Move SCM policies to the koji hub

Moving all SCM policies previously defined in each builder to centralized hub configuration. From now on, any SCM policy change just needs updating the hub config and reloading it. Builders need nor change nor reload. Related: https://pagure.io/fedora-infrastructure/issue/9728 Signed-off-by: Tomas Kopecek <tkopecek@redhat.com>
2023-04-06 11:20:14 +02:00 · 2023-04-06 11:20:14 +02:00 · 8d99c12ea4
commit 8d99c12ea4
parent 0f4026b2a1
2 changed files with 44 additions and 59 deletions
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
@ -76,53 +76,9 @@ server={{koji_server_url}}
 pkgurl=http://kojipkgs.stg.fedoraproject.org/packages
 {% endif %}

-{% if env == 'staging' %}
-; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
-allowed_scms=
-    !src.stg.fedoraproject.org:/pagure/fork/*
-    !src.stg.fedoraproject.org:/pagure/forks/*
-    !pkgs.stg.fedoraproject.org:/pagure/fork/*
-    !pkgs.stg.fedoraproject.org:/pagure/forks/*
-    !src.stg.fedoraproject.org:/fork/*
-    !src.stg.fedoraproject.org:/forks/*
-    !src.stg.fedoraproject.org:/cgit/*
-    src.stg.fedoraproject.org:/container/*:false
-    src.stg.fedoraproject.org:/flatpaks/*:false
-    src.stg.fedoraproject.org:/git/rpms/*:false:fedpkg,sources
-    !src.stg.fedoraproject.org:/git/*
-    !pkgs.stg.fedoraproject.org:/fork/*
-    !pkgs.stg.fedoraproject.org:/forks/*
-    !pkgs.stg.fedoraproject.org:/cgit/*
-    !pkgs.stg.fedoraproject.org:/git/*
-    pkgs.stg.fedoraproject.org:/container/*:false
-    pkgs.stg.fedoraproject.org:/flatpaks/*:false
-    pkgs.stg.fedoraproject.org:/rpms/*:false:fedpkg,sources
-    pkgs.stg.fedoraproject.org:/*:false:fedpkg,sources
-    src.stg.fedoraproject.org:/*:false:fedpkg,sources
-    pkgs.fedoraproject.org:/rpms/*:false:fedpkg,sources
-    pkgs.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fedora-kickstarts.git:false
-    src.fedoraproject.org:/*:false:fedpkg,sources
-{% else %}
-; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
-allowed_scms=
-    !src.fedoraproject.org:/pagure/fork/*
-    !src.fedoraproject.org:/pagure/forks/*
-    !pkgs.fedoraproject.org:/pagure/fork/*
-    !pkgs.fedoraproject.org:/pagure/forks/*
-    !src.fedoraproject.org:/fork/*
-    !src.fedoraproject.org:/forks/*
-    !src.fedoraproject.org:/cgit/*
-    !src.fedoraproject.org:/git/*
-    !pkgs.fedoraproject.org:/fork/*
-    !pkgs.fedoraproject.org:/forks/*
-    !pkgs.fedoraproject.org:/cgit/*
-    !pkgs.fedoraproject.org:/git/*
-    pkgs.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fedora-kickstarts.git:false
-    src.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fork/*/fedora-kickstarts.git:false
-{% endif %}
+# everything related to allowed scms is now defined at hub
+allowed_scms_use_config = false
+allowed_scms_use_policy = true

 ; allow tasks to continue to completion if a sibling fails
 ; the parent task will fail but all child tasks will complete
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@ -203,16 +203,45 @@ sidetag =
    all :: deny

 {% if env == "staging" %}
-# Policy for building scratch builds
 build_from_scm =
-    # allow scratch build for anything from anywhere
-    bool scratch :: allow
-    # allow to build from forks
-    match scm_type GIT GIT+SSH && match scm_host src.fedoraproject.org/forks/* :: allow
-{% endif %}
-
-scm =
-      # allow scratch builds from any commits
-      bool scratch :: allow
-      match_all branches * !! deny Commit must be present on some branch
-      all :: allow
+    match scm_host src.stg.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.stg.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.fedoraproject.org && match scm_repository /* :: allow fedpkg sources
+    match scm_host pagure.io && match scm_repository /fedora-kickstarts.git :: allow
+    match scm_host src.fedoraproject.org :: allow fedpkg sources
+    all :: deny
+{% else %}
+build_from_scm =
+    match scm_host src.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pagure.io :: {
+        bool scratch :: allow
+        match scm_repository /fedora-kickstarts.git :: allow
+        match scm_repository /fork/*/fedora-kickstarts.git :: allow
+    }
+    all :: deny
+{%endif}