M api/graph/schema.graphqls => api/graph/schema.graphqls +4 -2
@@ 437,8 437,10 @@ type Mutation {
"""
Submits a new job to the queue.
- 'secrets' may be set to false to disable secrets for this build. Secrets
- are enabled if unspecified.
+ 'secrets' may be set to false to disable secrets for this build. If
+ unspecified, secrets are enabled if at least one is specified in the manifest
+ and the SECRETS:RO grant is available. Enabling secrets requires the
+ SECRETS:RO grant.
'execute' may be set to false to defer queueing this job. Builds are
executed immediately if unspecified.
M api/graph/schema.resolvers.go => api/graph/schema.resolvers.go +13 -4
@@ 285,12 285,21 @@ func (r *mutationResolver) Submit(ctx context.Context, manifest string, tags []s
}
}
+ hasSecretsScope := user.Grants.Has("SECRETS", auth.RO)
+
+ var sec bool
+ if secrets != nil {
+ sec = *secrets
+ } else {
+ sec = len(man.Secrets) > 0 && hasSecretsScope
+ }
+
+ if sec && !hasSecretsScope {
+ return nil, fmt.Errorf("Missing SECRETS:RO grant")
+ }
+
var job model.Job
if err := database.WithTx(ctx, nil, func(tx *sql.Tx) error {
- sec := true
- if secrets != nil {
- sec = *secrets
- }
status := "pending"
if execute == nil || *execute {
status = "pending"
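Review bot: The new error on the `sec && !hasSecretsScope` branch is built with `fmt.Errorf` and a capitalised constant string; Go convention is a lowercase, wrap-friendly message via `errors.New`, e.g. `return nil, errors.New("missing SECRETS:RO grant")` (keep the capitalised form only if the other resolver errors in this file deliberately use it for client display). The implicit path on the `else` branch is the one worth a comment: a caller without SECRETS:RO who submits a manifest that lists secrets gets a build with secrets silently disabled rather than an error, which matches the schema text but is easy to miss when reading the resolver — `// secrets unspecified: default on only when the manifest uses them AND the caller holds SECRETS:RO; otherwise silently off` would make that intent explicit. Since `sec` is now declared before the transaction and captured by the closure, the removal of the inner `sec := true` is required and correct; note that `Submit` starts and ends outside this hunk, so the origin of `user` and `man` was not reviewed.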