action #179515
open
Properly tested and testable application to checkout last signed commit signed by trusted developers
0%
Description
Motivation
With #168469 we have found an acceptable way to checkout the last verified+trusted git commit, but we already found problems that are hard to debug with #179503. Also, because we want to reuse the code in other cases like #168427, instead of continuing with "bash code snippets in gitlab CI" we should, looking forward, properly develop software. With that I mean a proper open source project with a test-driven developed python application and corresponding tests, packaged in OBS, synced to IBS, and a fully SUSE controlled container built within a trusted environment, only accepting changes after manual verification. Wait, are we running in circles now?
Acceptance criteria
- AC1: A public free software project with 100% test coverage exists that enables checking out the last signed commit signed by trusted developers
Suggestions
- Does https://github.com/tochev/git-trustcheck help?
- Put https://gitlab.suse.de/qa-maintenance/bot-ng/-/blob/ce973ed64af317b758d83364a5b81f7c83b820c7/.gitlab-ci.yml#L40 into a separate public free software project, write tests, e.g. in pytest, and then refactor the bash code into python. Ensure 100% statement coverage and add all necessary boilerplate, provide packaging instructions, add to OBS with automatic update services, submit to devel:languages:python, submit to openSUSE:Factory and use in a Tumbleweed based image (or take the long route: let it be synced to IBS, submit it there to another trusted project with human review of SRs, accept, build containers based on that, etc.)
Updated by okurz 5 days ago
- Project changed from 46 to QA (public)
- Subject changed from Ensure deployments of CC-critical tooling are under full SUSE control - Only use "last signed commit signed by trusted SUSE developers" size:S to Properly tested and testable application to checkout last signed commit signed by trusted SUSE developers
- Category deleted (Infrastructure)
Updated by okurz 4 days ago
I now simplified the code in https://gitlab.suse.de/qa-maintenance/bot-ng/-/blob/master/.gitlab-ci.yml so that currently we have the equivalent of
git log --committer="suse" origin/master --pretty="%cl" | sort | uniq | while read -r name; do
uid=$(curl -s --fail-with-body --request GET --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" "https://gitlab.suse.de/api/v4/users?username=$name" | jq -r '.[].id?') &&
curl -s --fail-with-body --request GET --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" "https://gitlab.suse.de/api/v4/users/$uid/gpg_keys" | jq -r '.[].key?' >> /tmp/$name.pub &&
gpg --show-keys /tmp/$name.pub ||:;
gpg -q --import /tmp/$name.pub ||:;
done
git checkout $(git log origin/master --pretty="%G? %h" | grep -m 1 -oP '(?<=U ).*')
I think we can also wait a bit for experiences from other projects on how more generic code could look
Updated by gpathak 4 days ago
okurz wrote in #note-4:
I now simplified the code in https://gitlab.suse.de/qa-maintenance/bot-ng/-/blob/master/.gitlab-ci.yml so that currently we have the equivalent of
git log --committer="suse" origin/master --pretty="%cl" | sort | uniq | while read -r name; do
uid=$(curl -s --fail-with-body --request GET --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" "https://gitlab.suse.de/api/v4/users?username=$name" | jq -r '.[].id?') &&
curl -s --fail-with-body --request GET --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" "https://gitlab.suse.de/api/v4/users/$uid/gpg_keys" | jq -r '.[].key?' >> /tmp/$name.pub &&
gpg --show-keys /tmp/$name.pub ||:;
gpg -q --import /tmp/$name.pub ||:;
done
git checkout $(git log origin/master --pretty="%G? %h" | grep -m 1 -oP '(?<=U ).*')
I think we can also wait a bit for experiences from other projects on how more generic code could look
Just one minor comment: I think if gpg --show-keys /tmp/$name.pub fails (exit code non-zero) then we should not call gpg -q --import /tmp/$name.pub
Updated by okurz 4 days ago
Just one minor comment: I think if gpg --show-keys /tmp/$name.pub fails (exit code non-zero) then we should not call gpg -q --import /tmp/$name.pub
Yeah, that was exactly the part that was troublesome yesterday: it happened that the last SUSE user identified in the git commits does not have a key on GitLab, failing the complete pipeline, but we need the loop to continue and then proceed to actually identify a commit
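As an added example (not bot-ng code, and not from okurz or gpathak), here is what the two pipeline steps discussed above could look like as testable Python: key import that skips a committer without a key instead of aborting, and selection of the newest commit whose `%G?` status is acceptable. The key fetcher, the importer and the sample log are constructed stand-ins for the GitLab API, gpg and git, so the example runs offline.

```python
"""Testable sketch of the bot-ng pipeline steps (added example, not bot-ng
code): import committer keys while tolerating users without a key, then pick
the newest commit whose signature status git reports as acceptable."""
import subprocess
from typing import Callable, Iterable, Optional

# Status letters from `git log --pretty=%G?`: G = good signature from a key
# with ownertrust, U = good signature with unknown validity (a key merely
# imported, as the pipeline does), B = bad, E = cannot check, N = unsigned.
ACCEPTED = frozenset({"G", "U"})

def import_keys(usernames: Iterable[str],
                fetch_key: Callable[[str], Optional[str]],
                import_key: Callable[[str], bool]) -> tuple[list, list]:
    """Import each user's key; a user without a key (or with one gpg rejects)
    is skipped so the loop continues, mirroring the `||:` in the shell."""
    imported, skipped = [], []
    for name in sorted(set(usernames)):          # `sort | uniq`
        key = fetch_key(name)
        if key is None or not import_key(key):   # gpathak's point: no import
            skipped.append(name)                 # when the key check fails
            continue
        imported.append(name)
    return imported, skipped

def pick_last_signed_commit(log_lines: Iterable[str],
                            accepted: frozenset = ACCEPTED) -> Optional[str]:
    """Return the newest hash from `%G? %h` lines with an accepted status."""
    for line in log_lines:
        status, _, sha = line.strip().partition(" ")
        if status in accepted and sha:
            return sha
    return None

def last_signed_commit(ref: str = "origin/master") -> Optional[str]:
    """Run git for real; equivalent of the `git checkout $(...)` argument."""
    out = subprocess.run(["git", "log", ref, "--pretty=%G? %h"],
                         check=True, capture_output=True, text=True).stdout
    return pick_last_signed_commit(out.splitlines())

# Constructed sample data: user "carol" has no key on the simulated GitLab.
SAMPLE_KEYS = {"alice": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nalice-key",
               "bob": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nbob-key",
               "carol": None}
SAMPLE_LOG = ["N 1a2b3c4", "E 5d6e7f8", "U 9a8b7c6", "U 0f1e2d3"]
```

Note that the shell pipeline's `grep -oP '(?<=U ).*'` accepts only status U; pass `frozenset("U")` as `accepted` to reproduce that exactly.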