Re: [PATCH v2 2/2] automation: introduce a dom0less test run on Xilinx hardware

[Stefano Stabellini <sstabellini@xxxxxxxxxx>]

On Mon, 6 Mar 2023, Andrew Cooper wrote:
> On 03/03/2023 11:57 pm, Stefano Stabellini wrote:
> > +  only:
> > +    variables:
> > +      - $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true"
> 
> We don't want to protect every branch of a tree that only a select
> number of people can push to,

Actually this is useful, more on this below


> nor (for this, or others configured with
> the runner), want to impose branching conventions on them.
> 
> In all anticipated cases, those able to push would also be able to
> reconfigure the protected-ness of branches, so this doesn't gain us any
> security I don't think, but it certainly puts more hoops in the way to
> be jumped through.

It is true that it adds a small inconvenience to the user, but I think
the benefits outweigh the inconvenience at the moment (that could change
though.)

With this, I can register the gitlab runner with a specific gitlab
project (for instance
https://gitlab.com/xen-project/people/sstabellini/xen) then I can mark
all branches as "protected" and select very specific access permissions,
e.g. I can give individual access to Julien, Bertrand, Michal, anyone,
to specific branches, which is great to allow them to run individual
pre-commit tests permanently or temporarily.

I couldn't find another way to do it at the moment, as non-protected
branches don't come with detailed access permissions. But it is possible
that as we setup a new sub-group under https://gitlab.com/xen-project
for people with access to the runner, then we might be able to remove
this restriction because it becomes unnecessary. We can remove the
protected check at that point.