
Re: [PATCH 1/3] CI: Remove CI_COMMIT_REF_PROTECTED requirement for HW jobs



On Wed, May 29, 2024 at 03:19:43PM +0100, Andrew Cooper wrote:
> This restriction doesn't provide any security because anyone with suitable
> permissions on the HW runners can bypass it with this local patch.
> 
> Requiring branches to be protected hampers usability of transient testing
> branches (specifically, can't delete branches except via the Gitlab UI).
>
> Drop the requirement.
> 
> Fixes: 746774cd1786 ("automation: introduce a dom0less test run on Xilinx 
> hardware")
> Fixes: 0ab316e7e15f ("automation: add a smoke and suspend test on an Alder 
> Lake system")
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Runners used to be set to run only on protected branches. I think it
isn't the case anymore from what I see, but it needs checking (I don't
see specific settings in all the projects). If it were still the case,
removing variable check would result in jobs forever pending.

Other than that, I'm okay with this change, since the hw runners are
added only to select projects. You can interpret this as Acked-by, if
you verify if indeed runners are not limited to protected branches only.

I will need to adjust setting of my project, to set "QUBES_JOBS" only
to some branches - I used to use branch protection rules as a proxy to
selecting on which branch to run hw tests...

> ---
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
> CC: Michal Orzel <michal.orzel@xxxxxxx>
> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> CC: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
> 
> Fixes because this wants backporting, but it also needs acks from both Marek
> and Stefano as the owners of the hardware in question.
> ---
>  automation/gitlab-ci/test.yaml | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
> index ad249fa0a5d9..efd3ad46f08e 100644
> --- a/automation/gitlab-ci/test.yaml
> +++ b/automation/gitlab-ci/test.yaml
> @@ -92,7 +92,7 @@
>      when: always
>    only:
>      variables:
> -      - $XILINX_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true"
> +      - $XILINX_JOBS == "true"
>    tags:
>      - xilinx
>  
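Review bot: In the `only: variables:` rule for the `xilinx`-tagged job, `$XILINX_JOBS == "true"` is now the only gate, so any ref in a project that sets that variable gets scheduled on the hardware runner. If the runner itself is still registered as protected-only, jobs from unprotected branches would be created and then stay pending, as the reply points out. Confirm the runner setting before merging, and consider a short comment above the rule saying that access is controlled by which projects the runner is attached to rather than by branch protection.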
> @@ -112,7 +112,7 @@
>      when: always
>    only:
>      variables:
> -      - $QUBES_JOBS == "true" && $CI_COMMIT_REF_PROTECTED == "true"
> +      - $QUBES_JOBS == "true"
>    tags:
>      - qubes-hw2
>  
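Review bot: The `qubes-hw2` rule loses its only per-branch restriction here: with `- $QUBES_JOBS == "true"` alone, a project that sets `QUBES_JOBS` project-wide runs the hardware tests on every branch. The commit message should say that projects which relied on branch protection to choose which branches get hardware tests now need to scope the variable to those branches themselves, since that behaviour change is not visible from the diff.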
> -- 
> 2.30.2
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
