[Tooling] Use a trusted CI agent for pipelines that require push access #21028
Conversation
|
 |
App Name |  WordPress |
| Flavor | Jalapeno | |
| Build Type | Debug | |
| Version | pr21028-59a7598 | |
| Commit | 59a7598 | |
| Direct Download | wordpress-prototype-build-pr21028-59a7598.apk |
|
 |
App Name |  Jetpack |
| Flavor | Jalapeno | |
| Build Type | Debug | |
| Version | pr21028-59a7598 | |
| Commit | 59a7598 | |
| Direct Download | jetpack-prototype-build-pr21028-59a7598.apk |
iangmaia
force-pushed
the
iangmaia/trusted-agent-for-push-access
branch
from
cf1c232
to
2597b0d
Compare
| @@ -20,7 +14,7 @@ steps: | |||
| - label: "Gradle Wrapper Validation" | |||
| command: | | |||
| validate_gradle_wrapper | |||
| plugins: *common_plugins | |||
| plugins: [$CI_TOOLKIT] | |||
There was a problem hiding this comment.
Nice tidy up.
Have you considered:
| plugins: [$CI_TOOLKIT] | |
| plugins: $CI_TOOLKIT |
I never tried it but I assume the Buildkite parser would be smart enough to allow a scalar value here and convert it to a sequence internally.
However, maybe we're better off leaving the [ ] so the diff when adding a new plugin will be smaller 🤷♂️
There was a problem hiding this comment.
While I think that Buildkite would allow a single value in an attribute expecting an array (and would wrap it in an array automatically for us) and thus allow such a syntax… personally I prefer to be explicit in it being an array and thus keep the […] syntax.
| .buildkite/commands/checkout-release-branch.sh | ||
|
|
||
| install_gems | ||
|
|
||
| bundle exec fastlane complete_code_freeze skip_confirm:true | ||
| agents: | ||
| queue: "tumblr-metal" |
There was a problem hiding this comment.
Maybe this has been discussed elsewhere, in which case apologies for the redundancy, but it would be nice for this to eventually be an agent that doesn't have Tumblr in the name 😄
There was a problem hiding this comment.
Yep, whenever I type tumblr-metal I think the same. This is inside Tumblr's DCA, and that's the reason.
But given it is being used for all sorts of things non-Tumblr related, we could name the queue a bit differently.
| git remote set-url origin git@github.com:wordpress-mobile/WordPress-Android.git | ||
| echo '--- :robot_face: Use bot for git operations' | ||
| # shellcheck disable=SC1091 | ||
| source use-bot-for-git |
There was a problem hiding this comment.
Have you considered removing the script and inlining the source use-bot-for-git call in the pipeline command node / script called by the command node?
As far as I can see, the only additional operation in this script is the echo which we could either move in the command too, or add in the use-bot-for-git implementation.
.buildkite/code-freeze.yml
Outdated
|
|
||
| steps: | ||
| - label: "Code Freeze" | ||
| plugins: [$CI_TOOLKIT] | ||
| command: | | ||
| .buildkite/commands/configure-git-for-release-management.sh | ||
| source .buildkite/commands/configure-git-for-release-management.sh |
There was a problem hiding this comment.
I agree with @mokagio that we might as well remove configure-git-for-release-management.sh at that point and call source use-bot-for-git directly from there.
|
Description
This PR uses the trusted agent helper script
use-bot-for-gitto use the GitHub bot for performing git push operations on CI.Testing Steps
Since there's currently no active release in progress, I've already created a read-only deploy key and used it in our setup.
This PR will be fully tested during the next release cycle of the project, when the affected pipelines should be able to finish successfully.
Follow-up
Once this PR is merged, I will revoke the now unused deploy key.