Running arbitrary commands directly on the node is already possible in several places in the Jenkinsfile:
- https://github.com/apache/tvm/blob/main/Jenkinsfile#L97
- https://github.com/apache/tvm/blob/main/Jenkinsfile#L127
- https://github.com/apache/tvm/blob/main/Jenkinsfile#L167
So our security is relatively poor even today. We can mitigate risks by:
- ensuring every step is wrapped in a reasonable timeout
- getting rid of persistent nodes (workers) and using autoscaled nodes only
- require approval to run for first time contributors (GitHub Actions update: Helping maintainers combat bad actors | The GitHub Blog), though Jenkins may not easily support this
- make sure scripts run outside of docker are checked out from the target branch and not the PR branch for forked PRs (similar to how we manage the Jenkinsfile now). This would be troublesome for CI development for non-committers (i.e. me) but should lock down most of the vulnerability surface. We could take this further and only rebuild docker images on branches, which would still make testing / updating easier without the risks.