From a81503921d81e1e8d8667d804b80c6904c0e1d70 Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@redhat.com>
Date: Wed, 16 Jan 2019 16:26:16 -0800
Subject: [PATCH] Set allowed-projects on system-config image jobs

Without this, other projects could run this job (or its descendents)
and pass in an images dictionary instructing it to upload something
to one of our repositories.

Change-Id: I2c68d6673217bbc274c1134ee221cd6484abcf16
---
 .zuul.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.zuul.yaml b/.zuul.yaml
index 559b845106..804194677a 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -48,6 +48,7 @@
       <https://zuul-ci.org/docs/zuul-jobs/roles.html#role-build-docker-image>`_
       for details.
     abstract: true
+    allowed-projects: openstack-infra/system-config
     pre-run: playbooks/zuul/build-image/pre.yaml
     run: playbooks/zuul/build-image/run.yaml
 
@@ -61,6 +62,7 @@
       <https://zuul-ci.org/docs/zuul-jobs/roles.html#role-upload-docker-image>`_
       for details.
     abstract: true
+    allowed-projects: openstack-infra/system-config
     post-run: playbooks/zuul/build-image/upload.yaml
     secrets:
       name: credentials
@@ -75,6 +77,7 @@
       <https://zuul-ci.org/docs/zuul-jobs/roles.html#role-promote-docker-image>`_
       for details.
     abstract: true
+    allowed-projects: openstack-infra/system-config
     run: playbooks/zuul/build-image/promote.yaml
     secrets:
       name: credentials