After build finishes, Jenkins processes artifacts using "publishers". Each publisher gets access to artifacts in turn (order is not user-selectable) and can do something about them, but apparently not side-effects (like (re)moving artifacts). So, there're publishers:

  • Archive artifacts publisher (Jenkins builtin) which takes some subset of files from workspace (using a pattern), stores them on the master, and updates build's config with information about them, so they will be shown in Jenkins UI.
  • Various "publish to" publishers, mostly plugins, which copy some subset of files from workspace (using another pattern) somewhere.

Publishers appear to be context-free (they have no knowledge about other publishers, the order in which they run is not defined).

Doing SCPing on level of Jenkins (using plugins)

Pros:

  • All processing happens on master (no need to put keys on slaves, more secure)

Cons:

  • We send testing requests to LAVA at the end of build, so when the request is made, artifacts are not yet available for download (actually, we have the same race even now, but SCPing will increase delays).
  • Jenkins internal artifact links are still not updated with new URLs (this handed by different publisher)

Doing SCPing on level of build scripts

Pros:

  • Generally easier and more visible (in the same codebase, changes are tracked and can be reviewed)

Cons:

  • Requires presence of SSH key on slave

Both methods don't update artifact URLs as appear in Jenkins. It can be investigated if it's possible to develop custom publisher for that as a future solution, but before that, one can either:

  1. Disable "archive artifacts" publisher for jobs which need to be protected
  2. Add adhoc Apache rules to 403 download URLs for those jobs.

With first solution, we need to check that disabling showing of URLs actually make artifacts not accessible (by direct links for example; also, check there's no security races, like Jenkins put it for some time into accessible place, runs thru publishers, and then removes - so there's a window when they can be downloaded).

PaulSokolovsky/JenkinSCPNotes (last modified 2011-12-12 11:28:57)