Locked runner now running unauthorized shared jobs (10.7)
Since 10.7 Update, a locked runner can run unauthorized jobs
Steps to reproduce
(Some steps may not be required, but this is how we reproduced in our environment)
- Register a runner, lock it, but do not enable any projects.
- Set a tag on the locked runner that is also shared with public runners. (We use datacenter name for example)
- Run a job on a project that expects shared runners but also specifies the tag on the locked runner.
- There is a chance the locked runner will pick up and run the job, even if the project is not authorized to
What is the current bug behavior?
Unauthorized project job runs on a locked runner
What is the expected correct behavior?
Job never runs on a locked runner unless the project is enabled for it
Shows the runner is locked, but will process all unassigned projects if it has not been assigned any projects. This deviates from pre-10.7 where it would never run a job in this scenario.