I’d like students to work in teams on private repos and turn the assignments in using some mechanism that involves running automated tests with Jenkins (without making a Jenkins job per repo).
I had hoped to have a master repo that students could make private PRs against, but (a) GitHub apparently doesn’t support private PRs (which seems like a huge problem for security-focused PRs for normal projects, so I really don’t understand how that functionality could possibly be missing); and (b) students’ repos are not forks of the starter code repo so GitHub’s PR mechanism doesn’t appear to work.
The crux of the issue here is that when you fork a repository on GitHub, the newly created repository becomes part of the repository network. Since many teachers don’t want the students to see the work of others we don’t use forks in GitHub Classroom.
If you’re happy to have students see the work of others, you can use forks of a private repository to accomplish what you’re trying to do. If you need to keep all student work separate, there’s no automated way to set up the Jenkins integration right now.
You can manually add the Jenkins integration to each repository created by GitHub Classroom for the time being. We are planning to automate this in GitHub Classroom in the future, for details see the relevant GitHub issue:
The only approach I’ve found to work so far is with using Jenkins pipeline as code system, where I can have a Jenkins file in the base repos that gets picked up by Jenkins (as it scans the entire organisation) and generates a job for the repos.
Is there any particular reason you don’t want a job per repos?
I’d be happy with a job per repo as long as I get to define the job. Once students can write or modify a Jenkinsfile, they have shell access on the Jenkins machine. Worse than that, they can use the Jenkinsfile to learn the GitHub Personal Access Token which gives them access to the whole GitHub organization (with whatever privileges I’ve assigned to the PAC).
Pipeline as code is clearly not designed for adversarial input.
I’m beginning to think I should write a simple web app that listens for the GitHub webhooks’ POST, parses the JSON, and runs a specified script per push matching some criteria. But I’d prefer not to have to resort to that.
That seems like the correct approach. It’s on our list to add something like this to Classroom directly so that we can kick off the build process automatically for you, but it’s not likely to be built in the immediate future.
I believe this is what freecodecamp does, the webhook triggered validation. That’s the system I’m looking to add as well. Although I plan on adding a check command to every assignment to help students validate their work as they do it from the command line as well.
I realise that you specifically say Jenkins, but hopefully the following, which I’ve used with my students, which uses an alternative CI will be useful for some people, or possible this may be a better solution for you.
Travis CI integrates very nicely with github and with the free private repos that github provides for education you get free use of travis CI on these repositories.
Because all of my students’ repositories are part of my department’s github organisation (either created by Classroom or by me) I can automatically make the repository build in on Travis’ own servers using the command line tool.
I asked around Microsoft and completely failed to get somebody who could do academic discounts on Azure Pipeline DevOps. There’s a comparable service called Google Cloud Build, where you can pretty easily request that Google give you credits for free Google Cloud cycles, and the same is probably true for Amazon.
Of course, there’s a world of difference between “here are some free credits, but if you go over we charge your credit card” and “it’s free, we love academics!”. So far as I can tell, Travis-CI is offering a free license to Travis-CI Enterprise, which you run on your own computers, but I haven’t seen any announcement from them about offering more than 1x concurrency on their servers.
Meanwhile, GitHub is working on their own product in this space, GitHub Actions, which is currently in an invitation-only beta phase. Maybe they’ll have something for us when the product hits final release?
“Privacy” means very different things to different people. If you’re primarily concerned that one student doesn’t see another student’s work, then GitHub private repositories, which you can set as a default with GitHub Classroom, are all you need. If you want to ensure that GitHub learns nothing whatsoever about your students, then you should be running your own Git server (perhaps with GitHub Enterprise, or perhaps with something else like GitLab) on your own hardware.