Proposal: knative-automation user #298
Comments
|
In general, I'm supportive of this effort. Curious if @thisisnotapril has any thoughts or concerns here about allowing the bot through the Google CLA :) |
|
Ping @thisisnotapril |
|
I created a group for |
|
@mattmoor can you confirm what all the bot is going to do? It's for workflow automation, correct? Not making commits itself? |
|
it is going to stage PRs to be reviewed through our normal process. So yes, it will be making commits, but not unsupervised. |
|
Examples would include running and sending PRs for |
|
The jobs we're running now are in the repo linked in
There are others, but those produce the most PRs. |
|
I sent #331 to set up the repo in sandbox. Once the repo is there, I'll bootstrap it with some of our boilerplate (e.g. OWNERS) and after I create the secrets I'll use an adapted version of the nightly update action to test this agains the CLA bot. Once things are looking good with that, I'll port the rest of the automation over. |
|
This job should be our canary: https://github.com/mattmoor/knobots-actions/blob/master/.github/workflows/update-nightlies.yaml |
|
Seem to be having CLA issues here: knative/serving#9880 Need some help sorting out what I did wrong... 🤔 |
|
/unassign @thisisnotapril CLA is clear, I've migrated most of the actions over canarying with the nightly updates for serving and testing now with the bigger job manually triggered: https://github.com/knative-sandbox/knobots/runs/1289204805?check_suite_focus=true |
|
Alright, the latest batch (manually triggered) seems happy: knative/eventing#4361 The run above was missing the commit email change. I aborted the flow, and we'll see how the crons work tonight 🎉 |
|
I disabled the cron on my jobs, so knative-automation is now the source of truth. Things left TODO once things have been verified:
|
Context: I'd like to stop running the knobots as myself, and was hoping that pure GHA would resolve this, but multiple issues are blocking that (elaboration below).
tl;dr
I'd like to propose the following:
knative-sandbox/knobotsas a home for what's currently in: https://github.com/mattmoor/knobots-actions (we can bikeshed the name, I only offer a strawman)knative-automationGithub user (done to avoid squatting, PAT will be attached as a secret to the above repo)automation@knative.teamGoogle Group under the Gsuite org (to be associated with above acct).I'd propose seeding the group with Productivity leads and TOC.
cc @knative/steering-committee
cc @knative/technical-oversight-committee
cc @knative/productivity-wg-leads
Why not pure Github Actions?
The first (non-blocking) issue I (really @n3wscott) hit was that the bot hasn't signed the Google CLA, but this is (in theory) a solvable problem with this process: https://opensource.google/docs/cla/#robots
The second (blocking) issue I hit was that the token handed to GHA during workflows cannot trigger additional workflows. This means PRs created through automation don't cascade further automation (e.g. creating PRs doesn't trigger PR validation), which is surely a security feature, but also a prohibitive flaw. The proposal above is effectively a mitigation of this.
Why not Prow?
Prow is a bespoke and heavy solution for many of the things to do. The barrier to implementing new features in Prow is high, and the ecosystem of functionality is fairly minimal. Actions has a low barrier to entry, as well as a large and rapidly growing ecosystem of functionality.
I still believe Prow was the right choice when we started (GHA didn't even exist), and remains the right choice for a broad class of our activities, but I don't think this is one of those.
The text was updated successfully, but these errors were encountered: