action #168541
open
Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise
Start date: 2024-10-18
Due date:
% Done: 0%
Estimated time:
Description
Motivation
I learned another idea (from discussion with egotthold, jdsn, eroca) how to deploy products in a trusted way from git but as quickly as possible: Listen to GitHub events as documented on https://docs.github.com/de/rest/activity/events?apiVersion=2022-11-28, x-poll long running rest request, sync automatically if SUSE employee merged on GitHub, maybe with approved signing key, then sync automatically to internal repo, otherwise ask for approval
Acceptance criteria
- AC1: We know how "last signed commit signed by trusted SUSE developers" would help us regarding CC-compliant deployments
- AC2: We know how to use such an approach for our products
Suggestion
- Research how https://github.com/openSUSE/github-pr is solving that and use it or learn from it for our own approach
- Come up with proof-of-concept for "Listen to GitHub events as documented on https://docs.github.com/de/rest/activity/events?apiVersion=2022-11-28, x-poll long running rest request, sync automatically if SUSE employee merged on GitHub, maybe with approved signing key, then sync automatically to internal repo, otherwise ask for approval", maybe for https://github.com/openSUSE/qem-bot/, see https://gitlab.suse.de/qa-maintenance/bot-ng/ and #168427
Updated by okurz 6 months ago
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise to Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:M
- Status changed from New to Workable
Updated by szarate 6 months ago
See also https://github.com/SUSE/pistis which will likely be implemented with codeowners for the test distribution
Updated by okurz about 2 months ago
- Status changed from Workable to Blocked
- Assignee set to okurz
#168469
Updated by okurz 20 days ago
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:M to Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise
- Status changed from Blocked to New
- Assignee deleted (okurz)
Updated by gpathak 14 days ago · Edited
Discussed in daily, need more clarification about the following points:
- Seems like this ticket is talking about the deploy step in the gitlab-CI pipeline
- the deployment should happen automatically in case the latest commit is signed (which is happening right now)
- the deployment stage or gitlab CI should send an email or a notification in a Slack channel to ask for manual approval if the commit is not signed and cannot be verified
- maybe the person should review the changes (up to how many commits/changes?) once again before hitting deploy
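The gate discussed in this ticket (deploy automatically when the latest commit carries a signature from a trusted developer, otherwise ask for approval), as an added example that is not part of the ticket or of any SUSE tooling. It assumes OpenPGP-signed commits and classifies the GnuPG status lines that `git verify-commit --raw` writes to stderr; the allowlist, fingerprints and status text are constructed, and `deployment_decision` is a hypothetical name.

```python
import re

# Constructed allowlist of primary-key fingerprints allowed to trigger an
# unattended deployment (placeholder values, not real keys).
TRUSTED = {"A" * 40}
# Keywords that disqualify a signature regardless of any VALIDSIG line.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
FPR = re.compile(r"[0-9A-F]{40}|[0-9A-F]{64}")

def deployment_decision(gpg_status, trusted=TRUSTED):
    """Map the stderr of `git verify-commit --raw <commit>` to a decision.

    Returns ("deploy", fingerprint) or ("ask-approval", reason).
    """
    keywords, primary = set(), None
    for line in gpg_status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keywords.add(fields[1])
        if fields[1] == "VALIDSIG":
            # The last field is the primary key; the first may be a subkey.
            candidate = fields[-1].upper()
            primary = candidate if FPR.fullmatch(candidate) else None
    if not keywords:
        return ("ask-approval", "commit is not signed")
    bad = sorted(keywords & REJECT)
    if bad:
        return ("ask-approval", "signature rejected: " + ",".join(bad))
    if "GOODSIG" not in keywords or primary is None:
        return ("ask-approval", "no verifiable signature")
    if primary not in trusted:
        return ("ask-approval", "signer not on allowlist")
    return ("deploy", primary)

# Constructed sample: subkey signature made by the allowlisted primary key.
SUB, PRIMARY = "B" * 40, "A" * 40
GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SUB[-16:]} Constructed Maintainer <dev@example.com>\n"
    f"[GNUPG:] VALIDSIG {SUB} 2024-10-18 1729238400 0 4 0 22 8 00 {PRIMARY}\n"
)
# Same signature once the key is revoked: gpg reports REVKEYSIG, not GOODSIG.
REVOKED = GOOD.replace("GOODSIG", "REVKEYSIG")

if __name__ == "__main__":
    for name, status in [("good", GOOD), ("revoked", REVOKED), ("unsigned", "")]:
        print(name, deployment_decision(status))
```

Every path other than an explicit match on the allowlist falls through to "ask-approval", so a parsing surprise delays a deployment instead of approving it.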