infrastructure
Define per-repository configuration settings
Adoptium currently has 47 repositories for various tasks. This issue is to define the expected settings for these repositories to ensure they are secure, allow people to be productive, and are consistent to avoid surprises.
Repository settings include such items as:
- branch protection
- access control lists (alignment with Eclipse requirements), and removing temporary `admin` access rights
- required number of PR approvers
- constraints on forced push
- etc
First step is to define the expected settings for each type (infra, dev code, release repo, website/api, etc) of repository we handle. Second step is to bring the 47 repositories in line with these settings - which may require temporary admin access.
Of the current set of repositories, we have the following categories:
| Repository sets | Repos | Current mandatory reviewers |
|---|---|---|
| Source mirror repos | 12 | n/a - No PRs (Alpine JDK8?) |
| Binary repos | 6 | n/a - No PRs |
| Temurin | 11 | 4 with zero, 2 with one, 2 with two |
| aqavit | 7 | 4 with zero, 1 with one?, 2 with two? |
| adoptium | 7 | All zero, question over blog and dash |
| mission control | 1 | TBC |
| incubator | 2 | TBC |
Spreadsheet (restricted access) currently at https://docs.google.com/spreadsheets/d/10PfKCBpnvx6RUQMhZfzK4EpBUMP5rPBnlUJ3SwidVLM/edit#gid=0
@sxa Thanks for gathering the info. Please can you set up a call with interested folks to discuss and action this now?
Action items from today's call (Attendees: @sxa @tellison @gdams @smlambert @andrew-m-leonard @karianna)
- @gdams to look at implications of implementing PR approvals on repositories which use bots/auto-merges
- @sxa to look at defining a template that can be used for all new repositories generated for the project
- Project leads for Incubators and Mission Control will be consulted regarding the options they wish to have on their repositories
- DONE: ENABLED Follow-up on 2FA for the org, after ensuring the bots are safe.
- Request for changes to the repository settings will be deferred until the July release is considered safe.
NOTE: The website-v2 repository is not controlled via the normal eclipse processes and is independent of the other repositories.
Summary of desired repository settings:
| Project | Repository | Required reviewers |
|---|---|---|
| Adoptium | All | 1 |
| n/a | website-v2 | 1 |
| aqavit | TKG, aqa-tests | 2 |
| aqavit | All others | 1 |
| temurin | jdkXX, temurinXX-binaries, marketplace-data, build-jdk | 1 |
| temurin | temurin-build, ci-jenkins-pipelines, github-release-scripts, jenkins-helper, mirror-scripts, installer, containers, infrastructure | 2 |
| mission control | - | TBC |
| incubator | - | TBC |
In terms of other settings, this is what we agreed we wanted across all adoptium, aqavit and temurin projects
| Setting | Yes/No |
|---|---|
| Dismiss review state on new pushes | No |
| Require review from code owners | No |
| Require status checks to pass | ECA requirement |
| Require rebase first | No |
| Require conversation resolution | No |
| Require linear history (No merges) | Yes |
| Allow force pushes | No (Engage eclipse if required for security) |
| Automatically delete head branches | Yes? |
| Allow merge commits | No |
| Allow squash merging | Yes |
| Default to PR title for squash commits | No |
| Allow rebase merging | Yes |
| Always suggest updating PR branches | Yes |
| Allow auto-merge | Yes |
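An added example (not part of the issue thread and not Adoptium's or Eclipse's tooling): a Python check that compares one repository's settings against the two tables above and lists every deviation. It assumes input dicts shaped like GitHub REST API responses for a repository and for its branch protection; the sample data is constructed, and the "ECA requirement", "Require rebase first" and squash-title rows are left out because the tables do not pin them to a single API value.

```python
# Expected values come from the two tables above; the dict shapes follow
# GitHub's REST API for a repository and for its branch protection.
TWO_REVIEWERS = {"TKG", "aqa-tests", "temurin-build", "ci-jenkins-pipelines",
                 "github-release-scripts", "jenkins-helper", "mirror-scripts",
                 "installer", "containers", "infrastructure"}
REPO_POLICY = {  # repository-level merge settings
    "allow_merge_commit": False, "allow_squash_merge": True,
    "allow_rebase_merge": True, "allow_update_branch": True,
    "allow_auto_merge": True,
    "delete_branch_on_merge": True,  # the table marks this one "Yes?"
}
PROTECTION_POLICY = {  # (section, key) in the protection object -> expected
    ("required_pull_request_reviews", "dismiss_stale_reviews"): False,
    ("required_pull_request_reviews", "require_code_owner_reviews"): False,
    ("required_conversation_resolution", "enabled"): False,
    ("required_linear_history", "enabled"): True,
    ("allow_force_pushes", "enabled"): False,
}

def audit(name, repo, protection):
    """Return sorted 'setting: actual != expected' deviations for one repo."""
    checks = [(k, repo.get(k), v) for k, v in REPO_POLICY.items()]
    checks.append(("branch protection present", protection is not None, True))
    protection = protection or {}  # unprotected branch: every rule is unmet
    for (section, key), expected in PROTECTION_POLICY.items():
        actual = (protection.get(section) or {}).get(key)  # None if absent
        checks.append((f"{section}.{key}", actual, expected))
    reviews = protection.get("required_pull_request_reviews") or {}
    checks.append(("required_approving_review_count",
                   reviews.get("required_approving_review_count", 0),
                   2 if name in TWO_REVIEWERS else 1))
    return sorted(f"{s}: {a!r} != {e!r}" for s, a, e in checks if a != e)

# Constructed sample input (not real Adoptium data).
SAMPLE_REPO = {"allow_merge_commit": True, "allow_squash_merge": True,
               "allow_rebase_merge": True, "allow_update_branch": True,
               "allow_auto_merge": True, "delete_branch_on_merge": True}
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": False,
                                      "require_code_owner_reviews": False,
                                      "required_approving_review_count": 1},
    "required_conversation_resolution": {"enabled": False},
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": True},
}

if __name__ == "__main__":
    for finding in audit("temurin-build", SAMPLE_REPO, SAMPLE_PROTECTION):
        print(finding)
```

A setting that is absent from the input is reported as a deviation rather than assumed compliant, so an unprotected branch shows up as a full list of unmet rules.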
@sxa will website-v2 be made "part of" EF like the other repositories?
> @sxa will `website-v2` be made "part of" EF like the other repositories?
There are currently no plans to change it so for now it will remain unique.
Request for change to reviewer numbers: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/1900
Noting that the configuration settings are now controlled using Otterdog with the configuration in https://github.com/adoptium/.eclipsefdn/blob/main/otterdog/adoptium.jsonnet