Restrict access to JDT JIPP to reduce attack surface for bot crawlers

Summary

In the past months, there have been several events where bot crawlers severely impacted the stability of the JDT JIPP and, along with it, some other services.

  • October 29, 2025 - October 30, 2025
  • January 02, 2026 - January 20, 2026
  • April 19, 2026 - April 21, 2026

During these times, the JDT JIPP experienced a high CPU load and the average uptime dropped from days and weeks to only a few hours.

We've blocked at least one bot agent; see https://gitlab.eclipse.org/eclipsefdn/it/internal/infra/configuration-management/puppet-modules/-/merge_requests/359.

To avoid further cat-and-mouse games, we have restricted access to the JDT JIPP. For now, anonymous users won't be able to browse the JDT JIPP anymore. In order to browse it, users will need at least an Eclipse account.

While we would like to keep our CI instance public as much as we can, malicious actors force our hand to restrict access.

The JDT JIPP is the guinea pig for this. We will monitor access patterns for all Jenkins instances and consider rolling this out to all JIPPs.

We will also investigate other options to reduce the attack surface.

FYI: @jjohnston @aloskutov @jarthanaree @ngupta @mpalat @sasinha

Please let us know if you have any questions or concerns.