
[api] support staging without write access in GA projects

Open adrianschroeter opened this issue 2 years ago • 8 comments

SLSA requires separation of release managers and code stream managers. Therefore release managers just approve reviews and the code stream managers using the request approve mechanism.

As a consequence the release managers have no write access anymore in the GA projects:

  • requests are not accepted directly via the staging API, only indirectly via the approve mechanism
  • modifications outside of the requests (like fiddling with local links) are not allowed anymore

jsc#OBS-200

adrianschroeter avatar Jul 07 '22 08:07 adrianschroeter

This is currently just an untested draft; it needs further investigation and testing, and especially a review of the permission handling.

adrianschroeter avatar Jul 07 '22 08:07 adrianschroeter

@adrianschroeter, only a small note about labelling pull requests: we usually create issues and label them with a priority label (P2 for example). After that we create pull requests which could solve the issue. This helps us to separate the problem (and assign a priority to it) from the solution.

eduardoj avatar Jul 07 '22 08:07 eduardoj

Depends on #12789 and #12787

hennevogel avatar Jul 11 '22 14:07 hennevogel

Depends on #12789 and #12787

Both are now merged. Rebasing...

dmarcoux avatar Jul 13 '22 07:07 dmarcoux

Now depends on #12816

hennevogel avatar Jul 18 '22 12:07 hennevogel

And now depends on #12845

hennevogel avatar Jul 21 '22 16:07 hennevogel

Codecov Report

Merging #12771 (0abb3bf) into master (8350159) will increase coverage by 0.00%. The diff coverage is 96.55%.


@@           Coverage Diff           @@
##           master   #12771   +/-   ##
=======================================
  Coverage   88.49%   88.49%           
=======================================
  Files         698      698           
  Lines       23847    23851    +4     
=======================================
+ Hits        21103    21107    +4     
  Misses       2744     2744           

codecov[bot] avatar Jul 25 '22 16:07 codecov[bot]

@coolo can you have another look please?

hennevogel avatar Jul 26 '22 10:07 hennevogel

Let's go then @adrianschroeter @coolo right?

hennevogel avatar Aug 26 '22 13:08 hennevogel

Sure, it has worked in production for quite some time.

adrianschroeter avatar Aug 26 '22 13:08 adrianschroeter

This broke staging accept, as the release tools always accept with force after checking on the client side that everything is acceptable. As `acceptable` is not in FORCEABLE_STATES, this fails now.

The reason we have to accept with force is that if you accept two stagings at the same time, the 2nd one will flip to 'building' due to the scheduler thinking "oh, something in Factory changed, let me check if all the projects linking to it need to change".

coolo avatar Aug 29 '22 11:08 coolo
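To make the failure described in the comment above concrete, here is an added Ruby model (not OBS code; the `FORCEABLE_STATES_*` lists, the state names other than `acceptable` and `building`, and the `accept!` guard are hypothetical approximations of the behaviour the comment describes). It shows why a plain accept of two stagings loses the second one to the scheduler re-check, why the release tools force, and why force fails once `acceptable` is missing from the forceable list:

```ruby
# Hypothetical model of the staging accept guard discussed in the thread.
# Not the OBS implementation: constant and method names are assumptions.

# Before the fix: 'acceptable' is not a forceable state, so a client that has
# already verified the staging and calls accept with force is rejected.
FORCEABLE_STATES_BEFORE = %w[building failed].freeze
# After the fix: 'acceptable' is allowed to be force-accepted as well.
FORCEABLE_STATES_AFTER  = %w[building failed acceptable].freeze

class NotForceable < StandardError; end

Staging = Struct.new(:name, :state)

# Returns :accepted or raises NotForceable. Without force, only an
# 'acceptable' staging may be accepted; with force, the current state must be
# in the forceable list.
def accept!(staging, force: false, forceable: FORCEABLE_STATES_AFTER)
  if force
    raise NotForceable, "#{staging.name} is #{staging.state}" unless forceable.include?(staging.state)
  elsif staging.state != 'acceptable'
    raise NotForceable, "#{staging.name} is #{staging.state}, not acceptable"
  end
  staging.state = 'accepted'
  :accepted
end

# Models the scheduler side effect coolo describes: once one staging lands in
# Factory, the other stagings linking to it are re-checked and flip to 'building'.
def scheduler_recheck(others)
  others.each { |s| s.state = 'building' if s.state == 'acceptable' }
end

# Accepts several stagings in sequence, as the release tools do. Returns one
# outcome per staging: :accepted, or the error class when the guard rejects it.
def accept_all(stagings, force:, forceable:)
  stagings.each_with_index.map do |s, i|
    result = begin
      accept!(s, force: force, forceable: forceable)
    rescue NotForceable => e
      e.class
    end
    scheduler_recheck(stagings[(i + 1)..]) if result == :accepted
    result
  end
end
```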

That's already monkey patched on OBS (https://github.com/openSUSE/open-build-service/pull/13004)

DimStar77 avatar Aug 29 '22 11:08 DimStar77