[all][summary] Curating the openstack org on GitHub
thierry at openstack.org
Fri Apr 10 12:02:29 UTC 2020
Jeremy Stanley wrote:
> On 2020-04-09 16:53:09 -0700 (-0700), James E. Blair wrote:
>> * Create a job in openstack/project-config which inherits from it and
>> supplies the secret for the ssh key which grants access to the
>> openstack org so that no openstack project has to deal with that
> Something like the openstack-mirror-on-github job added by
> https://review.opendev.org/718479 but adding...
>> This secret would specify "^openstack/.*" as the project regex
>> mentioned above to restrict it to official openstack projects.
Also adding nodeless operation and moving it to opendev/base-jobs.
> Because as you pointed out in IRC, this job can actually be added to
> any project in-repo right now and since it ignored the namespace
> part of the repo name but hard-codes the destination to the
> openstack org, it allows a potential x/nova repo to fight with
> openstack/nova over replication to the same target and all the
> possible security implications thereof.
> Reverted Thierry's PoC for the moment with
> https://review.opendev.org/718839 but we should repropose following
> the plan you've outlined.
>> * OpenStack projects would simply add that job to their post pipelines
>> (either in-repo or in project-config).
> In project-config I guess, because we'll want to also replicate on
> tag events and implicit branch matching for branched projects will
> prevent that from working if added in-repo.
>> I think we should set that up (and confirm it works) before we do any
>> mass replication job changes.
> I absolutely agree. The idea was to test carefully before adding
> this to any non-test repos anyway.
That all sounds good to me. Regarding implementation, could someone who
knows what they are doing create that nodeless secret-driven-regexped
git-mirroring job in opendev/base-jobs? I'll be happy to take it from
Thierry Carrez (ttx)
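
Added example (not part of the original message, and not Zuul or OpenStack code): a Python model of the namespace problem discussed in the thread, where a mirror job that drops the namespace and hard-codes the destination org lets two source repos map to the same target, and of the proposed "^openstack/.*" project regex as the guard. The function names and the sample project list are assumptions made for illustration; "openstack-attic/nova" is a constructed name.

```python
import re
from collections import defaultdict

DEST_ORG = "openstack"              # destination org, hard-coded as in the thread
ALLOWED_REGEX = r"^openstack/.*"    # project regex quoted in the thread


def naive_target(project):
    """Model of the reverted behaviour: ignore the namespace, keep the short name."""
    short_name = project.rsplit("/", 1)[-1]
    return f"{DEST_ORG}/{short_name}"


def guarded_target(project, allowed_regex=ALLOWED_REGEX):
    """Check the full project name against the regex before computing a target."""
    if not re.match(allowed_regex, project):
        raise PermissionError(f"{project} is not allowed to use the mirror secret")
    return naive_target(project)


def collisions(projects, target_fn):
    """Return {target: [sources]} for every target claimed by more than one source."""
    by_target = defaultdict(list)
    for project in projects:
        try:
            by_target[target_fn(project)].append(project)
        except PermissionError:
            continue  # rejected projects never reach the replication step
    return {t: srcs for t, srcs in by_target.items() if len(srcs) > 1}


# Constructed sample input: one official repo plus same-named repos elsewhere.
SAMPLE_PROJECTS = [
    "openstack/nova",
    "x/nova",
    "openstack-attic/nova",   # shares the "openstack" prefix but not the namespace
    "openstack/project-config",
]

if __name__ == "__main__":
    print("without regex:", collisions(SAMPLE_PROJECTS, naive_target))
    print("with regex:   ", collisions(SAMPLE_PROJECTS, guarded_target))
```

The trailing slash in the regex matters: without it, a namespace that merely starts with "openstack" would also pass the check.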