[all][summary] Curating the openstack org on GitHub
fungi at yuggoth.org
Fri Apr 10 00:16:08 UTC 2020
On 2020-04-09 16:53:09 -0700 (-0700), James E. Blair wrote:
> Thierry Carrez <thierry at openstack.org> writes:
> * Create a job in openstack/project-config which inherits from it and
> supplies the secret for the ssh key which grants access to the
> openstack org so that no openstack project has to deal with that
Something like the openstack-mirror-on-github job added by
https://review.opendev.org/718479 but adding...
> This secret would specify "^openstack/.*" as the project regex
> mentioned above to restrict it to official openstack projects.
Because as you pointed out in IRC, this job can actually be added to
any project in-repo right now and since it ignored the namespace
part of the repo name but hard-codes the destination to the
openstack org, it allows a potential x/nova repo to fight with
openstack/nova over replication to the same target and all the
possible security implications thereof.
Reverted Thierry's PoC for the moment with
https://review.opendev.org/718839 but we should repropose following
the plan you've outlined.
> * OpenStack projects would simply add that job to their post pipelines
> (either in-repo or in project-config).
In project-config I guess, because we'll want to also replicate on
tag events and implicit branch matching for branched projects will
prevent that from working if added in-repo.
> I think we should set that up (and confirm it works) before we do any
> mass replication job changes.
I absolutely agree. The idea was to test carefully before adding
this to any non-test repos anyway.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 963 bytes
Desc: not available
More information about the openstack-discuss