On Sat 29 Dec 2018 at 16:20, Stephen Connolly < stephen.alan.conno...@gmail.com> wrote:
> > > On Sat 29 Dec 2018 at 15:18, Enrico Olivelli <eolive...@gmail.com> wrote: > >> Il sab 29 dic 2018, 15:17 Stephen Connolly < >> stephen.alan.conno...@gmail.com> >> ha scritto: >> >> > There is a security issue with building PRs automatically. >> > >> > I can see about adding PR discovery to the existing ASF gitbox plugin, >> but >> > we’d need committers to ok the build and have reviewed the code as the >> PR >> > could contain attacks to be run from ASF hardware... which is why we >> don’t >> > build PRs at present. >> > >> >> Now I have to review and then push to ASF repo and I have to tell to the >> contributor that I will make CI start. >> IMHO a good tradeoff is: >> - a committer adds a 'test this please' comment, or '@asfbot test this >> please' and then a CI job start >> - this job updates the status line of the PR, with a link to the logs and >> the status of the job >> >> How does it sounds to you? > > > Like it’ll burn through the GitHub api rate limit like crazy. > > The committer goes to Jenkins and clicks the build button on the PR job > (which is sitting there ready and waiting), done. > Oh and before I forget, clicking build now I’m Jenkins will update the CI status in GitHub for the PR to say in progress and then provide the result when available. > Searching through comments on PRs to find commits with a magic comment > string that haven’t been built by Jenkins is certainly what would be > lovely... but right now it would burn the GitHub rate limit (which is 5,000 > requests per hour across the whole ASF) right through. > To be clear, the hard part is efficiently finding “missed” comments and associating with the commit hash they belong to. We don’t want an approval to allow attack via an update pushed to the PR. So you have to walk all the comments and associate with the commit hash they applied to... gets tricky. We could maybe hijack approval state... but that allows merging by the author. > > >> >> Enrico >> >> >> > Other projects at ASF probably missed this point in the video series >> > chronicling the development of the plugin... >> > >> > On Sat 29 Dec 2018 at 13:10, Enrico Olivelli <eolive...@gmail.com> >> wrote: >> > >> > > Hervè, >> > > This is the plugin >> > > >> > > >> > >> https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin?desktop=true¯oName=unmigrated-inline-wiki-markup >> > > >> > > I see our "maven-box" is using some special "Scan Apache Hosted Git >> > > Folder Triggers" source >> > > (https://builds.apache.org/job/maven-box/configure) >> > > In the Jenkins of my company in a "Multibranch Pipeline" I have a >> > > "Branch Sources" box with a "GitHub" option which lets me trigger >> > > builds by using PRs >> > > >> > > >> > > Enrico >> > > >> > > Il giorno sab 29 dic 2018 alle ore 13:43 Hervé BOUTEMY >> > > <herve.bout...@free.fr> ha scritto: >> > > > >> > > > Le samedi 29 décembre 2018, 12:40:20 CET Enrico Olivelli a écrit : >> > > > > Il sab 29 dic 2018, 12:37 Mickael Istria <mist...@redhat.com> ha >> > > scritto: >> > > > > > On Sat, Dec 29, 2018 at 12:01 PM Hervé BOUTEMY < >> > > herve.bout...@free.fr> >> > > > > > >> > > > > > wrote: >> > > > > > > But in both cases, currently, there is no automatic GitHub PR >> > > > > > >> > > > > > integration: >> > > > > > > Maven committers need to create a branch in the official >> > > repository to >> > > > > > > benefit >> > > > > > > from ASF Jenkins build >> > > > > > >> > > > > > Ah ok, I wasn't aware the GitHub repo was "unofficial" and >> couldn't >> > > be >> > > > > > used >> > > > > > to trigger builds. That sucks... >> > > > > >> > > > > Maven migrated to gitbox so actually github is an official repo >> for >> > > Maven. >> > > > > I see the same setup in Zookeeper and Bookkeeper and github pr >> plugin >> > > works >> > > > > like a charm (and I partecipated in setting it up) >> > > > oh great, that would be nice to have the same setup for Maven repos! >> > > > >> > > > > >> > > > > Enrico >> > > > > >> > > > > > Any idea how we could have GitHub PR reviews without this branch >> > > creation >> > > > > > >> > > > > > > by >> > > > > > > committers, be it at ASF or somewhere else? >> > > > > > >> > > > > > Using TravisCI could be a solution. >> > > > >> > > > >> > > > >> > > > >> > > > >> > > > >> --------------------------------------------------------------------- >> > > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org >> > > > For additional commands, e-mail: dev-h...@maven.apache.org >> > > > >> > > >> > > --------------------------------------------------------------------- >> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org >> > > For additional commands, e-mail: dev-h...@maven.apache.org >> > > >> > > -- >> > Sent from my phone >> > >> -- >> >> >> -- Enrico Olivelli >> > -- > Sent from my phone > -- Sent from my phone
