
Add Jenkins testing and Gemnasium monitoring #409

Open
wants to merge 1 commit into base: master
Conversation

@jamiemccarthy (Contributor) commented Apr 4, 2017

What does this do?

Previously autotune had been tested by Jenkins. But with the move to Jenkins 2.0 it got left behind. This PR:

  • adds it back into Jenkins' list of tested projects
  • adds automated Gemnasium vulnerability analysis

In addition to this PR, I've verified the Gemnasium project slug is correct, and added autotune into the Jenkins project-name regex.

More eyes wanted, please

Can someone who knows more about node than I do please see if these lines would make sense? And if so, uncomment them.

The Jenkinsfile here was basically copied from anthem, and I checked bin/test_docker_build.sh by eye, so I don't have any reason to think they won't work. But I'm not a Jenkins expert.

Deploy

Merging will suffice; no deploy is actually necessary (though it shouldn't hurt, of course).

Jenkins scans all voxmedia repositories periodically to determine which should appear in the Vox Media list. Until this merges, autotune won't appear, because it's missing a Jenkinsfile. After this merges, I think you can wait a few hours and then check the console to see if an automatic scan picked it up -- or I think you can open the configure page and probably just click Save to trigger an immediate scan.

@clifff (Contributor) commented Apr 5, 2017

It was a purposeful decision to not move autotune to Jenkins 2.0. This is a public repo and anybody could open up a PR with arbitrary code in a Jenkinsfile, which would automatically run on our Jenkins instance.

@jamiemccarthy (Contributor, Author)

Ouch, good point. Thanks for clarifying Clif! I've taken it back out of the Jenkins repository name pattern.

@jamiemccarthy jamiemccarthy deleted the systems-push-gemnasium-update branch April 5, 2017 12:38
@ryanmark ryanmark restored the systems-push-gemnasium-update branch April 6, 2017 16:45
@ryanmark (Contributor) commented Apr 6, 2017

Reopening

@ryanmark ryanmark reopened this Apr 6, 2017
@ryanmark (Contributor) commented Apr 6, 2017

So this is 👍 to merge; however, we need to find an alternate way to run these tests.

@clifff (Contributor) commented Apr 6, 2017

@ryanmark Just an idea: we could set up a specific Jenkins job that only runs on master, but not automatically against pull requests.

@ryanmark (Contributor) commented Apr 6, 2017

@clifff that's doable, although the PR tests are nice. Could we put the Jenkinsfile elsewhere so it can't be changed via a public PR? Would that address the security issue?

@clifff (Contributor) commented Apr 6, 2017

[screenshot, 2017-04-06: GitHub Branch Source plugin configuration options for building pull requests]

These are the configuration options on the GitHub Branch Source plugin we use to automatically build PRs. Given the wording here, I actually think that a PR opened by a non-Vox Media org user would be on a fork, and not automatically run. I'm all for merging this into master and doing some experiments to verify whether or not our concern applies.
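The option clifff's screenshot refers to is the fork trust policy of the GitHub Branch Source plugin. The following is an added example, not code from this PR or from the voxmedia/autotune repository: a Jenkins Job DSL seed script that creates a multibranch pipeline for a public repository and restricts whose fork may supply the Jenkinsfile. It assumes the Job DSL plugin and the trait-based (2.x) github-branch-source plugin; the job name `autotune-ci`, the branch-source id `autotune-github` and the credentials id `github-scan-token` are hypothetical, and the exact set of accepted attributes varies by plugin version (check your instance's Job DSL API viewer).

```groovy
// Added example (not from the PR or the voxmedia/autotune repo): a Job DSL seed
// script that builds PRs from a public GitHub repository without letting an
// untrusted fork's Jenkinsfile run on the Jenkins controller/agents.
//
// Assumptions: Jenkins with the Job DSL plugin and github-branch-source 2.x
// (trait-based configuration). Job name, branch-source id and credentials id
// below are hypothetical placeholders.

multibranchPipelineJob('autotune-ci') {
    displayName('autotune (GitHub multibranch)')

    branchSources {
        branchSource {
            source {
                github {
                    id('autotune-github')          // stable id so re-running the seed keeps build history
                    repoOwner('voxmedia')
                    repository('autotune')
                    credentialsId('github-scan-token')  // token used only for API scanning / status checks

                    traits {
                        // Discover branches; strategy 1 skips branches that are also filed as PRs.
                        gitHubBranchDiscovery {
                            strategyId(1)
                        }
                        // PRs from branches in the origin repository: only people with push
                        // access can create these, so their Jenkinsfile is trusted by construction.
                        gitHubPullRequestDiscovery {
                            strategyId(1)          // build the PR head merged with its target branch
                        }
                        // PRs from forks are the case raised in this thread: anybody can open one.
                        gitHubForkDiscovery {
                            strategyId(1)
                            // Trust policy chooses whose fork may supply the Jenkinsfile:
                            //   gitHubTrustEveryone()     - weak: any GitHub user's Jenkinsfile runs here
                            //   gitHubTrustContributors() - anyone who has had a commit merged before
                            //   gitHubTrustPermissions()  - only users with write/admin on the repo
                            //   gitHubTrustNobody()       - no fork Jenkinsfile is ever trusted
                            // For an untrusted fork the PR's code is still checked out and built,
                            // but the Jenkinsfile is taken from the PR's target branch revision,
                            // so a fork cannot rewrite the pipeline definition itself.
                            trust {
                                gitHubTrustPermissions()
                            }
                        }
                    }
                }
            }
        }
    }

    // The pipeline definition is the Jenkinsfile at the repository root.
    factory {
        workflowBranchProjectFactory {
            scriptPath('Jenkinsfile')
        }
    }

    // Drop jobs for branches/PRs that disappear from GitHub, keeping a little history.
    orphanedItemStrategy {
        discardOldItems {
            numToKeep(20)
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the trust policy protects the pipeline definition, not the build agent: an untrusted PR's code is still executed by whatever the trusted Jenkinsfile runs against it (for example a script like `bin/test_docker_build.sh` is taken from the PR head), so the agent that builds public PRs should hold no credentials beyond what that build needs and should be treated as disposable. Second, `gitHubTrustContributors()` is weaker than it looks on a public repository, because anyone who has ever had a commit merged, including a one-line typo fix, counts as a contributor.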
