Configure Script Approvals
Your checklist for this issue
🚨 Please review the guidelines for contributing to this repository.
- Link to any upstream changes that might be required (for example Jenkins Core pull request)
I don’t think there are any dependencies to implement this, but I don’t know enough about the internals to know for sure.
Feature Request
It is already possible to configure approvedSignatures:
security:
  scriptApproval:
    approvedSignatures:
      - "some signature"
But it isn’t possible to configure approved scripts or hashes of approved scripts, which is what’s technically being approved.
I’m working on migrating from jenkins-startup-scripts, where this is a built-in feature. The implementation is quite simple, so I don’t see why this couldn’t be included in JCasC.
Obtaining the hashes is a bit of a pain, as it requires you to run the job that needs the script approvals, then approve them in the UI and finally grab the hashes from scriptApproval.xml in JENKINS_HOME. So we might want to simplify that by letting the user provide the whole script, but getting feature parity with the jenkins-startup-scripts is a good start.
So here is my suggestion:
security:
  scriptApproval:
    approvedScriptHashes:
      - "some hash"
To make life easier, we could also have:
security:
  scriptApproval:
    approvedScripts:
      - "some script"
However, that is a bit more effort and mostly a nice-to-have. The first one is essential, though.
I’m happy to create a PR, but I don’t have any experience with this code base, so I would be happy if someone wants to help out. Also, if there are any workarounds available right now, please let me know.
Issue Analytics
- Created 3 years ago
- Reactions: 1
- Comments: 13 (7 by maintainers)
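The manual step described in the issue (copying approved hashes out of scriptApproval.xml in JENKINS_HOME) can be scripted. The following is an added example, not code from the issue or from any Jenkins plugin: it reads the approved hashes, drops duplicates and malformed entries, and renders them under the `approvedScriptHashes` key the issue proposes. The XML element names, the hash format check and the sample hashes are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumption about how the
# script-security plugin lays out scriptApproval.xml; hashes are made up.
SAMPLE_XML = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security">
  <approvedScriptHashes>
    <string>0123456789abcdef0123456789abcdef01234567</string>
    <string>89abcdef0123456789abcdef0123456789abcdef</string>
    <string>0123456789abcdef0123456789abcdef01234567</string>
    <string>not-a-hash</string>
  </approvedScriptHashes>
  <approvedSignatures>
    <string>method java.lang.String trim</string>
  </approvedSignatures>
</scriptApproval>
"""

# Assumption: a hash is lowercase hex, optionally prefixed "ALGORITHM:".
HASH_RE = re.compile(r"^(?:[A-Z0-9]+:)?[0-9a-f]{40,128}$")

def approved_hashes(xml_text):
    """Return (unique valid hashes in file order, rejected entries)."""
    # Jenkins writes an XML 1.1 declaration, which Python's expat-based
    # parser does not accept, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    valid, rejected = [], []
    for node in root.findall("./approvedScriptHashes/string"):
        value = (node.text or "").strip()
        if not HASH_RE.match(value):
            rejected.append(value)      # never copy unvetted text into config
        elif value not in valid:
            valid.append(value)
    return valid, rejected

def to_jcasc_yaml(hashes):
    """Render the approvedScriptHashes block proposed in the issue."""
    lines = ["security:", "  scriptApproval:", "    approvedScriptHashes:"]
    lines += [f'      - "{h}"' for h in hashes]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hashes, bad = approved_hashes(SAMPLE_XML)
    print(to_jcasc_yaml(hashes), end="")
    for entry in bad:
        print(f"# skipped malformed entry: {entry!r}")
```

Each hash pre-approves a script, so the rendered list should be reviewed and version-controlled like any other security policy.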
Top GitHub Comments
You need to install this plugin: https://github.com/jenkinsci/configuration-as-code-groovy-plugin
For anyone watching this issue, I reported it for the script-security-plugin in JIRA: https://issues.jenkins-ci.org/browse/JENKINS-62708