Thierry Carrez <thierry@openstack.org> writes:
OK, so to summarize, the now-proposed plan is to:
0. Create an openstack-archive organization on GitHub before some org-squatter steals it [DONE]
1. Build a list of official openstack repositories, not forgetting to include SIG, board and UC-owned ones
2. Remove openstack namespace-wide mirroring, replace it with repo-specific jobs for official repositories

Mohammed was asking about how to make this more efficient using nodeless jobs; here's an idea:

We should be able to add a nodeless job in one of the trusted repos (either opendev/base-jobs or openstack/project-config) and users can supply a secret in the repo. That will reduce the complexity and improve the efficiency (since the push happens from the executors).

I propose:

* Create such a job and add it to opendev/base-jobs so it's available to every tenant. It should accept a secret that not only has an ssh key but also a regex to apply to the project to determine if that project is allowed to use the secret and/or what the target project name should be. This can be used to mitigate the fact that there are non-openstack projects in the openstack zuul tenant. The documentation promote jobs have something similar.

* Create a job in openstack/project-config which inherits from it and supplies the secret for the ssh key which grants access to the openstack org so that no openstack project has to deal with that individually. This secret would specify "^openstack/.*" as the project regex mentioned above to restrict it to official openstack projects.

* OpenStack projects would simply add that job to their post pipelines (either in-repo or in project-config).

* Any non-openstack project can use the job from opendev/base-jobs and provide their own secret.

I think we should set that up (and confirm it works) before we do any mass replication job changes.

-Jim
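
A sketch of the project check the message above describes, added here as an illustration; it is not code from the thread, from Zuul, or from opendev/base-jobs. The secret field names (project_regex, target_template), the helper names and the sample project lists are assumptions made for this example.

```python
import re

# Constructed stand-in for the decrypted secret; the field names
# project_regex and target_template are assumptions of this sketch.
OPENSTACK_SECRET = {
    "ssh_key": "<placeholder, not a real key>",
    "project_regex": r"^openstack/.*",  # regex quoted in the message
}

# Constructed secret for a non-openstack project that renames on push.
EXAMPLE_SECRET = {
    "ssh_key": "<placeholder, not a real key>",
    "project_regex": r"^example/(?P<repo>[\w.-]+)",
    "target_template": r"example-mirror/\g<repo>",
}


def resolve_target(project, secret):
    """Return the push target for project, or None if this secret
    must not be used for it."""
    # fullmatch makes the pattern cover the whole project name, so a
    # pattern written without "^" cannot match in the middle of a name.
    m = re.fullmatch(secret["project_regex"], project)
    if m is None:
        return None
    template = secret.get("target_template")
    # Without a template the target keeps the source project name.
    return m.expand(template) if template else project


def plan_mirrors(projects, secret):
    """Split tenant projects into {project: target} and a refused list."""
    allowed, refused = {}, []
    for project in projects:
        target = resolve_target(project, secret)
        if target is None:
            refused.append(project)
        else:
            allowed[project] = target
    return allowed, refused


if __name__ == "__main__":
    # Constructed tenant listing: one official repo, three that are not.
    tenant = ["openstack/nova", "opendev/base-jobs",
              "openstack-archive/nova", "x/openstack/nova"]
    print(plan_mirrors(tenant, OPENSTACK_SECRET))
```

The check belongs in the trusted job rather than in the calling repository, so a project cannot widen the regex attached to a secret it does not own.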