Let only the init stage run so that we have a link on PRs to the CI and
can trigger it manually if desired. PR template updated with this info.
Also use yaml anchors for rules to reduce duplication.
By default, the API will fetch only 30 open PRs. This is enough currently
as we have 35 open ones. Bump the limit to the maximum. 100 should be enough
for some time. 🤞
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
With the quoting, we are passing an empty variable instead of no argument.
Also, if the skip is required, we are passing "-o ci.skip" instead of
"-o" "ci.skip".
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
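
The quoting problem this commit message describes, shown with a stand-in command so the argument boundaries are visible. This is an added example, not code from the commit or the project: `argv_repr`, `SKIP_OPT` and the `call_*` helpers are hypothetical names, and the `set --` form is one robust way to build the argument list, not necessarily the fix the commit applied.

```shell
#!/bin/sh
# Constructed example. argv_repr stands in for the real command and reports
# how many arguments it received and where each one begins and ends.
argv_repr() {
    out="$#"
    for arg in "$@"; do
        out="$out [$arg]"
    done
    printf '%s\n' "$out"
}

# Buggy form: a quoted expansion is always exactly one argument, so an empty
# variable becomes an empty argument and "-o ci.skip" stays a single word.
call_quoted() {
    SKIP_OPT="$1"          # hypothetical variable holding the optional flag
    argv_repr "$SKIP_OPT"
}

# Unquoted form: word splitting gives zero arguments when the variable is
# empty and two for "-o ci.skip", but it would also split and glob any
# value that happens to contain spaces or wildcard characters.
call_unquoted() {
    SKIP_OPT="$1"
    # shellcheck disable=SC2086
    argv_repr $SKIP_OPT
}

# Robust POSIX form: build the argument list in the positional parameters
# and expand it with "$@", which preserves every argument boundary.
call_list() {
    skip="$1"
    set --
    if [ "$skip" = "true" ]; then
        set -- "$@" -o ci.skip
    fi
    argv_repr "$@"
}

call_quoted ""              # one empty argument
call_quoted "-o ci.skip"    # one argument containing a space
call_unquoted "-o ci.skip"  # two arguments
call_list true              # two arguments, no reliance on word splitting
```
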
Save resources and needless CI runs by skipping the trigger-gitlab job if a PR is 'draft' (can be set in the pull request page at any time) or by setting a label "WIP".
Aside from saving resources, WIP PRs that don't trigger CI are a good message to contributors to keep testing it locally and to only get the project resources after serious testing has been made on their side.
We need a privileged / admin user doing the post-release version bump as
this is a direct commit to main (i.e. without a PR) so switch to using
schutzbot with a scoped personal access token (only public_repo).
This commit changes our release process from the model of having a
release commit (and pull request) which also updated the NEWS.md file
and bumped the versions in the osbuild.spec and setup.py files to simply
pushing a tag.
After the tag (containing the release notes) is pushed, a GitHub
composite action is triggered that creates a GitHub release with the
contents of the git release tag. Furthermore the bumping of the version
number now always has to happen directly after a release to avoid having
to push a(n untested) commit to main for the release and this is also
handled by the GitHub composite action.
Finally packit pushes directly to dist-git now on pushing the release
tag, so no pull-request needs to be reviewed and merged anymore.
Consequently, we also drop the docs/news folder and its content and
adjust the PR template.
Dependabot pushes branches directly to the upstream repository. This causes
double-triggers of gitlab CI. Prevent it by running gitlab CI only for
the main branch.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
dependabot is an independent security scanning tool which mostly
focuses on evaluating the dependency chain. Having the dependabot.yml
file on the main branch would enable the bot to test the dependencies
daily.
The oldest distributions that we now support are RHEL 8.4 and Fedora 33.
They both support go 1.15, let's bump.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Create a template to help us with the bug reporting process. This template includes a request for information we usually ask from the reporters. This way, they can include the information upfront.
Separate the loading of repo definitions from JSON file from
`LoadRepositories()` to a standalone function
`loadRepositoriesFromFile()`, to make it easy to reuse it in the future.
Add unit tests for `LoadRepositories()` function.
Exclude github.com/osbuild/osbuild-composer/internal/rpmmd/test package
from test coverage. A package with just tests and no other code makes
`go test` fail. This should be fixed in go 1.17.
See https://github.com/golang/go/issues/27333
Signed-off-by: Tomas Hozza <thozza@redhat.com>
The template mentioned only "adequate" documentation which can be
interpreted in many ways. Mention the news/unreleased directory and the
guides explicitly and include links for convenience.
By default, the checkout action checks out the merge commit. This is different
from what Schutzbot currently does - it runs the test on the PR HEAD commit.
Let's change the GitHub workflows behaviour to the same one as Schutzi
uses.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
When unit tests succeed, no one cares about them.
When unit tests fail, it's hard to find which one failed. This commit removes
the verbose flag, so it's easy to spot what failed.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
We can now send webhook data to an SQS queue at AWS without signing the
request with credentials. This allows us to trigger Schutzbot from
forks and from branches on the main repository.
Signed-off-by: Major Hayden <major@redhat.com>
The oldest distros we support are Fedora 32 and RHEL 8.3. As both have
Go 1.14, we're safe to upgrade.
Also, I had to change prepare-source.sh because go fmt now refuses to run on
a project which has issues in go.mod, go.sum or modules.txt. I think this
should be a harmless change.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
The majority of pull requests do not fix a downstream issue. In
practice, people usually delete the whole suggested content.
Move it into a comment, so that this step is unnecessary.
As the team obsessed with immutable test dependencies, how could we use
the ubuntu-latest VM which can change at any time?
Speaking of changes to ubuntu-latest... It will soon be updated from ubuntu
18.04 to 20.04 [1].
This commit switches our testing pipeline to use ubuntu-20.04 to:
1) make our test dependencies immutable (or at least slightly more immutable)
2) make us prepared for the ubuntu-latest changes.
[1]: https://github.com/actions/virtual-environments/issues/1816
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
rpmlint errors are usually not a big deal but it's always nice when we can
catch them early. This commit introduces a new GitHub workflow that builds
an SRPM and runs rpmlint against it.
The Koji test in GitHub actions was always a bit of a quick and dirty solution.
I think it's a much nicer solution to run it on Schutzbot.
Therefore, this commit moves the koji_test.go to a new osbuild-koji-tests
executable. This new test isn't run in the base test suite as one would
anticipate but inside the koji.sh test. This is needed because
osbuild-koji-tests requires a running koji instance. This might change
in the future but I think it works for now.
Also install it as part of the tests subpackage. This is a helper tool, not
golang code, so should not live in `internal`. We need access to this
from the integration tests, so install it onto the tests system.
Signed-off-by: Tom Gundersen <teg@jklm.no>
This job uses shellcheck to analyze all our bash scripts except for
those in the /vendor directory.
It also allows sourcing /etc/os-release without checking it, because
it doesn't make any sense to check that the CI machine has a correct
/etc/os-release file. Also allow useless cats because I don't think they
cause any harm.
Rather than using the arbitrary port 8701, use the standard 443. The
worker API will remain on a separate port, and as long as the two APIs
are exposed by the same binary that will have to remain separate at
8700.
Move the test instance of koji on localhost from 443 to 4343, to avoid a
conflict.
In a follow-up we should also give this API a prefix, so the cloud API
can share the same port with it.
Signed-off-by: Tom Gundersen <teg@jklm.no>
Contrary to our assumption, we cannot initialize the build with the
link to the task. We can only update the link once the build has
completed.
This seems like a bug in koji, but we keep it like this for now.
Prior to this commit we only had support for username/password authentication
in the koji integration. This wasn't particularly useful because this
auth type isn't used in any production instance.
This commit adds support for GSSAPI/Kerberos authentication.
The implementation uses the kerby library, which is a very lightweight wrapper
around the C gssapi library.
Also, the koji unit test and the run-koji-container script were modified
so the GSSAPI auth is fully tested.