Yes, I thought that whitelisting apache organization will do the trick, but apparently, it doesn't. Actually, it makes sense as we want to allow only beam committers and not all apache committers. I don't know the implications of membership in the apache github organization, but you for instance are not there :) Neither is Ahmet.
Therefore there's nothing wrong with the Ghprb plugin, it correctly forbade triggering. From my investigation, the "beam-committers" GitHub team (which is under the apache org) is the list of people that should be allowed. But firstly, you cant whitelist a team with Ghprb. There's a ticket for that, open for 5 years <https://github.com/jenkinsci/ghprb-plugin/issues/160>. I could implement that but, secondly, the team is secret. I can't even see it. Even asfbot doesn't have permission to see it. You may ask, how it worked before, because on the builds.apache.org somehow only committers were allowed to trigger PR builds. It appeared that Infra created a webhook relay. It's configured here <https://github.com/apache/infrastructure-puppet/blob/deployment/modules/gitbox/files/conf/relay.yaml> and it filters out all the non-committers events. I wish I had known that before as it was also the reason for different issues during the migration. Anyway, it would be hard to use that mechanism in our case as we want to configure it depending on the job. There's a publicly available source of committers list - it's LDAP. I've tested it and it allows anonymous connection and provides the list of the committers as well as the github usernames. My current idea is to read this from LDAP as a part of the seed job and configure the jobs with the apache committers present on the ghprb whitelist. Hope that I didn't miss anything ;) It isn't that easy to investigate that kind of issues with my poor privileges ;) Regards, Damian On Thu, Jul 23, 2020 at 6:52 PM Udi Meiri <eh...@google.com> wrote: > Thanks Damian! I saw that the config also has this: > orgWhitelist(['apache']) > Shouldn't that be enough to allow all Apache committers? > > I traced the code for the membership check here: > > https://github.com/jenkinsci/ghprb-plugin/blob/4e86ed47a96a01eeaa51a479ff604252109635f6/src/main/java/org/jenkinsci/plugins/ghprb/GhprbGitHub.java#L27 > Is there a way to see these logs? > > > On Thu, Jul 23, 2020 at 7:08 AM Damian Gadomski < > damian.gadom...@polidea.com> wrote: > >> Hi, >> >> You are right, the current behavior is wrong, I'm currently working to >> fix it asap. Our intention was to disable that only for non-committers. >> >> As a workaround, as a committer, you could manually add yourself (your >> GitHub username) to the whitelist of the SeedJob configuration: >> https://ci-beam.apache.org/job/beam_SeedJob/configure >> Then, your comment "Run Seed Job" will trigger the build. I've already >> manually triggered it for you that way. >> >> Of course, it will only work until the seed job gets executed - it will >> then override the whitelist with an empty one. >> >> [image: Selection_408.png] >> >> As a target solution, I'm planning to fetch the list of beam committers >> from LDAP and automatically add them to the whitelist above as a part of >> the seed job. I'll keep you updated about the progress. >> >> Regards, >> Damian >> >> >> On Wed, Jul 22, 2020 at 11:03 PM Ahmet Altay <al...@google.com> wrote: >> >>> +Damian Gadomski <damian.gadom...@polidea.com>, it might be related to >>> this change: https://github.com/apache/beam/pull/12319. >>> >>> /cc +Tyson Hamilton <tyso...@google.com> >>> >>> On Wed, Jul 22, 2020 at 1:17 PM Udi Meiri <eh...@google.com> wrote: >>> >>>> HI, >>>> I'm trying to test a groovy change but I can't seem to trigger the seed >>>> job. It worked yesterday so I'm not sure what changed. >>>> >>>> https://github.com/apache/beam/pull/12326 >>>> >>>>