Re: [PATCH v2 2/2] automation: introduce a dom0less test run on Xilinx hardware
On Mon, Mar 06, 2023 at 03:02:51PM -0800, Stefano Stabellini wrote:
> On Mon, 6 Mar 2023, Andrew Cooper wrote:
> > On 03/03/2023 11:57 pm, Stefano Stabellini wrote:
> > > + only:
> > > + variables:
> > > + - $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true"
> >
> > We don't want to protect every branch of a tree that only a select
> > number of people can push to,
>
> Actually this is useful, more on this below
>
> > nor (for this, or others configured with
> > the runner), want to impose branching conventions on them.
> >
> > In all anticipated cases, those able to push would also be able to
> > reconfigure the protected-ness of branches, so this doesn't gain us any
> > security I don't think, but it certainly puts more hoops in the way to
> > be jumped through.
>
> It is true that it adds a small inconvenience to the user, but I think
> the benefits outweigh the inconvenience at the moment (that could change
> though.)
>
> With this, I can register the gitlab runner with a specific gitlab
> project (for instance
> https://gitlab.com/xen-project/people/sstabellini/xen) then I can mark
> all branches as "protected" and select very specific access permissions,
> e.g. I can give individual access to Julien, Bertrand, Michal, anyone,
> to specific branches, which is great to allow them to run individual
> pre-commit tests permanently or temporarily.
>
> I couldn't find another way to do it at the moment, as non-protected
> branches don't come with detailed access permissions. But it is possible
> that as we set up a new sub-group under https://gitlab.com/xen-project
> for people with access to the runner, then we might be able to remove
> this restriction because it becomes unnecessary. We can remove the
> protected check at that point.

You can configure the runner to run only jobs from protected branches.
This way it actually prevents running jobs from non-protected branches.
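Review bot: the `only: variables:` gate on `$XILINX_JOBS` and `$CI_COMMIT_REF_PROTECTED` in this hunk is evaluated from the .gitlab-ci.yml of the ref being built, so anyone who can push to a non-protected branch can drop the condition and still dispatch jobs to the runner; keep the condition as a convenience if you like, but enforce the protected-branch restriction in the runner's own configuration (runner set to run only jobs from protected branches), as the reply suggests, so the hardware runner does not depend on the pipeline definition for access control.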
Just a condition in .gitlab-ci.yml can be simply removed by anybody who
wants to abuse your runner (and has push access to a non-protected branch,
which may or may not include all of patchew).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Attachment: signature.asc