action #168541
open[spike][timeboxed:4h] Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:S
Start date: 2024-10-18
Due date:
% Done: 0%
Estimated time:
Description
Motivation
We already automatically deploy e.g. qem-bot based on the last signed+trusted commit. We should extend that process to cover cases where there are not (yet) trusted commits, e.g. by external contributors or dependabot. How to make sure we deploy such states of git repositories when we actually want to trust such commits?
Goals
- G1: We have an approach extending what we use in https://gitlab.suse.de/qe/git-sha-verify/ but for optional, manually approved later commits
- G2: We know how to use such an approach for our products
Suggestion
- Extend https://gitlab.suse.de/qe/git-sha-verify/ to have a "manual" CI pipeline step to update a git repo to a later state explicitly based on manual review but we would need to remember the state. Maybe the best would actually be just empty signed commits in the original repository … or package submissions.
Updated by okurz 7 months ago
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise to Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:M
- Status changed from New to Workable
Updated by szarate 7 months ago
See also https://github.com/SUSE/pistis which will likely be implemented with codeowners for the test distribution
Updated by okurz about 2 months ago
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:M to Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise
- Status changed from Blocked to New
- Assignee deleted (okurz)
Updated by gpathak about 2 months ago · Edited
Discussed in daily, need more clarification about the following points:
- Seems like this ticket is talking about the deploy step in gitlab-CI pipeline
- the deployment should happen automatically in case the latest commit is signed (which is happening right now)
- the deployment stage or gitlab CI should send an email or a notification in a Slack channel to ask for manual approval if the commit is not signed and cannot be verified
- maybe the person should review the changes (up to how many commits/changes?) once again before hitting deploy
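Added example, not part of the ticket and not code from git-sha-verify: one way to turn the rule from the description and the comment above ("deploy the last signed+trusted commit automatically, ask for approval otherwise") into a decision a CI job can act on. The function names, the fingerprint allowlist and the sample history are assumptions constructed for illustration; `%G?` and `%GF` are git's own log placeholders for signature status and signing-key fingerprint.

```python
import subprocess

# Constructed placeholder fingerprint; a real allowlist would hold the GPG
# key fingerprints of the committers whose signature is enough to deploy.
TRUSTED = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}
EXTERNAL = "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"  # constructed, not trusted

def read_log(repo, limit=50):
    """Newest-first '<sha> <status> <fingerprint>' lines from a checkout."""
    cmd = ["git", "-C", repo, "log", "--first-parent", f"-{limit}",
           "--format=%H %G? %GF"]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return done.stdout.splitlines()

def plan_deploy(log_lines, trusted=TRUSTED):
    """Return (auto_sha, pending).

    auto_sha: newest commit with a good signature from a trusted key, safe
              to deploy without asking (None if there is no such commit).
    pending:  newer commits, newest first, that need manual approval.
    """
    pending = []
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        sha = fields[0]
        status = fields[1] if len(fields) > 1 else "N"
        fingerprint = fields[2] if len(fields) > 2 else ""
        # Only "G" passes. "U" (unknown validity), "X"/"Y" (expired),
        # "R" (revoked), "B" (bad), "E" (cannot check) and "N" (unsigned)
        # all fall through to manual approval.
        if status == "G" and fingerprint in trusted:
            return sha, pending
        pending.append(sha)
    return None, pending

# Constructed sample history, newest first.
SAMPLE_LOG = [
    "c3c3c3c N",                 # unsigned, e.g. a dependabot bump
    f"b2b2b2b G {EXTERNAL}",     # signed, but by a key outside the allowlist
    "a1a1a1a G AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111",
]

if __name__ == "__main__":
    auto_sha, pending = plan_deploy(SAMPLE_LOG)
    print("deploy automatically:", auto_sha)
    print("ask for approval:", pending)
```

The `pending` list is what a reviewer would have to look at before approving. An empty signed commit pushed on top by a trusted key, as the Suggestion proposes, makes that commit the new `auto_sha` and empties the list.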
Updated by okurz about 1 month ago
- Target version changed from Tools - Next to Ready
Updated by okurz 3 days ago
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise to [spike][timeboxed:4h] Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:S
- Description updated (diff)
- Status changed from New to Workable