[all][summary] Curating the openstack org on GitHub
James E. Blair
corvus at inaugust.com
Thu Apr 9 23:53:09 UTC 2020
Thierry Carrez <thierry at openstack.org> writes:
> OK, so to summarize, the now-proposed plan is to:
> 0. Create an openstack-archive organization on GitHub before some
> org-squatter steals it [DONE]
> 1. Build a list of official openstack repositories, not forgetting to
> include SIG, board and UC-owned ones
> 2. Remove openstack namespace-wide mirroring, replace it with
> repo-specific jobs for official repositories
Mohammed was asking about how to make this more efficient using nodeless
jobs; here's an idea:
We should be able to add a nodeless job in one of the trusted repos
(either opendev/base-jobs or openstack/project-config) and users can
supply a secret in the repo. That will reduce the complexity and
improve the efficiency (since the push happens from the executors).
* Create such a job and add it to opendev/base-jobs so it's available to
It should accept a secret that not only has an ssh key but also a
regex to apply to the project to determine if that project is allowed
to use the secret and/or what the target project name should be. This
can be used to mitigate the fact that there are non-openstack projects
in the openstack zuul tenant. The documentation promote jobs have
* Create a job in openstack/project-config which inherits from it and
supplies the secret for the ssh key which grants access to the
openstack org so that no openstack project has to deal with that
This secret would specify "^openstack/.*" as the project regex
mentioned above to restrict it to official openstack projects.
* OpenStack projects would simply add that job to their post pipelines
(either in-repo or in project-config).
* Any non-openstack project can use the job from opendev/base-jobs and
provide their own secret.
I think we should set that up (and confirm it works) before we do any
mass replication job changes.
More information about the openstack-discuss