215 commented Dec 4, 2025

I'll look into making this work without a new baseline at all. There's no real reason for this to not be pure client-side JS, I just kept to the current approach as that's a more straightforward migration.

This will also remove consumers of this feature in plugins, thereby making it easier to just retire it.

Thank you. The change looks good. I will merge.

@Puffy1215 Puffy1215 merged commit 1b42e96 into jenkinsci:master Dec 4, 2025
17 checks passed
@daniel-beck daniel-beck deleted the JENKINS-76310 branch December 10, 2025 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MarkEWaite MarkEWaite MarkEWaite left review comments

@Puffy1215 Puffy1215 Puffy1215 left review comments

Assignees

No one assigned

Labels

bug Incorrect or flawed behavior

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@daniel-beck @Puffy1215 @MarkEWaite