#404 Zuul runs tasks from workstation-ostree-config on PRs for fedora-comps
Opened a year ago by adamwill. Modified a year ago

We recently onboarded https://pagure.io/fedora-comps to Zuul-based CI, but for some bizarre reason, when testing a PR for fedora-comps - e.g. https://pagure.io/fedora-comps/pull-request/834 - Zuul is running the tasks from a completely different repository, https://pagure.io/workstation-ostree-config . If you look at the full logs of the Zuul job, you see:

2023-04-22 17:05:49.135151 | RUN START: [untrusted : pagure.io/workstation-ostree-config/ci/validate.yaml@main]

and then later:

2023-04-22 17:05:49.775376 | TASK [Install dependencies]
...
2023-04-22 17:06:37.315356 | TASK [Validate manifests and scripts syntax]

Those are the names of tasks from https://pagure.io/workstation-ostree-config/blob/main/f/ci/validate.yaml , not from https://pagure.io/fedora-comps/blob/main/f/ci/validate.yaml .

I've no idea why this is happening, except possibly it's some kind of bug triggered by the two repos happening to have exactly the same filenames for the CI-related stuff?


I think it does indeed follow the logic of loading all job configurations from projects in https://pagure.io/fedora-project-config/blob/master/f/resources/fedora-sources.yaml into the shared space, so the latest loaded job got applied.

https://fedora.softwarefactory-project.io/zuul/job/validate

Some explanation is available in
https://zuul-ci.org/docs/zuul/latest/tenants.html#attr-tenant.untrusted-projects.%3Cproject%3E.shadow

But this logic does not fit the setup when projects are managed completely independently and may define overlapping jobs.

@fabien2 this seems to be a security risk, as someone may override someone else's job from their repository.

Is there a parameter we are missing?

My expectation would be that local .zuul.yaml configuration should be applied only from the repository whose code is being tested.

Yes, Zuul job definitions discovered during the crawling of repos/branches from a given Zuul tenant are part of the tenant's jobs (https://softwarefactory-project.io/zuul/t/fedora/jobs). A job defined in repo A can be used by repo B. In a shared space like the Fedora Zuul tenant this needs to be advertised. Either consumers of the CI need to ensure uniqueness of job (and other Zuul config item) names, or we decide that all or some configuration items are only allowed to be defined in specific repositories (see include/exclude https://zuul-ci.org/docs/zuul/latest/tenants.html#attr-tenant.untrusted-projects.%3Cproject%3E.include).
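To make the second option concrete, here is an added illustration (not taken from the ticket, from fedora-project-config, or from the Zuul documentation) of what a Zuul tenant definition looks like before and after restricting which repositories may define jobs. The tenant name `fedora` and the source `pagure.io` come from the URLs in this thread; the use of fedora-project-config as the tenant's config-project, the placement of the two untrusted projects, and the exact list of included item types are assumptions made for the example.

```yaml
# ADDED EXAMPLE, not a copy of the real Fedora tenant config.
#
# Weak setting (assumed to resemble the situation in this ticket): every
# untrusted project may define any configuration item type. Because job
# names live in one tenant-wide namespace, fedora-comps and
# workstation-ostree-config both defining a job called "validate" collide,
# and a PR to one repo can end up running the other repo's playbook.
- tenant:
    name: fedora
    source:
      pagure.io:
        config-projects:
          - fedora-project-config        # assumption: trusted config repo
        untrusted-projects:
          - fedora-comps                 # no include/exclude => may define jobs
          - workstation-ostree-config    # same, so "validate" is defined twice

# Hardened setting: untrusted repositories may only attach their project to
# pipelines ("project" items). Job definitions, nodesets, secrets and so on
# are only accepted from the trusted config-project, so no repository can
# redefine a job that another repository relies on. Jobs that a repo needs
# are then defined centrally (for example "fedora-comps-validate" and
# "workstation-ostree-config-validate", names assumed here) and referenced
# from each repo's own .zuul.yaml.
- tenant:
    name: fedora
    source:
      pagure.io:
        config-projects:
          - fedora-project-config
        untrusted-projects:
          - fedora-comps:
              include:
                - project
          - workstation-ostree-config:
              include:
                - project
```

The `include` list (and its counterpart `exclude`) is the per-project knob linked in the comment above; `project` is the item type a repository needs in order to say which jobs run in which pipeline, while `job` is the type that lets it define or redefine job bodies. A middle ground is to leave `job` included for repositories whose owners agree to use a repo-specific prefix in job names, which is the first option the comment describes.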
