Use peribolos to manage team repo permissions #2614
Conversation
k8s-ci-robot
added
do-not-merge/hold
k8s-ci-robot
added
the
needs-rebase
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
If one or more restrictions are violated, make cmd/restrictions exit with a non-zero exit code and hence make it blocking for use in pre-submits. Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
Priyankasaggu11929
force-pushed
the
restrict-team-repo-perms
branch
from
921df94
to
6e65efa
Compare
k8s-ci-robot
removed
the
needs-rebase
|
LGTM. Since I had technically authored the original code, I'd like one of @MadhavJivrajani or @palnabarun to approve here. |
| // When bumping Kubernetes dependencies, you should update each of these lines | ||
| // to point to the same kubernetes-1.x.y release branch before running update-deps.sh. | ||
| // to point to the same kubernetes v0.KubernetesMinor.KubernetesPatch version | ||
| // before running update-deps.sh. |
There was a problem hiding this comment.
@MadhavJivrajani, @palnabarun I was thinking of removing above lines of comment from the go.mod file, since update-deps.sh hack file is no longer present in the repo (was removed as part of #1278).
WDYT? Is there something else that is doing the job of update-deps.sh script currently and can be replaced with, in the comments?
There was a problem hiding this comment.
Thanks, pushed changes in the latest commits refresh. 👍
Priyankasaggu11929
force-pushed
the
restrict-team-repo-perms
branch
from
6e65efa
to
1e12f77
Compare
|
Summing up the recent changes after the last PR review:
|
k8s-ci-robot
added
the
lgtm
|
/hold |
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: MadhavJivrajani, marosset, nikhita, palnabarun The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fixes #2465
This PR starts using peribolos to manage team repo permissions. Note - peribolos will fail if the repo doesn't exist, so we need to ensure that the repo exists before specifying it in the config. We could probably write a test to query the GitHub API to validate this, but I'd like to cover this in a follow-up.
Specifically, it includes the following changes:
Add a new binary in
cmd/restrictionsto define restrictions to the team repo config so that a team in a sub-folder can't arbitrarily give themselves kubernetes/kubernetes admin access. The restrictions config is similar to slack-infra, and can be extended in the future to define further restrictions.Add a verify script for restrictions. Note: I've not added this to bazel directly because I want to be able to run this script without bazel. This also meant that
verify-all.shnow contains code to run allhack/verify-*scripts.Update all org configs to dump team repo permissions.
There are a few teams that use the
triageandmaintainpermissions. Peribolos was recently updated to support these (Added support for full set of repository permissions in Peribolos test-infra#21526, thanks @MadhavJivrajani!). To support this feature + some critical fixes related to team permissions (peribolos: fix updating teams test-infra#19338), this PR also bumps test-infra to the latest master (kubernetes/test-infra@01a7a10). I also copied over the replace statements from test-infra's go.mod on master. Most of the diff is generated bazel changes due to this bump.Add a
config/restrictions.yamlto restrict which repos teams can specify. The GitHub Management team will be able to approve changes to this file./cc @spiffxp @cblecker @mrbobbytables
/assign @spiffxp
/hold for review