paritytech / bench-bot


Commit from a recognizable user #15

Closed joao-paulo-parity closed 3 years ago

joao-paulo-parity commented 3 years ago

From the commits list page in the API: https://api.github.com/repos/paritytech/polkadot/commits?sha=pull/2854/head, an example commit by the benchmark bot is:

  {
    "sha": "38ff27fd87d6b846eada07ccfe0b3961d33e4352",
    "node_id": "MDY6Q29tbWl0MTQ0MTQwMzQyOjM4ZmYyN2ZkODdkNmI4NDZlYWRhMDdjY2ZlMGIzOTYxZDMzZTQzNTI=",
    "commit": {
      "author": {
        "name": "Parity Benchmarking Bot",
        "email": "admin@parity.io",
        "date": "2021-04-10T20:25:07Z"
      },
      "committer": {
        "name": "Parity Benchmarking Bot",
        "email": "admin@parity.io",
        "date": "2021-04-10T20:25:07Z"
      },
      "message": "cargo run --release --features=runtime-benchmarks -- benchmark --chain=westend-dev --steps=50 --repeat=20 --pallet=runtime_common::slots --extrinsic=* --execution=wasm --wasm-execution=compiled --heap-pages=4096 --header=./file_header.txt --output=./runtime/westend/src/weights/runtime_common_slots.rs",
      "tree": {
        "sha": "24511a7091a39c8f88b6555e6a16a8c68a0316ce",
        "url": "https://api.github.com/repos/paritytech/polkadot/git/trees/24511a7091a39c8f88b6555e6a16a8c68a0316ce"
      },
      "url": "https://api.github.com/repos/paritytech/polkadot/git/commits/38ff27fd87d6b846eada07ccfe0b3961d33e4352",
      "comment_count": 0,
      "verification": {
        "verified": false,
        "reason": "unsigned",
        "signature": null,
        "payload": null
      }
    },
    "url": "https://api.github.com/repos/paritytech/polkadot/commits/38ff27fd87d6b846eada07ccfe0b3961d33e4352",
    "html_url": "https://github.com/paritytech/polkadot/commit/38ff27fd87d6b846eada07ccfe0b3961d33e4352",
    "comments_url": "https://api.github.com/repos/paritytech/polkadot/commits/38ff27fd87d6b846eada07ccfe0b3961d33e4352/comments",
    "author": null,
    "committer": null,
    "parents": [
      {
        "sha": "b2b0d7698a5c928e09c55ef4a51c8a00ecde2db6",
        "url": "https://api.github.com/repos/paritytech/polkadot/commits/b2b0d7698a5c928e09c55ef4a51c8a00ecde2db6",
        "html_url": "https://github.com/paritytech/polkadot/commit/b2b0d7698a5c928e09c55ef4a51c8a00ecde2db6"
      }
    ]
  }

Noticeably

    "author": null,
    "committer": null,

The bot needs to commit as a recognizable user. We cannot trust the following

    "commit": {
      "author": {
        "name": "Parity Benchmarking Bot",
        "email": "admin@parity.io",
        "date": "2021-04-10T20:25:07Z"
      },

because anyone can set those values for their own commit.

joao-paulo-parity commented 3 years ago

This blocks the CLA bot and it's not trivial to solve.

There might be bigger security-related concerns either way, so I'll tag this as "blocked" (for unactionable) until we have discussed what to do about bot commits' verification.

joao-paulo-parity commented 3 years ago

After discussion, implementing GPG signatures for the bot, while not the most trustable option, will still be the solution to pursue in the short term. Therefore we'll need to work on this to unblock the CLA signatures.

joao-paulo-parity commented 3 years ago

See https://github.com/paritytech/bench-bot/pull/16#issuecomment-833348194
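The check this issue describes, as an added example (not code from bench-bot or the CLA bot): it classifies an entry from the commits list API by the account GitHub resolved and by `verification.verified`, and ignores the free-form `commit.author` name and email. The login `example-bench-bot` and the second and third sample entries are constructed for illustration; the first sample is trimmed from the commit quoted above.

```javascript
// Hypothetical bot account name (assumption, not taken from the issue).
const EXPECTED_LOGIN = "example-bench-bot";

// Decide whether a commits-list entry can be attributed to expectedLogin.
function assessCommit(entry, expectedLogin) {
  const reasons = [];
  // Top-level author/committer are GitHub account objects; null means
  // GitHub could not map the commit to any account.
  for (const role of ["author", "committer"]) {
    const login = entry[role] ? entry[role].login : null;
    if (login === null) reasons.push(`${role} not linked to a GitHub account`);
    else if (login !== expectedLogin) reasons.push(`${role} is ${login}`);
  }
  // entry.commit.author.name/email are plain git metadata that any
  // committer can set, so they are deliberately not consulted here.
  const v = (entry.commit && entry.commit.verification) || {};
  if (v.verified !== true) {
    reasons.push(`signature not verified (${v.reason || "missing"})`);
  }
  return { sha: entry.sha, trusted: reasons.length === 0, reasons };
}

// Trimmed from the commit quoted in the issue.
const unsignedBotCommit = {
  sha: "38ff27fd87d6b846eada07ccfe0b3961d33e4352",
  commit: {
    author: { name: "Parity Benchmarking Bot", email: "admin@parity.io" },
    verification: { verified: false, reason: "unsigned" },
  },
  author: null,
  committer: null,
};

// Constructed: account resolved, but the commit is still unsigned.
const linkedUnsignedCommit = {
  sha: "1111111111111111111111111111111111111111",
  commit: { verification: { verified: false, reason: "unsigned" } },
  author: { login: EXPECTED_LOGIN },
  committer: { login: EXPECTED_LOGIN },
};

// Constructed: account resolved and signature verified by GitHub.
const signedBotCommit = {
  ...linkedUnsignedCommit,
  sha: "2222222222222222222222222222222222222222",
  commit: { verification: { verified: true, reason: "valid" } },
};
```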