Hi all,

As you may have noticed, yesterday we had a situation on Jenkins where around 500 jobs were queuing up. Many of them were building Dependabot branches from our GitHub mirrors.

The way Dependabot works is they do *not* create a fork of our repos. Instead they create a branch in our repos and push one commit that updates a particular dependency. Because of the sync between GitHub and the ASF GitBox, that branch also exists in the ASF GitBox. And because of that, Jenkins may decide to start building it (as happened yesterday). This means we pull in changes from others that get executed on ASF infrastructure without any Maven committer reviewing or approving those changes.

In the Jenkins user interface, I see there's an option to build only specific branches. I'm thinking of excluding everything that starts with dependabot/ there, just to be sure. Before I continue, does anyone know if it's possible to configure this with a Jenkinsfile?

Thanks,

Maarten

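An added example of what the Jenkinsfile side of this looks like (this is not the Maven project's own Jenkinsfile; the agent label and the Maven command are assumptions). A declarative pipeline can skip its stages on branches matching dependabot/* using a `when` condition with the GLOB comparator:

```groovy
// Added example, not the Maven project's own Jenkinsfile.
// Assumptions: an agent label 'ubuntu' exists and the build is plain Maven.
pipeline {
    agent none
    stages {
        stage('Build') {
            when {
                // Evaluate the condition before an agent is requested, so a
                // skipped dependabot/* branch does not occupy an executor.
                beforeAgent true
                // BRANCH_NAME is set by the multibranch plugin; the GLOB
                // comparator matches names such as the illustrative
                // dependabot/maven/org.example-lib-1.2
                not { branch pattern: 'dependabot/*', comparator: 'GLOB' }
            }
            agent { label 'ubuntu' }   // assumed label
            steps {
                sh 'mvn -B -V verify'   // assumed build command
            }
        }
    }
}
```

In a scripted pipeline the equivalent check is `env.BRANCH_NAME.startsWith('dependabot/')`. The caveat is that in a multibranch pipeline the Jenkinsfile is read from the branch being built, so a condition inside it only takes effect after the branch has already been discovered, a build scheduled, and that branch's own Jenkinsfile loaded; it keeps the executors free but does not stop the branch from being built at all. Keeping dependabot/* branches out entirely has to be done in the multibranch job's branch source configuration (the "Filter by name (with wildcards)" behavior from the Branch API plugin, with dependabot/* in the excludes), which is the option in the Jenkins user interface rather than anything in the Jenkinsfile.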