[all][summary] Curating the openstack org on GitHub

Mohammed Naser mnaser at vexxhost.com
Fri Apr 10 18:38:50 UTC 2020


On Fri, Apr 10, 2020 at 8:06 AM Thierry Carrez <thierry at openstack.org> wrote:
>
> Jeremy Stanley wrote:
> > On 2020-04-09 16:53:09 -0700 (-0700), James E. Blair wrote:
> > [...]
> >> * Create a job in openstack/project-config which inherits from it and
> >>    supplies the secret for the ssh key which grants access to the
> >>    openstack org so that no openstack project has to deal with that
> >>    individually.
> >
> > Something like the openstack-mirror-on-github job added by
> > https://review.opendev.org/718479 but adding...
> >
> >>    This secret would specify "^openstack/.*" as the project regex
> >>    mentioned above to restrict it to official openstack projects.
>
> Also adding nodeless operation and moving it to opendev/base-jobs.
>
> > Because as you pointed out in IRC, this job can actually be added to
> > any project in-repo right now and since it ignored the namespace
> > part of the repo name but hard-codes the destination to the
> > openstack org, it allows a potential x/nova repo to fight with
> > openstack/nova over replication to the same target and all the
> > possible security implications thereof.
> >
> > Reverted Thierry's PoC for the moment with
> > https://review.opendev.org/718839 but we should repropose following
> > the plan you've outlined.
> >
> >> * OpenStack projects would simply add that job to their post pipelines
> >>    (either in-repo or in project-config).
> > [...]
> >
> > In project-config I guess, because we'll want to also replicate on
> > tag events and implicit branch matching for branched projects will
> > prevent that from working if added in-repo.
> >
> >> I think we should set that up (and confirm it works) before we do any
> >> mass replication job changes.
> >
> > I absolutely agree. The idea was to test carefully before adding
> > this to any non-test repos anyway.
>
> That all sounds good to me. Regarding implementation, could someone who
> knows what they are doing create that nodeless secret-driven-regexped
> git-mirroring job in opendev/base-jobs? I'll be happy to take it from
> there :)

opendev/base-jobs work is done and landed:
https://review.opendev.org/#/c/719032/
openstack/project-config base job is pending one more +W:
https://review.opendev.org/#/c/719047/

Once that is done, we should be good to go to test it and move towards it :)

> --
> Thierry Carrez (ttx)
>


-- 
Mohammed Naser — vexxhost
-----------------------------------------------------
D. 514-316-8872
D. 800-910-1726 ext. 200
E. mnaser at vexxhost.com
W. https://vexxhost.com
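The collision Jeremy describes (a hypothetical x/nova fighting openstack/nova for the same GitHub target because the job drops the namespace but hard-codes the destination org) and the fix James proposes (a "^openstack/.*" project regex attached to the secret) modelled in Python. This is an added illustration, not code from the thread or from the opendev/base-jobs or zuul-jobs mirroring job; the function names and the sample project list are assumptions.

```python
import re
from collections import defaultdict

# Regex quoted in the thread: only official openstack projects may use the secret.
OPENSTACK_PROJECT_RE = re.compile(r"^openstack/.*")
GITHUB_ORG = "openstack"  # destination org the mirroring job hard-codes


def naive_mirror_target(project: str) -> str:
    """Flawed mapping from the thread: strip the namespace, hard-code the org.

    Any project named '<anything>/nova' ends up at 'openstack/nova'.
    """
    repo = project.split("/", 1)[-1]
    return f"{GITHUB_ORG}/{repo}"


def find_collisions(projects: list[str]) -> dict[str, list[str]]:
    """Group projects by naive target; return targets claimed by more than one source."""
    by_target: dict[str, list[str]] = defaultdict(list)
    for project in projects:
        by_target[naive_mirror_target(project)].append(project)
    return {t: sorted(p) for t, p in by_target.items() if len(p) > 1}


def guarded_mirror_target(project: str, project_re=OPENSTACK_PROJECT_RE) -> str:
    """Mapping with the secret's project regex enforced before the org is derived.

    The regex is anchored and requires the literal 'openstack/' prefix, so
    'x/nova', 'openstackx/nova' and 'openstack-foo/nova' are all rejected.
    """
    if not project_re.match(project):
        raise PermissionError(f"{project!r} may not use the {GITHUB_ORG} mirroring secret")
    return naive_mirror_target(project)


if __name__ == "__main__":
    # Constructed sample: two official repos plus the hypothetical x/nova.
    sample = ["openstack/nova", "openstack/cinder", "x/nova"]
    print("collisions without the regex:", find_collisions(sample))
    for project in sample:
        try:
            print(project, "->", guarded_mirror_target(project))
        except PermissionError as exc:
            print("rejected:", exc)
```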