@@ -117,13 +117,21 @@ jenkins:
117117 logoutUrl: "${SAML_LOGOUT_URL}"
118118 maximumAuthenticationLifetime: 86400
119119
120- # Authorization strategy - allow anonymous read access
120+ # Authorization Strategy: Global Matrix Authorization
121+ # Admin access: lf-releng, lf-sysops groups from LF LDAP
122+ # Anonymous access: read-only for public CI transparency
121123 authorizationStrategy:
122124 globalMatrix:
123125 permissions:
124- - "Overall/Read:anonymous"
125- - "Job/Read:anonymous"
126- - "View/Read:anonymous"
126+ # Anonymous read-only access
127+ - "USER:Overall/Read:anonymous"
128+ - "USER:Job/Discover:anonymous"
129+ - "USER:Job/Read:anonymous"
130+ - "USER:View/Read:anonymous"
131+
132+ # Admin groups (LF teams)
133+ - "GROUP:Overall/Administer:lf-releng"
134+ - "GROUP:Overall/Administer:lf-sysops"
127135
128136 # Kubernetes cloud configuration for dynamic build agents
129137 clouds:
@@ -182,7 +190,11 @@ jenkins:
182190 ebsOptimized: false
183191 hostKeyVerificationStrategy: OFF
184192 idleTerminationMinutes: "60"
185- initScript: "sudo dnf clean all && sudo rm -rf /var/cache/dnf && sudo dnf repolist && sudo dnf update --releasever=latest --skip-broken --exclude=openssh* --exclude=docker* --exclude=gh* --exclude=openssl* -y && docker ps"
193+ initScript: >-
194+ sudo dnf clean all && sudo rm -rf /var/cache/dnf &&
195+ sudo dnf repolist && sudo dnf update --releasever=latest
196+ --skip-broken --exclude=openssh* --exclude=docker*
197+ --exclude=gh* --exclude=openssl* -y && docker ps
186198 labelString: "Jenkins-Agent-AL2023-X64-c5.4xlarge-Single-Host"
187199 launchTimeoutStr: "300"
188200 maxTotalUses: 10
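Review bot: The two `GROUP:Overall/Administer:` grants in the authorizationStrategy hunk are documented as "from LF LDAP", but the context lines above them (`logoutUrl: "${SAML_LOGOUT_URL}"`, `maximumAuthenticationLifetime`) suggest the security realm is SAML. If so, the grants match nobody unless the IdP's groups attribute delivers exactly `lf-releng` and `lf-sysops`. I would reword the comment to `# Admin access: lf-releng, lf-sysops as delivered in the SAML groups attribute` and confirm the mapping with a test login before rollout. The `USER:`/`GROUP:` prefixes look like the typed-entry format of newer matrix-auth releases, so the plugin version this file assumes should be pinned or noted next to it. `Job/Discover:anonymous` appears redundant alongside `Job/Read:anonymous`, and since anonymous `Job/Read` exposes console output publicly, the comment should say that jobs must mask credentials in their logs.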