Open Stack

Thierry Carrez <thierry at openstack.org> writes:

> OK, so to summarize, the now-proposed plan is to:
>
> 0. Create an openstack-archive organization on GitHub before some
> org-squatter steals it [DONE]
>
> 1. Build a list of official openstack repositories, not forgetting to
> include SIG, board and UC-owned ones
>
> 2. Remove openstack namespace-wide mirroring, replace it with
> repo-specific jobs for official repositories

Mohammed was asking about how to make this more efficient using nodeless
jobs; here's an idea:

We should be able to add a nodeless job in one of the trusted repos
(either opendev/base-jobs or openstack/project-config) and users can
supply a secret in the repo.  That will reduce the complexity and
improve the efficiency (since the push happens from the executors).

I propose:

* Create such a job and add it to opendev/base-jobs so it's available to
  every tenant.

  It should accept a secret that not only has an ssh key but also a
  regex to apply to the project to determine if that project is allowed
  to use the secret and/or what the target project name should be.  This
  can be used to mitigate the fact that there are non-openstack projects
  in the openstack zuul tenant.  The documentation promote jobs have
  something similar.

* Create a job in openstack/project-config which inherits from it and
  supplies the secret for the ssh key which grants access to the
  openstack org so that no openstack project has to deal with that
  individually.

  This secret would specify "^openstack/.*" as the project regex
  mentioned above to restrict it to official openstack projects.

* OpenStack projects would simply add that job to their post pipelines
  (either in-repo or in project-config).

* Any non-openstack project can use the job from opendev/base-jobs and
  provide their own secret.

I think we should set that up (and confirm it works) before we do any
mass replication job changes.

-Jim