On Fri, Apr 10, 2020 at 8:06 AM Thierry Carrez <thierry@openstack.org> wrote:
> Jeremy Stanley wrote:
>> On 2020-04-09 16:53:09 -0700 (-0700), James E. Blair wrote:
>> [...]
>>> * Create a job in openstack/project-config which inherits from it and
>>> supplies the secret for the ssh key which grants access to the
>>> openstack org so that no openstack project has to deal with that
>>> individually.
>>
>> Something like the openstack-mirror-on-github job added by
>> https://review.opendev.org/718479 but adding...
>>
>>> This secret would specify "^openstack/.*" as the project regex
>>> mentioned above to restrict it to official openstack projects.
>>
>> Also adding nodeless operation and moving it to opendev/base-jobs.
>>
>> Because as you pointed out in IRC, this job can actually be added to
>> any project in-repo right now and since it ignores the namespace part
>> of the repo name but hard-codes the destination to the openstack org,
>> it allows a potential x/nova repo to fight with openstack/nova over
>> replication to the same target and all the possible security
>> implications thereof.
>>
>> Reverted Thierry's PoC for the moment with
>> https://review.opendev.org/718839 but we should repropose following the
>> plan you've outlined.
>>
>>> * OpenStack projects would simply add that job to their post pipelines
>>> (either in-repo or in project-config).
>>> [...]
>>
>> In project-config I guess, because we'll want to also replicate on tag
>> events and implicit branch matching for branched projects will prevent
>> that from working if added in-repo.
>>
>> I think we should set that up (and confirm it works) before we do any
>> mass replication job changes.
>
> I absolutely agree. The idea was to test carefully before adding this
> to any non-test repos anyway.
>
> That all sounds good to me. Regarding implementation, could someone who
> knows what they are doing create that nodeless
> secret-driven-regexped git-mirroring job in opendev/base-jobs? I'll be
> happy to take it from there :)

opendev/base-jobs work is done and landed:
https://review.opendev.org/#/c/719032/

openstack/project-config base job is pending one more +W:
https://review.opendev.org/#/c/719047/

Once that is done, we should be good to go to test it and move towards it :)

> --
> Thierry Carrez (ttx)
--
Mohammed Naser — vexxhost
-----------------------------------------------------
D. 514-316-8872
D. 800-910-1726 ext. 200
E. mnaser@vexxhost.com
W. https://vexxhost.com
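A constructed illustration of the replication collision Jeremy describes above, added here and not code from the thread or from the opendev/openstack mirroring jobs: a job that discards the source namespace and hard-codes the destination org lets x/nova and openstack/nova push to the same GitHub target, and a project regex such as "^openstack/.*" on the secret removes that. The function names, the sample repo list and the way the target is derived are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed regex, matching the "^openstack/.*" restriction discussed in the thread.
OPENSTACK_ONLY = r"^openstack/.*"


def github_target(source_repo: str, org: str = "openstack") -> str:
    """Destination 'org/name' the way the problematic job computed it:
    the source namespace is dropped and the org is hard-coded, so both
    'openstack/nova' and 'x/nova' map to 'openstack/nova'."""
    return f"{org}/{source_repo.split('/', 1)[-1]}"


def plan_mirrors(source_repos, project_regex=None, org="openstack"):
    """Return (targets, collisions).

    targets:    {source_repo: github_target} for repos allowed to replicate
    collisions: {github_target: [source_repo, ...]} where more than one
                allowed source would push to the same destination
    With project_regex=None this reproduces the unsafe behaviour; with
    OPENSTACK_ONLY only official projects are allowed to replicate.
    """
    allowed = re.compile(project_regex) if project_regex else None
    targets = {}
    by_target = defaultdict(list)
    for repo in source_repos:
        if allowed and not allowed.match(repo):
            continue  # not an official project: the job must refuse to mirror it
        target = github_target(repo, org)
        targets[repo] = target
        by_target[target].append(repo)
    collisions = {t: srcs for t, srcs in by_target.items() if len(srcs) > 1}
    return targets, collisions


if __name__ == "__main__":
    repos = ["openstack/nova", "x/nova", "openstack/keystone"]  # constructed sample
    print(plan_mirrors(repos))                  # x/nova collides with openstack/nova
    print(plan_mirrors(repos, OPENSTACK_ONLY))  # only official repos, no collisions
```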