-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Tooling] Use a trusted CI agent for pipelines that require push access #21028
Conversation
📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.
|
📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.
|
cf1c232
to
2597b0d
Compare
@@ -20,7 +14,7 @@ steps: | |||
- label: "Gradle Wrapper Validation" | |||
command: | | |||
validate_gradle_wrapper | |||
plugins: *common_plugins | |||
plugins: [$CI_TOOLKIT] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice tidy up.
Have you considered:
plugins: [$CI_TOOLKIT] | |
plugins: $CI_TOOLKIT |
I never tried it but I assume the Buildkite parser would be smart enough to allow a scalar value here and convert it to a sequence internally.
However, maybe we're better off leaving the [ ]
so the diff when adding a new plugin will be smaller 🤷♂️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While I think that Buildkite would allow a single value in an attribute expecting an array (and would wrap it in an array automatically for us) and thus allow such a syntax… personally I prefer to be explicit in it being an array and thus keep the […]
syntax.
.buildkite/commands/checkout-release-branch.sh | ||
|
||
install_gems | ||
|
||
bundle exec fastlane complete_code_freeze skip_confirm:true | ||
agents: | ||
queue: "tumblr-metal" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this has been discussed elsewhere, in which case apologies for the redundancy, but it would be nice for this to eventually be an agent that doesn't have Tumblr in the name 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, whenever I type tumblr-metal
I think the same. This is inside Tumblr's DCA, and that's the reason.
But given it is being used for all sorts of things non-Tumblr related, we could name the queue a bit differently.
git remote set-url origin git@github.com:wordpress-mobile/WordPress-Android.git | ||
echo '--- :robot_face: Use bot for git operations' | ||
# shellcheck disable=SC1091 | ||
source use-bot-for-git |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you considered removing the script and inlining the source use-bot-for-git
call in the pipeline command
node / script called by the command
node?
As far as I can see, the only additional operation in this script is the echo
which we could either move in the command
too, or add in the use-bot-for-git
implementation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I confess I haven't followed the development of the trusted agent as closely as I should have, but as far as changing the agents and updating the script, everything looks good to me here 👍
.buildkite/code-freeze.yml
Outdated
|
||
steps: | ||
- label: "Code Freeze" | ||
plugins: [$CI_TOOLKIT] | ||
command: | | ||
.buildkite/commands/configure-git-for-release-management.sh | ||
source .buildkite/commands/configure-git-for-release-management.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with @mokagio that we might as well remove configure-git-for-release-management.sh
at that point and call source use-bot-for-git
directly from there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quality Gate passedIssues Measures |
Description
This PR uses the trusted agent helper script
use-bot-for-git
to use the GitHub bot for performing git push operations on CI.Testing Steps
Since there's currently no active release in progress, I've already created a read-only deploy key and used it in our setup.
This PR will be fully tested during the next release cycle of the project, when the affected pipelines should be able to finish successfully.
Follow-up
Once this PR is merged, I will revoke the now unused deploy key.