Il sab 29 dic 2018, 17:25 Stephen Connolly <stephen.alan.conno...@gmail.com>
ha scritto:

> On Sat 29 Dec 2018 at 16:20, Stephen Connolly <
> stephen.alan.conno...@gmail.com> wrote:
>
> >
> >
> > On Sat 29 Dec 2018 at 15:18, Enrico Olivelli <eolive...@gmail.com>
> wrote:
> >
> >> Il sab 29 dic 2018, 15:17 Stephen Connolly <
> >> stephen.alan.conno...@gmail.com>
> >> ha scritto:
> >>
> >> > There is a security issue with building PRs automatically.
> >> >
> >> > I can see about adding PR discovery to the existing ASF gitbox plugin,
> >> but
> >> > we’d need committers to ok the build and have reviewed the code as the
> >> PR
> >> > could contain attacks to be run from ASF hardware... which is why we
> >> don’t
> >> > build PRs at present.
> >> >
> >>
> >> Now I have to review and then push to ASF repo and I have to tell to the
> >> contributor that I will make CI start.
> >> IMHO a good tradeoff is:
> >> - a committer adds a 'test this please' comment, or '@asfbot test this
> >> please' and then a CI job start
> >> - this job updates the status line of the PR, with a link to the logs
> and
> >> the status of the job
> >>
> >> How does it sounds to you?
> >
> >
> > Like it’ll burn through the GitHub api rate limit like crazy.
>

I did not think we have 100 repos

> >
> > The committer goes to Jenkins and clicks the build button on the PR job
> > (which is sitting there ready and waiting), done.
> >
>
> Oh and before I forget, clicking build now I’m Jenkins will update the CI
> status in GitHub for the PR to say in progress and then provide the result
> when available.
>
>
> > Searching through comments on PRs to find commits with a magic comment
> > string that haven’t been built by Jenkins is certainly what would be
> > lovely... but right now it would burn the GitHub rate limit (which is
> 5,000
> > requests per hour across the whole ASF) right through.
> >
>
> To be clear, the hard part is efficiently finding “missed” comments and
> associating with the commit hash they belong to. We don’t want an approval
> to allow attack via an update pushed to the PR. So you have to walk all the
> comments and associate with the commit hash they applied to... gets tricky.
>

Yep, I understand, you are right.

Another option is to have a script to launch:

import-pr maven-assembly-plugin #567

Then the script + Jenkins:
- bind the pr to a JIRA by scanning git log
- push to ASF (changing 'committer') with a standard name (JIRA id)
- start a job
- add a github status line with a link to the logs
- bonus: the job will change the status line with green/red light

I already have such kind of script in my company (but for
bitbucket/JIRA/Jenkins and not for such a complex system like Maven CI),
but the hard part is the job which has to write the status line

Enrico


> We could maybe hijack approval state... but that allows merging by the
> author.
>

This part is not clear to me. Only 'commiters' can push to the repo.



>
> >
> >
> >>
> >> Enrico
> >>
> >>
> >> > Other projects at ASF probably missed this point in the video series
> >> > chronicling the development of the plugin...
> >> >
> >> > On Sat 29 Dec 2018 at 13:10, Enrico Olivelli <eolive...@gmail.com>
> >> wrote:
> >> >
> >> > > Hervè,
> >> > > This is the plugin
> >> > >
> >> > >
> >> >
> >>
> https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin?desktop=true&macroName=unmigrated-inline-wiki-markup
> >> > >
> >> > > I see our "maven-box" is using some special "Scan Apache Hosted Git
> >> > > Folder Triggers" source
> >> > > (https://builds.apache.org/job/maven-box/configure)
> >> > > In the Jenkins of my company in a "Multibranch Pipeline" I have a
> >> > > "Branch Sources" box with a "GitHub" option which lets me trigger
> >> > > builds by using PRs
> >> > >
> >> > >
> >> > > Enrico
> >> > >
> >> > > Il giorno sab 29 dic 2018 alle ore 13:43 Hervé BOUTEMY
> >> > > <herve.bout...@free.fr> ha scritto:
> >> > > >
> >> > > > Le samedi 29 décembre 2018, 12:40:20 CET Enrico Olivelli a écrit :
> >> > > > > Il sab 29 dic 2018, 12:37 Mickael Istria <mist...@redhat.com>
> ha
> >> > > scritto:
> >> > > > > > On Sat, Dec 29, 2018 at 12:01 PM Hervé BOUTEMY <
> >> > > herve.bout...@free.fr>
> >> > > > > >
> >> > > > > > wrote:
> >> > > > > > > But in both cases, currently, there is no automatic GitHub
> PR
> >> > > > > >
> >> > > > > > integration:
> >> > > > > > > Maven committers need to create a branch in the official
> >> > > repository to
> >> > > > > > > benefit
> >> > > > > > > from ASF Jenkins build
> >> > > > > >
> >> > > > > > Ah ok, I wasn't aware the GitHub repo was "unofficial" and
> >> couldn't
> >> > > be
> >> > > > > > used
> >> > > > > > to trigger builds. That sucks...
> >> > > > >
> >> > > > > Maven migrated to gitbox so actually github is an official repo
> >> for
> >> > > Maven.
> >> > > > > I see the same setup in Zookeeper and Bookkeeper and github pr
> >> plugin
> >> > > works
> >> > > > > like a charm (and I partecipated in setting it up)
> >> > > > oh great, that would be nice to have the same setup for Maven
> repos!
> >> > > >
> >> > > > >
> >> > > > > Enrico
> >> > > > >
> >> > > > > > Any idea how we could have GitHub PR reviews without this
> branch
> >> > > creation
> >> > > > > >
> >> > > > > > > by
> >> > > > > > > committers, be it at ASF or somewhere else?
> >> > > > > >
> >> > > > > > Using TravisCI could be a solution.
> >> > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > >
> >> ---------------------------------------------------------------------
> >> > > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> > > > For additional commands, e-mail: dev-h...@maven.apache.org
> >> > > >
> >> > >
> >> > >
> ---------------------------------------------------------------------
> >> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> > > For additional commands, e-mail: dev-h...@maven.apache.org
> >> > >
> >> > > --
> >> > Sent from my phone
> >> >
> >> --
> >>
> >>
> >> -- Enrico Olivelli
> >>
> > --
> > Sent from my phone
> >
> --
> Sent from my phone
>
-- 


-- Enrico Olivelli

Reply via email to