From 8d99c12ea4d23e1c5a9db613d5f1178da80e4fad Mon Sep 17 00:00:00 2001 From: Tomas Kopecek Date: Thu, 6 Apr 2023 11:20:14 +0200 Subject: [PATCH] Move SCM policies to the koji hub Moving all SCM policies previously defined in each builder to centralized hub configuration. From now on, any SCM policy change just needs updating the hub config and reloading it. Builders need nor change nor reload. Related: https://pagure.io/fedora-infrastructure/issue/9728 Signed-off-by: Tomas Kopecek --- roles/koji_builder/templates/kojid.conf | 50 ++--------------------- roles/koji_hub/templates/hub.conf.j2 | 53 +++++++++++++++++++------ 2 files changed, 44 insertions(+), 59 deletions(-) diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf index a99f6679a0..c8680088b6 100644 --- a/roles/koji_builder/templates/kojid.conf +++ b/roles/koji_builder/templates/kojid.conf @@ -76,53 +76,9 @@ server={{koji_server_url}} pkgurl=http://kojipkgs.stg.fedoraproject.org/packages {% endif %} -{% if env == 'staging' %} -; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes) -allowed_scms= - !src.stg.fedoraproject.org:/pagure/fork/* - !src.stg.fedoraproject.org:/pagure/forks/* - !pkgs.stg.fedoraproject.org:/pagure/fork/* - !pkgs.stg.fedoraproject.org:/pagure/forks/* - !src.stg.fedoraproject.org:/fork/* - !src.stg.fedoraproject.org:/forks/* - !src.stg.fedoraproject.org:/cgit/* - src.stg.fedoraproject.org:/container/*:false - src.stg.fedoraproject.org:/flatpaks/*:false - src.stg.fedoraproject.org:/git/rpms/*:false:fedpkg,sources - !src.stg.fedoraproject.org:/git/* - !pkgs.stg.fedoraproject.org:/fork/* - !pkgs.stg.fedoraproject.org:/forks/* - !pkgs.stg.fedoraproject.org:/cgit/* - !pkgs.stg.fedoraproject.org:/git/* - pkgs.stg.fedoraproject.org:/container/*:false - pkgs.stg.fedoraproject.org:/flatpaks/*:false - pkgs.stg.fedoraproject.org:/rpms/*:false:fedpkg,sources - pkgs.stg.fedoraproject.org:/*:false:fedpkg,sources - src.stg.fedoraproject.org:/*:false:fedpkg,sources - pkgs.fedoraproject.org:/rpms/*:false:fedpkg,sources - pkgs.fedoraproject.org:/*:false:fedpkg,sources - pagure.io:/fedora-kickstarts.git:false - src.fedoraproject.org:/*:false:fedpkg,sources -{% else %} -; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes) -allowed_scms= - !src.fedoraproject.org:/pagure/fork/* - !src.fedoraproject.org:/pagure/forks/* - !pkgs.fedoraproject.org:/pagure/fork/* - !pkgs.fedoraproject.org:/pagure/forks/* - !src.fedoraproject.org:/fork/* - !src.fedoraproject.org:/forks/* - !src.fedoraproject.org:/cgit/* - !src.fedoraproject.org:/git/* - !pkgs.fedoraproject.org:/fork/* - !pkgs.fedoraproject.org:/forks/* - !pkgs.fedoraproject.org:/cgit/* - !pkgs.fedoraproject.org:/git/* - pkgs.fedoraproject.org:/*:false:fedpkg,sources - pagure.io:/fedora-kickstarts.git:false - src.fedoraproject.org:/*:false:fedpkg,sources - pagure.io:/fork/*/fedora-kickstarts.git:false -{% endif %} +# everything related to allowed scms is now defined at hub +allowed_scms_use_config = false +allowed_scms_use_policy = true ; allow tasks to continue to completion if a sibling fails ; the parent task will fail but all child tasks will complete diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2 index bcaf783377..65bcdab1a8 100644 --- a/roles/koji_hub/templates/hub.conf.j2 +++ b/roles/koji_hub/templates/hub.conf.j2 @@ -203,16 +203,45 @@ sidetag = all :: deny {% if env == "staging" %} -# Policy for building scratch builds build_from_scm = - # allow scratch build for anything from anywhere - bool scratch :: allow - # allow to build from forks - match scm_type GIT GIT+SSH && match scm_host src.fedoraproject.org/forks/* :: allow -{% endif %} - -scm = - # allow scratch builds from any commits - bool scratch :: allow - match_all branches * !! deny Commit must be present on some branch - all :: allow + match scm_host src.stg.fedoraproject.org :: { + bool scratch :: fedpkg sources + match scm_repository /rpms/* :: fedpkg sources + match scm_repository /modules/* :: fedpkg sources + match scm_repository /containers/* :: fedpkg sources + match scm_repository /flatpaks/* :: fedpkg sources + } + match scm_host pkgs.stg.fedoraproject.org :: { + bool scratch :: fedpkg sources + match scm_repository /rpms/* :: fedpkg sources + match scm_repository /modules/* :: fedpkg sources + match scm_repository /containers/* :: fedpkg sources + match scm_repository /flatpaks/* :: fedpkg sources + } + match scm_host pkgs.fedoraproject.org && match scm_repository /* :: allow fedpkg sources + match scm_host pagure.io && match scm_repository /fedora-kickstarts.git :: allow + match scm_host src.fedoraproject.org :: allow fedpkg sources + all :: deny +{% else %} +build_from_scm = + match scm_host src.fedoraproject.org :: { + bool scratch :: fedpkg sources + match scm_repository /rpms/* :: fedpkg sources + match scm_repository /modules/* :: fedpkg sources + match scm_repository /containers/* :: fedpkg sources + match scm_repository /flatpaks/* :: fedpkg sources + } + match scm_host pkgs.fedoraproject.org :: { + bool scratch :: fedpkg sources + match scm_repository /rpms/* :: fedpkg sources + match scm_repository /modules/* :: fedpkg sources + match scm_repository /containers/* :: fedpkg sources + match scm_repository /flatpaks/* :: fedpkg sources + } + match scm_host pagure.io :: { + bool scratch :: allow + match scm_repository /fedora-kickstarts.git :: allow + match scm_repository /fork/*/fedora-kickstarts.git :: allow + } + all :: deny +{%endif}