action #168541
open
[spike][timeboxed:4h] Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:S
Added by okurz 7 months ago.
Updated 4 days ago.
Description
Motivation
We already automatically deploy e.g. qem-bot based on the last signed+trusted commit. We should extend that process to cover cases where there are not (yet) trusted commits, e.g. by external contributors or dependabot. How to make sure we deploy such states of git repositories when we actually want to trust such commits?
Goals
Suggestion
- Extend https://gitlab.suse.de/qe/git-sha-verify/ to have a "manual" CI pipeline step to update a git repo to a later state explicitly based on manual review but we would need to remember the state. Maybe the best would actually be just empty signed commits in the original repository … or package submissions.
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise to Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:M
- Status changed from New to Workable
- Target version changed from Tools - Next to Ready
- Target version changed from Ready to Tools - Next
- Status changed from Workable to Blocked
- Assignee set to okurz
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:M to Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise
- Status changed from Blocked to New
- Assignee deleted (okurz)
Discussed in daily, need more clarification about the following points:
- Seems like this ticket is talking about the deploy step in the gitlab-CI pipeline
- the deployment should happen automatically in case the latest commit is signed (which is happening right now)
- the deployment stage or gitlab CI should send an email or notification in a Slack channel to ask for manual approval if the commit is not signed and cannot be verified
- maybe the person should review the changes (up to how many commits/changes?) once again before hitting deploy
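The gate discussed in the points above, as an added example that is not part of the ticket and not code from git-sha-verify: it reads `git log` signature data, deploys automatically only when the newest commit has a good signature from an allowlisted key, and otherwise reports the last trusted commit and how many commits on top of it await review. The function names, the fingerprint allowlist and the `auto`/`manual` output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from git-sha-verify. All names are hypothetical.
# deploy_decision reads one line per commit on stdin, newest first, in the
# format produced by:  git log --format='%H %G? %GP'
#   %G?  git's signature status (G = good, U = good but unknown validity,
#        B = bad, N = no signature, ...)
#   %GP  primary key fingerprint of the signer (empty when unsigned)
# $1 is a space-separated allowlist of trusted fingerprints (assumption).

is_trusted() {
    for t in $2; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

deploy_decision() {
    trusted_fprs=$1
    pending=0   # commits seen so far that are not signed by a trusted key
    while read -r sha status fpr; do
        [ -n "$sha" ] || continue
        # Only status G counts. A key imported without ownertrust shows
        # up as U and is therefore routed to manual approval.
        if [ "$status" = G ] && is_trusted "$fpr" "$trusted_fprs"; then
            if [ "$pending" -eq 0 ]; then
                echo "auto $sha"              # newest commit is trusted
            else
                echo "manual $sha $pending"   # last trusted sha, commits to review
            fi
            return 0
        fi
        pending=$((pending + 1))
    done
    echo "manual none $pending"               # no trusted commit in the range
}

# Wrapper for a CI job: $1 = repository path, $2 = allowlist, $3 = revision.
check_repo() {
    git -C "$1" log --format='%H %G? %GP' "${3:-HEAD}" | deploy_decision "$2"
}
```

A CI job could run the deploy step directly on `auto` and send the notification on `manual`, including the reported commit count so the reviewer knows the size of the unreviewed range.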
- Target version changed from Tools - Next to Ready
- Target version changed from Ready to Tools - Next
- Priority changed from Normal to High
- Target version changed from Tools - Next to Ready
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise to [spike][timeboxed:4h] Ensure deployments of CC-critical tooling are under full SUSE control - Automatically deploy products with last approve/commit by SUSE employees, ask for approval otherwise size:S
- Description updated (diff)
- Status changed from New to Workable