On Thu, Jul 23, 2020 at 1:11 PM Damian Gadomski <damian.gadom...@polidea.com> wrote:
> Yes, I thought that whitelisting apache organization will do the trick, > but apparently, it doesn't. Actually, it makes sense as we want to allow > only beam committers and not all apache committers. I don't know the > implications of membership in the apache github organization, but you for > instance are not there :) Neither is Ahmet. > This may have to do with registering alternative email addresses and GitHub accounts via whimsy.apache.org. If you are able to commit, then you are set up via gitbox.apache.org. Kenn > Therefore there's nothing wrong with the Ghprb plugin, it correctly > forbade triggering. From my investigation, the "beam-committers" GitHub > team (which is under the apache org) is the list of people that should be > allowed. But firstly, you cant whitelist a team with Ghprb. There's a > ticket for that, open for 5 years > <https://github.com/jenkinsci/ghprb-plugin/issues/160>. I could implement > that but, secondly, the team is secret. I can't even see it. Even asfbot > doesn't have permission to see it. > > You may ask, how it worked before, because on the builds.apache.org > somehow only committers were allowed to trigger PR builds. It appeared that > Infra created a webhook relay. It's configured here > <https://github.com/apache/infrastructure-puppet/blob/deployment/modules/gitbox/files/conf/relay.yaml> > and > it filters out all the non-committers events. I wish I had known that > before as it was also the reason for different issues during the migration. > Anyway, it would be hard to use that mechanism in our case as we want to > configure it depending on the job. > > > There's a publicly available source of committers list - it's LDAP. I've > tested it and it allows anonymous connection and provides the list of the > committers as well as the github usernames. My current idea is to read this > from LDAP as a part of the seed job and configure the jobs with the apache > committers present on the ghprb whitelist. > > > Hope that I didn't miss anything ;) It isn't that easy to investigate that > kind of issues with my poor privileges ;) > > > Regards, > > Damian > > > On Thu, Jul 23, 2020 at 6:52 PM Udi Meiri <eh...@google.com> wrote: > >> Thanks Damian! I saw that the config also has this: >> orgWhitelist(['apache']) >> Shouldn't that be enough to allow all Apache committers? >> >> I traced the code for the membership check here: >> >> https://github.com/jenkinsci/ghprb-plugin/blob/4e86ed47a96a01eeaa51a479ff604252109635f6/src/main/java/org/jenkinsci/plugins/ghprb/GhprbGitHub.java#L27 >> Is there a way to see these logs? >> >> >> On Thu, Jul 23, 2020 at 7:08 AM Damian Gadomski < >> damian.gadom...@polidea.com> wrote: >> >>> Hi, >>> >>> You are right, the current behavior is wrong, I'm currently working to >>> fix it asap. Our intention was to disable that only for non-committers. >>> >>> As a workaround, as a committer, you could manually add yourself (your >>> GitHub username) to the whitelist of the SeedJob configuration: >>> https://ci-beam.apache.org/job/beam_SeedJob/configure >>> Then, your comment "Run Seed Job" will trigger the build. I've already >>> manually triggered it for you that way. >>> >>> Of course, it will only work until the seed job gets executed - it will >>> then override the whitelist with an empty one. >>> >>> [image: Selection_408.png] >>> >>> As a target solution, I'm planning to fetch the list of beam committers >>> from LDAP and automatically add them to the whitelist above as a part of >>> the seed job. I'll keep you updated about the progress. >>> >>> Regards, >>> Damian >>> >>> >>> On Wed, Jul 22, 2020 at 11:03 PM Ahmet Altay <al...@google.com> wrote: >>> >>>> +Damian Gadomski <damian.gadom...@polidea.com>, it might be related to >>>> this change: https://github.com/apache/beam/pull/12319. >>>> >>>> /cc +Tyson Hamilton <tyso...@google.com> >>>> >>>> On Wed, Jul 22, 2020 at 1:17 PM Udi Meiri <eh...@google.com> wrote: >>>> >>>>> HI, >>>>> I'm trying to test a groovy change but I can't seem to trigger the >>>>> seed job. It worked yesterday so I'm not sure what changed. >>>>> >>>>> https://github.com/apache/beam/pull/12326 >>>>> >>>>>
