Xen project Mailing List

Re: [PATCH v2 2/2] automation: introduce a dom0less test run on Xilinx hardware

To: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

From: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Tue, 7 Mar 2023 12:21:22 -0800 (PST)

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, cardoe@xxxxxxxxxx, michal.orzel@xxxxxxx, Stefano Stabellini <stefano.stabellini@xxxxxxx>

Delivery-date: Tue, 07 Mar 2023 20:21:28 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, 7 Mar 2023, Marek Marczykowski-Górecki wrote: > On Mon, Mar 06, 2023 at 03:02:51PM -0800, Stefano Stabellini wrote: > > On Mon, 6 Mar 2023, Andrew Cooper wrote: > > > On 03/03/2023 11:57 pm, Stefano Stabellini wrote: > > > > + only: > > > > + variables: > > > > + - $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true" > > > > > > We don't want to protect every branch of a tree that only a select > > > number of people can push to, > > > > Actually this is useful, more on this below > > > > > > > nor (for this, or others configured with > > > the runner), want to impose branching conventions on them. > > > > > > In all anticipated cases, those able to push would also be able to > > > reconfigure the protected-ness of branches, so this doesn't gain us any > > > security I don't think, but it certainly puts more hoops in the way to > > > be jumped through. > > > > It is true that it adds a small inconvenience to the user, but I think > > the benefits outweigh the inconvenience at the moment (that could change > > though.) > > > > With this, I can register the gitlab runner with a specific gitlab > > project (for instance > > https://gitlab.com/xen-project/people/sstabellini/xen) then I can mark > > all branches as "protected" and select very specific access permissions, > > e.g. I can give individual access to Julien, Bertrand, Michal, anyone, > > to specific branches, which is great to allow them to run individual > > pre-commit tests permanently or temporarily. > > > > I couldn't find another way to do it at the moment, as non-protected > > branches don't come with detailed access permissions. But it is possible > > that as we setup a new sub-group under https://gitlab.com/xen-project > > for people with access to the runner, then we might be able to remove > > this restriction because it becomes unnecessary. We can remove the > > protected check at that point. > > You can configure runner to run only jobs from protected branches. This > way it actually prevent running jobs from non-protected branches. Just a > condition in .gitlab-ci.yml can be simply removed by anybody who wants > to abuse your runner (and have push access to non-protected branch - > which may or may not include all of patchew). Yes, I did configure the runner only to execute protected jobs. The $CI_COMMIT_REF_PROTECTED check in automation/gitlab-ci/test.yaml is needed so that the xilinx job won't be created on pipelines for non-protected branches where the runner won't run, hence the job has no chance of completing successfully. If I don't add the $CI_COMMIT_REF_PROTECTED check, the job will be created in the pipeline but it will remain stuck as "paused" waiting for the runner to become available (but the runner never will.)

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.