Closed rm3l closed 10 months ago
nickboldt
commented
11 months ago PR generation here:
https://quay.io/repository/janus/operator?tab=tags https://quay.io/repository/janus/operator-bundle?tab=tags https://quay.io/repository/janus/operator-catalog?tab=tags
In the new year we can move these into the /janus-idp/ organization... but I don't have access to that quay org, so I can't push there.
nickboldt
commented
11 months ago nickboldt
commented
11 months ago However I can't start a cluster from the PR build because the images don't match:
Sources:
** ./bundle/manifests/backstage-operator.clusterserviceversion.yaml **
207- - name: RELATED_IMAGE_backstage
208- value: quay.io/janus-idp/backstage-showcase:next
209: image: quay.io/rhdh/backstage-operator:v0.0.1So we need to ensure the CSV is regenerated for each PR and CI build, pointing at the correct PR/SHA.
Fixed with https://github.com/janus-idp/operator/pull/104
Next step: implementing the same thing for commits, not PRs...
nickboldt
commented
11 months ago OK, next builds are now being created for each pull request and for each pushed commit.
nickboldt
commented
11 months ago TODO:
rm3l
commented
10 months ago Currently, the pr-docker-build.yaml Workflow does not pass on fork PRs (for security reasons with secrets), which is an issue for such contributions.
But as discussed, I think it can be possible to make it pass securely without sacrificing convenience. We did something similar in the past on odo using the pull_request_target trigger and GitHub environments to prevent unauthorized runs. See https://github.com/redhat-developer/odo/blob/main/.github/workflows/pr-website.yaml (inspired from this blog post).
nickboldt
commented
10 months ago PRs from personal forks now produce PR builds too: https://github.com/janus-idp/operator/pull/115
HOWEVER a non-approver can also push a PR build: https://github.com/janus-idp/operator/pull/117 ... so that seems like a problem. cc: @rm3l
rm3l
commented
10 months ago PRs from personal forks now produce PR builds too: #115
Great - thanks!
HOWEVER a non-approver can also push a PR build: #117 ... so that seems like a problem. cc: @rm3l
For non-approvers, I noticed that the external GH environment did not have the required reviewers protection rule, which is needed to prevent this issue. I've added it:
Let's check if this solves the issue now..
nickboldt
commented
10 months ago As seen by non-maintainer contributor:
As seen by maintainer:
After approval:
nickboldt
commented
10 months ago So the approval flow works, though it requires 4 clicks to approve.
Remaining TODOs (from 3 weeks ago):
nickboldt
commented
10 months ago verify the correct people have access to administering quay.io/janus-idp (eg., me!): DONE- also added a creators group and added it to the 6 repos, in addition to the owners group
remove unnneded secrets from https://github.com/janus-idp/operator/settings/secrets/actions: DONE
deprecate quay.io/janus images: DONE
move everything from quay.io/janus to quay.io/janus-idp, and switch the secrets used to the default organization level ones - see https://github.com/janus-idp/operator/actions/runs/7478610799/job/20353935373
verify for PR checks too: https://github.com/janus-idp/operator/pull/138 : DONE
set up a good email address for the janus-idp org (not Tom C): DONE
add note about quay.io organization and gravatar to the ACL doc: DONE, see RHIDP-944
This could help with testing the operator.
Publish images to https://quay.io/organization/janus-idp
Like for the
backstage-showcaseimage (see workflow), we could have tags per PR number and per PR-number-commit