Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

koji_hub: add fwupd-efi to secure boot channel.

Browse source 
See https://pagure.io/fedora-infrastructure/issue/9912

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2021-05-17 10:08:53 -07:00
parent 3a26611841
commit 421fbeff12
1 changed files with 8 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

15
roles/koji_hub/templates/hub.conf.j2
View file

@ -93,12 +93,12 @@ Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo sidetag
[policy] [policy]
tag = tag =
user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign fwupd :: allow user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign fwupd :: allow user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign fwupd fwupd-efi:: allow
user bodhi && tag *-override && package kernel shim grub2 pesign fwupd :: allow user bodhi && tag *-override && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd :: allow has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd :: allow has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
has_perm secure-boot && package kernel shim grub2 pesign fwupd :: allow has_perm secure-boot && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
# CoreOS continuous builds, https://pagure.io/releng/issue/8165 # CoreOS continuous builds, https://pagure.io/releng/issue/8165
operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow
operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow
@ -110,7 +110,7 @@ tag =
operation tag && tag eln* && has_perm eln :: allow operation tag && tag eln* && has_perm eln :: allow
operation untag && fromtag eln* && has_perm eln :: allow operation untag && fromtag eln* && has_perm eln :: allow
# deny tagging secureboot packages that are not related to coreos-continuous and eln # deny tagging secureboot packages that are not related to coreos-continuous and eln
package kernel shim grub2 pesign fwupd :: deny package kernel shim grub2 pesign fwupd fwupd-efi :: deny
# Allow people to tag stuff into infra-candidate if they're infra # Allow people to tag stuff into infra-candidate if they're infra
tag *-infra-candidate && has_perm infra :: allow tag *-infra-candidate && has_perm infra :: allow
tag *-infra-candidate :: deny tag *-infra-candidate :: deny
@ -138,6 +138,7 @@ channel =
source */pesign* && has_perm secure-boot :: use secure-boot source */pesign* && has_perm secure-boot :: use secure-boot
source */fwupdate* && has_perm secure-boot :: use secure-boot source */fwupdate* && has_perm secure-boot :: use secure-boot
source */fwupd* && has_perm secure-boot :: use secure-boot source */fwupd* && has_perm secure-boot :: use secure-boot
source */fwupd-efi* && has_perm secure-boot :: use secure-boot
# set this package to use the 'heavybuilder' channel. Note that this is NOT good for most anything. # set this package to use the 'heavybuilder' channel. Note that this is NOT good for most anything.
# It just happens to be for this particular package. Please check before adding anything here, you could # It just happens to be for this particular package. Please check before adding anything here, you could