I am using the Jenkins Pipeline plugin to build commits on my GitHub repository. However, while I do trust the people on GitHub enough to make commits on the repository, the server is shared infrastructure across multiple projects, and I don't want to give them effectively root access to the slaves.
I see that the plugin will block Jenkinsfile changes from Pull Requests. Is it possible to configure similar functionality for all Jenkinsfile changes?
Note that some of these people are owners on the GitHub organization, so the fix must be on Jenkins and not on GitHub.
If you do not trust these people, is disallowing them from changing the Jenkinsfile enough?
To have proper testing, the Jenkins server will at some point have to run your code, so if they can push a change to a certain file that they know will be executed on your Jenkins machine, they could alter it at will and make it run whatever you are trying to block them from running in the Jenkinsfile.
Taking away their GitHub owner status doesn't even solve this problem; they can make a pull request with bad code in it, which your Jenkins machine will merge and run.
Also, your Jenkins shouldn't run as root; have a jenkinsuser without sudo rights to run the tests.
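The last point of the answer above, written as a check that can run as a build step on an agent. This is an added example, not part of the original answer; the function names and the list of privileged groups are assumptions to adjust per distribution.

```shell
#!/bin/sh
# Added example: audit the account a Jenkins agent runs builds as.
# The privileged group names are an assumed, common set; membership in
# docker or lxd is treated as root-equivalent.

# check_account UID "GROUP LIST" SUDO_OK(yes|no)
# Prints one finding per line; returns 0 if clean, 1 on any finding.
check_account() {
    uid=$1; groups=$2; sudo_ok=$3; rc=0
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: builds run as root (uid 0)"; rc=1
    fi
    for g in $groups; do
        case $g in
            sudo|wheel|admin|docker|lxd)
                echo "FAIL: member of privileged group '$g'"; rc=1 ;;
        esac
    done
    if [ "$sudo_ok" = yes ]; then
        echo "FAIL: passwordless sudo is available"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: unprivileged build account"
    return "$rc"
}

# audit_current_user: gather the facts for whoever runs this script
# and pass them to check_account.
audit_current_user() {
    # sudo -n never prompts; it succeeds only if no password is needed.
    if command -v sudo >/dev/null 2>&1 && sudo -n true 2>/dev/null; then
        s=yes
    else
        s=no
    fi
    check_account "$(id -u)" "$(id -Gn)" "$s"
}
```

Calling `audit_current_user` from a job on each agent reports what a pushed change would be able to do there; a non-zero exit means the build account has more privilege than the answer recommends.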