
Setup github branch protection to verify required tags #9662

Open
2 tasks
marmarek opened this issue Dec 20, 2024 · 0 comments
Assignee: marmarek
Labels: C: infrastructure, P: default (Priority: default. Default priority for new issues, to be replaced given sufficient information.)

Comments

@marmarek (Member)


The problem you're addressing (if any)

GitHub doesn't enforce our signed-tag requirements; they are enforced only later, at package fetch time, by qubes-builderv2. This means a maintainer can push to a branch forgetting a tag, and may not spot the mistake until somebody notices that qubes-builderv2 fails to fetch it.

The solution you'd like

Add branch protection rules in GitHub that enforce the check. This way, the push will be blocked if the required tag(s) are missing. This will be even more relevant when requiring tags from multiple maintainers (see #7739).

Note that this does not move the signature check to GitHub; it's just a hint to detect missing tags earlier.

Note that, technically, it will require pushing tags and commits to some branch before pushing to main/release. But that is already the case for many repositories: changes are pushed to the "main-staging" branch and a bot moves them to "main" only after CI completes. This change proposes to kinda extend the CI check to verify the tag(s) too.

The value to a user, and who that user might be

This is mostly for maintainers to have better feedback from CI. As a side effect, this should also block the "merge" button on the pull request web interface.

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)

  • Add a bot that calls qubes-builderv2 package fetch and reports the result as a GitHub commit status
  • Make the status check required on main/release branches
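Added example of the check the checklist describes; this is not code from qubes-builderv2 or the Qubes infrastructure. It assumes signature verification is delegated to `git verify-tag --raw` and its gpg status lines are parsed, that the policy is "N tags on HEAD from N distinct allowed maintainers" (N > 1 being the #7739 case), and that the result is posted as a commit status whose context is then made required in branch protection. The fingerprints, maintainer names, tag names, status context and gpg status samples are all made up.

```python
"""Required-tag check for a branch head, reported as a GitHub commit status.

Added example, not qubes-builderv2 code.  Signature verification is left to
`git verify-tag --raw`, whose gpg status lines (on stderr) are parsed here.
All fingerprints, names and tags below are constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical policy: primary-key fingerprint -> maintainer.  In a real
# deployment this comes from the builder's keyring, not from a literal.
ALLOWED_SIGNERS: Dict[str, str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "alice",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF": "bob",
}
# Keywords after which a signature must not count, even though gpg still
# emits VALIDSIG for expired or revoked keys.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def tags_pointing_at(repo: str, sha: str) -> List[str]:
    """Tags whose (peeled) target is `sha`, via git."""
    out = subprocess.run(["git", "-C", repo, "tag", "--points-at", sha],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


def verify_tag_raw(repo: str, tag: str) -> str:
    """gpg status lines for `tag`.  git exits non-zero on a bad signature;
    the status text is returned either way so the caller can see why."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.stderr


def signer_of(status: str) -> Optional[str]:
    """Primary-key fingerprint behind a GOODSIG+VALIDSIG pair, else None."""
    good, primary = False, None
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in REJECT:
            return None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd> <pk> <hash> <class> [<primary-fpr>]
            primary = parts[11] if len(parts) >= 12 else parts[2]
    return primary if good else None


@dataclass
class Result:
    state: str          # commit status state: "success" or "failure"
    description: str


def evaluate(tag_statuses: Dict[str, str], required: int = 1,
             allowed: Dict[str, str] = ALLOWED_SIGNERS) -> Result:
    """Require `required` tags on HEAD signed by distinct allowed maintainers."""
    signers: Dict[str, str] = {}      # maintainer -> first tag that counted
    for tag, status in tag_statuses.items():
        fpr = signer_of(status)
        if fpr is not None and fpr in allowed:
            signers.setdefault(allowed[fpr], tag)
    if len(signers) >= required:
        who = ", ".join(f"{m} ({t})" for m, t in sorted(signers.items()))
        return Result("success", f"{len(signers)} valid maintainer tag(s): {who}")
    return Result("failure",
                  f"need {required} maintainer tag(s) on HEAD, found {len(signers)}")


def commit_status_payload(result: Result, context: str = "qubes-builder/required-tags",
                          target_url: Optional[str] = None) -> dict:
    """JSON body for POST /repos/{owner}/{repo}/statuses/{sha}; requiring this
    context in branch protection is what blocks the push/merge."""
    body = {"state": result.state, "context": context,
            "description": result.description[:140]}   # API caps at 140 chars
    if target_url:
        body["target_url"] = target_url
    return body


def check_head(repo: str, sha: str, required: int = 1) -> Result:
    """End-to-end run against a real checkout."""
    statuses = {t: verify_tag_raw(repo, t) for t in tags_pointing_at(repo, sha)}
    return evaluate(statuses, required)


# Constructed gpg status output (field layout per GnuPG doc/DETAILS; values fake).
GOOD_ALICE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Alice Maintainer <alice@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2024-12-20 1734700000 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
GOOD_BOB = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Bob Maintainer <bob@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-12-20 1734700100 0 4 0 22 8 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
EXPIRED_KEY = """\
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Bob Maintainer <bob@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-12-20 1734700100 0 4 0 22 8 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
BAD_SIG = "[GNUPG:] BADSIG 1111222233334444 Alice Maintainer <alice@example.invalid>\n"
STRANGER = """\
[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Some Contributor <c@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-12-20 1734700200 0 4 0 22 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""

if __name__ == "__main__":
    print(commit_status_payload(evaluate({"v4.3.1": GOOD_ALICE, "v4.3.1-bob": GOOD_BOB}, required=2)))
```

The bot would call `check_head(repo, sha, required)` on the staging branch head and POST `commit_status_payload(...)` to the statuses endpoint; because the signer is identified by the primary-key fingerprint, two tags from the same maintainer (for example a signing subkey and the primary key) count once toward `required`, and an expired or revoked key is rejected even though gpg still prints a VALIDSIG line for it.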
marmarek added the T: enhancement, P: default and C: infrastructure labels on Dec 20, 2024
marmarek added a commit to marmarek/qubes-builderv2 that referenced this issue Dec 20, 2024
It's useful to fetch just git repos, but not distfiles. This is useful when
fetching all repositories, but fetching the actual files only when building.
It especially saves a lot of space on kernel tarballs.

It is also useful when using the builder just to verify sources.

QubesOS/qubes-issues#9662
marmarek self-assigned this Dec 21, 2024
marmarek added a commit to QubesOS/qubes-builderv2 that referenced this issue Jan 10, 2025
* origin/pr/166:
  ci: enable cache jobs on regular "main" pipelines
  Fix handling "branch" set to a commit hash
  executors/local: try cleanup as normal user first
  get-and-verify-source: fix handling non-standard PATH
  Add skip-files-fetch option

QubesOS/qubes-issues#9662