How to allow only "git tag" from Jenkins pipeline

Time:11-02

We need to only allow tags to be created from Jenkins pipelines, which means we need to disallow specific commands such as "git commit".

Jenkins agents' OS is Windows Server 2016. It could also be something done at Jenkins master level.

Any recommendations?

Thank you

CodePudding user response:

The lowest level of authorization in Jenkins is project-based security via the Matrix Authorization Strategy plugin.

The only idea that comes into my mind atm:

  1. Remove Git's binary folder from PATH.

  2. Create a wrapper git.cmd or git.ps1 that only accepts arguments from a whitelist of Git commands.

  3. a) Add the wrapper's folder to your PATH.
     b) Refer to the wrapper in Jenkins' Global Tool Configuration → Git.
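
A sketch of the wrapper from step 2, added here as an example and not code from the answer. The path to `git.exe`, the contents of the allowlist, and the function name `Test-GitCommandAllowed` are assumptions to adjust per agent; restricting `push` to tag refs goes beyond what the answer describes.

```powershell
# git.ps1 - added example wrapper; its folder goes on PATH in place of Git's.
# A one-line git.cmd shim beside it makes it reachable from bat steps:
#   @powershell.exe -NoProfile -File "%~dp0git.ps1" %*

# Assumption: default Git for Windows install location; adjust per agent.
$RealGit = 'C:\Program Files\Git\cmd\git.exe'

# Assumption: subcommands the pipeline needs for checkout, plus tagging.
# "commit" and anything else not listed here is refused.
$Allowed = @(
    'tag', 'push', 'init', 'clone', 'fetch', 'checkout', 'config',
    'rev-parse', 'rev-list', 'log', 'show', 'status', 'describe',
    'ls-remote', 'version', '--version'
)

function Test-GitCommandAllowed {
    param([string[]]$GitArgs)
    if (-not $GitArgs) { return $false }

    # The first argument must be the subcommand itself; global options such
    # as -c or -C in front of it are refused along with unlisted subcommands.
    $sub = $GitArgs[0]
    if ($Allowed -cnotcontains $sub) { return $false }
    if ($sub -cne 'push') { return $true }

    # push: only "push <remote> --tags" or explicit refs/tags/<name> refspecs,
    # so branches cannot be updated through the wrapper.
    $rest     = @($GitArgs | Select-Object -Skip 1)
    $options  = @($rest | Where-Object { $_ -like '-*' })
    $refspecs = @($rest | Where-Object { $_ -notlike '-*' } | Select-Object -Skip 1)
    foreach ($o in $options)  { if ($o -cne '--tags') { return $false } }
    foreach ($r in $refspecs) { if ($r -cnotmatch '^refs/tags/[^:+]+$') { return $false } }
    return ($options.Count -gt 0 -or $refspecs.Count -gt 0)
}

if (-not (Test-GitCommandAllowed -GitArgs $args)) {
    [Console]::Error.WriteLine("git wrapper: 'git $($args -join ' ')' is not permitted on this agent")
    exit 1
}

# Hand the unchanged arguments to the real binary and return its exit code.
& $RealGit @args
exit $LASTEXITCODE
```

The wrapper only governs calls that resolve `git` through PATH or the tool configuration, so pair it with a server-side rule on the repository if the restriction must hold regardless of what a job runs.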
