
Re: [PATCH 1/3] CI: Remove CI_COMMIT_REF_PROTECTED requirement for HW jobs



On Thu, 30 May 2024, Marek Marczykowski-Górecki wrote:
> On Wed, May 29, 2024 at 03:19:43PM +0100, Andrew Cooper wrote:
> > This restriction doesn't provide any security because anyone with suitable
> > permissions on the HW runners can bypass it with this local patch.
> > 
> > Requiring branches to be protected hampers usability of transient testing
> > branches (specifically, can't delete branches except via the Gitlab UI).
> >
> > Drop the requirement.
> > 
> > Fixes: 746774cd1786 ("automation: introduce a dom0less test run on Xilinx hardware")
> > Fixes: 0ab316e7e15f ("automation: add a smoke and suspend test on an Alder Lake system")
> > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> 
> Runners used to be set to run only on protected branches. I think it
> isn't the case anymore from what I see, but it needs checking (I don't
> see specific settings in all the projects). If it were still the case,
> removing variable check would result in jobs forever pending.

Andrew, thank you so much for pointing this out.

I think the idea was that we can specify the individual users with
access to protected branches. We cannot add restrictions for unprotected
branches. So if we set the gitlab runner to only run protected jobs,
then the $CI_COMMIT_REF_PROTECTED check makes sense. Not for security,
but to prevent the jobs from getting stuck waiting for a runner that
will never arrive.

However, like Marek said, now the gitlab runners don't have the
"Protected" check set, so it is all useless :-(

I would prefer to set "Protected" in the gitlab runners settings so that
it becomes easier to specify users that can and cannot trigger the jobs.

Then, we'll need the $CI_COMMIT_REF_PROTECTED check, not for security,
but to avoid pipelines getting stuck for unprotected branches.

It is really difficult to restrict users from triggering jobs in other
ways because they are all automatically added to all subprojects.


Would you guys be OK if I set "Protected" in the Xilinx and Qubes gitlab
runners as soon as possible?
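As an added illustration (not part of the thread above, and not Xen's own .gitlab-ci.yml), this is the shape of the check the reply is arguing to keep: a hardware job that is only created when the ref is protected, so that on an unprotected branch it never sits pending for a runner that only accepts protected refs. The job name, tag and script are assumptions.

```yaml
# Added example, not Xen's own CI config. Names below are assumptions.
xilinx-hw-smoke-test:
  stage: test
  tags:
    - xilinx-hw          # assumed tag of a runner set to "Protected" in GitLab
  rules:
    # GitLab sets CI_COMMIT_REF_PROTECTED to "true" for protected branches/tags.
    # If the job were created for an unprotected ref, a protected-only runner
    # would never pick it up and the pipeline would stay pending forever.
    - if: $CI_COMMIT_REF_PROTECTED == "true"
    - when: never        # otherwise do not create the job at all
  script:
    - ./run-hw-smoke.sh  # assumed test script
```

Note that, as the patch description and the reply both say, this rule is not an access control: whoever can run jobs on the runner can remove it. The restriction that actually decides who can trigger the job is the "Protected" setting on the runner plus the list of users allowed to push to protected branches; the rule only keeps the pipeline from hanging on refs that setting excludes.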
