Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setup github branch protection to verify required tags #9662

Open
2 tasks
marmarek opened this issue Dec 20, 2024 · 0 comments
Open
2 tasks

Setup github branch protection to verify required tags #9662

marmarek opened this issue Dec 20, 2024 · 0 comments
Labels
C: infrastructure P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@marmarek
Copy link
Member

How to file a helpful issue

The problem you're addressing (if any)

Github doesn't enforce our signed tags requirements, it's enforced only later at package fetch time by qubes-builderv2. This means, a maintainer can push to a branch forgetting a tag, and may not spot the mistake until somebody notices qubes-builderv2 fails to fetch it.

The solution you'd like

Add branch protection rules in github that enforce the check. This way, the push will be blocked if required tag(s) is missing. This will be even more relevant when requiring tags from multiple maintainers (see #7739).

Note it does not move signature check to github, it's just a hint to detect missing tags earlier.

Note, technically it will require pushing tags and commits to some branch before pushing to main/release. But it is already the case for many repositories - changes are pushed to "main-staging" branch and there is a bot moving it to "main" only after CI completes. This change proposes to kinda extend the CI check to verify the tag(s) too.

The value to a user, and who that user might be

This is mostly for maintainers to have better feedback from CI. As a side effect, this should also block the "merge" button on pull request web interface.

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)

  • Add a bot that calls qubes-builderv2 package fetch and reports result as github commit status
  • Make the status check required on main/release branches
@marmarek marmarek added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. C: infrastructure labels Dec 20, 2024
marmarek added a commit to marmarek/qubes-builderv2 that referenced this issue Dec 20, 2024
@marmarek
Add skip-files-fetch option
0aa39b2 
It's useful to fetch just git repos, but not distfiles. It's useful when
fetching all repositories, but fetching actual files only when building.
Especially saves a lot of space from kernel tarballs.

And also, useful when using builder just to verify sources.

QubesOS/qubes-issues#9662
@marmarek marmarek mentioned this issue Dec 20, 2024
Open
marmarek added a commit to marmarek/qubes-builderv2 that referenced this issue Dec 20, 2024
@marmarek
Add skip-files-fetch option
88636d8 
It's useful to fetch just git repos, but not distfiles. It's useful when
fetching all repositories, but fetching actual files only when building.
Especially saves a lot of space from kernel tarballs.

And also, useful when using builder just to verify sources.

QubesOS/qubes-issues#9662
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: infrastructure P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@marmarek