[all][summary] Curating the openstack org on GitHub
Jeremy Stanley
fungi at yuggoth.org
Fri Apr 10 00:16:08 UTC 2020
On 2020-04-09 16:53:09 -0700 (-0700), James E. Blair wrote:
> Thierry Carrez <thierry at openstack.org> writes:
[...]
> * Create a job in openstack/project-config which inherits from it and
> supplies the secret for the ssh key which grants access to the
> openstack org so that no openstack project has to deal with that
> individually.
Something like the openstack-mirror-on-github job added by
https://review.opendev.org/718479 but adding...
> This secret would specify "^openstack/.*" as the project regex
> mentioned above to restrict it to official openstack projects.
Because as you pointed out in IRC, this job can actually be added to
any project in-repo right now and since it ignores the namespace
part of the repo name but hard-codes the destination to the
openstack org, it allows a potential x/nova repo to fight with
openstack/nova over replication to the same target and all the
possible security implications thereof.
Reverted Thierry's PoC for the moment with
https://review.opendev.org/718839 but we should repropose following
the plan you've outlined.
> * OpenStack projects would simply add that job to their post pipelines
> (either in-repo or in project-config).
[...]
In project-config I guess, because we'll want to also replicate on
tag events and implicit branch matching for branched projects will
prevent that from working if added in-repo.
> I think we should set that up (and confirm it works) before we do any
> mass replication job changes.
I absolutely agree. The idea was to test carefully before adding
this to any non-test repos anyway.
--
Jeremy Stanley
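Added illustration, not code from this thread or from openstack/project-config: the namespace-dropping mapping Jeremy describes (x/nova and openstack/nova both land on the same GitHub target) beside the "^openstack/.*" restriction from the proposed plan. The project names, the `GITHUB_ORG` constant and the collision checker are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of Zuul project names (namespace/name) for the example.
SAMPLE_PROJECTS = ["openstack/nova", "x/nova", "openstack/project-config", "opendev/zuul"]

# Hard-coded destination org, as in the reverted proof of concept.
GITHUB_ORG = "openstack"

def naive_target(project):
    """Reverted PoC behaviour: drop the namespace and hard-code the org.

    Returns None for names without a namespace so malformed input is skipped.
    """
    namespace, _, name = project.partition("/")
    if not name:
        return None
    return f"github.com/{GITHUB_ORG}/{name}"

def restricted_target(project, allowed=re.compile(r"^openstack/.*")):
    """Plan from the thread: only projects matching the regex may replicate.

    Anything outside the official openstack namespace gets no target at all,
    so an x/nova repo can no longer claim openstack/nova's mirror.
    """
    if not allowed.match(project):
        return None
    return naive_target(project)

def find_collisions(projects, target_fn):
    """Map every source project to its target and report targets claimed
    by more than one source; a non-empty result is the replication fight
    described in the thread."""
    by_target = defaultdict(list)
    for project in projects:
        target = target_fn(project)
        if target is not None:
            by_target[target].append(project)
    return {t: sources for t, sources in by_target.items() if len(sources) > 1}

if __name__ == "__main__":
    print("naive:", find_collisions(SAMPLE_PROJECTS, naive_target))
    print("restricted:", find_collisions(SAMPLE_PROJECTS, restricted_target))
```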