Re: [vdsm] Jenkins and Gerrit.

On 08/08/2012 03:07 PM, Dan Kenigsberg wrote: >On Wed, Aug 08, 2012 at 09:58:17AM -0400, Robert Middleswarth wrote: >>On 08/08/2012 09:50 AM, Dan Kenigsberg wrote: >>>On Wed, Aug 08, 2012 at 02:55:17PM +0200, Ewoud Kohl van Wijngaarden wrote: >>>>On Wed, Aug 08, 2012 at 03:48:13PM +0300, Dan Kenigsberg wrote: >>>>>On Wed, Aug 08, 2012 at 07:47:02AM -0400, Robert Middleswarth wrote: >>>>>>I have setup patch review on Jenkins.info for newly submitted >>>>>>patches and it seems to be working pretty well over all but last >>>>>>night well tweaking the process I broken it for a few min but that >>>>>>was long enough that about 50 jobs were marked -1 I will be fixing >>>>>>that today by rerunning the jobs. I am sorry if one of your patches >>>>>>was dinged and it should be fixed by this time tomorrow. >>>>>Thanks, Robert, for working on this. It is highly important for me to >>>>>know that something is going to break the build before taking it in. >>>>> >>>>>However, would it be possible to have a repository where we can review >>>>>the code of the robot? >>>>It's Gerrit Trigger[1] and the code is on github[2]. >>>> >>>>>I think it is important for the robot to be less noisy, and >>>>>particularly, never give V+1. This task is reserved to humans that >>>>>actually know what the patch should be doing. >>>>The V+1 has been fixed. Will give 0 when they pass, -1 when they fail. >>>> >>>>>Also, I am not at all sure that the robot is limitting itself to be >>>>>running code of trustworthy authors. >>>>Eyal added a feature request for this[3]. This was the result of a >>>>discussion on the infra mailing list[4]. >>>As much as I like (and need) this per-commit verification, I think we >>>should not deploy it before the feature is implemented. >>> >>>BTW, Federico suggested to initiate the test only on request (when oVirt >>>Jenkins CI Server is added as reviewer). This would allow a more silent >>>start for CI. >>> >>>Thanks, >>>Dan. >>I already wrote a little bash code to do this outside the plug-in. >>It will be in place by the end of the day. >This kind of script is exactly the thing I'd like to be peer-reviewed >before applied en mass to gerrit changes. Particularly due to the >security implications. > >Regards, >Dan. If you are talking about the jenkins app that updates Gerrit that is has been in use on ovirt-node-devel for some time. As for the whitelist script that is like 4 lines. git log --pretty="%ce" -n 1 > $WORKSPACE/current_author.txt

grep -f $WORKSPACE/current_author.txt $WORKSPACE/jenkins-whitelist.txt RETVAL=$? [ $RETVAL -ne 0 ] && curl -u jenkins_bot:xxxxxx $BUILD_URL/stop; It is simple and the files are generated outside of the repo so it should be safe.