-
Notifications
You must be signed in to change notification settings - Fork 687
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use peribolos to manage team repo permissions #2614
Use peribolos to manage team repo permissions #2614
Conversation
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
If one or more restrictions are violated, make cmd/restrictions exit with a non-zero exit code and hence make it blocking for use in pre-submits. Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
921df94
to
6e65efa
Compare
LGTM. Since I had technically authored the original code, I'd like one of @MadhavJivrajani or @palnabarun to approve here. |
// When bumping Kubernetes dependencies, you should update each of these lines | ||
// to point to the same kubernetes-1.x.y release branch before running update-deps.sh. | ||
// to point to the same kubernetes v0.KubernetesMinor.KubernetesPatch version | ||
// before running update-deps.sh. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MadhavJivrajani, @palnabarun I was thinking of removing above lines of comment from the go.mod
file, since update-deps.sh
hack file is no longer present in the repo (was removed as part of #1278).
WDYT? Is there something else that is doing the job of update-deps.sh
script currently and can be replaced with, in the comments?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, pushed changes in the latest commits refresh. 👍
6e65efa
to
1e12f77
Compare
Summing up the recent changes after the last PR review:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Thank you so much @Priyankasaggu11929 ❤️
/hold |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you all for working on this and pushing this ahead! ❤️
/lgtm
/approve
/hold cancel
/pony party
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: MadhavJivrajani, marosset, nikhita, palnabarun The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fixes #2465
This PR starts using peribolos to manage team repo permissions. Note - peribolos will fail if the repo doesn't exist, so we need to ensure that the repo exists before specifying it in the config. We could probably write a test to query the GitHub API to validate this, but I'd like to cover this in a follow-up.
Specifically, it includes the following changes:
Add a new binary in
cmd/restrictions
to define restrictions to the team repo config so that a team in a sub-folder can't arbitrarily give themselves kubernetes/kubernetes admin access. The restrictions config is similar to slack-infra, and can be extended in the future to define further restrictions.Add a verify script for restrictions. Note: I've not added this to bazel directly because I want to be able to run this script without bazel. This also meant that
verify-all.sh
now contains code to run allhack/verify-*
scripts.Update all org configs to dump team repo permissions.
There are a few teams that use the
triage
andmaintain
permissions. Peribolos was recently updated to support these (Added support for full set of repository permissions in Peribolos test-infra#21526, thanks @MadhavJivrajani!). To support this feature + some critical fixes related to team permissions (peribolos: fix updating teams test-infra#19338), this PR also bumps test-infra to the latest master (kubernetes/test-infra@01a7a10). I also copied over the replace statements from test-infra's go.mod on master. Most of the diff is generated bazel changes due to this bump.Add a
config/restrictions.yaml
to restrict which repos teams can specify. The GitHub Management team will be able to approve changes to this file./cc @spiffxp @cblecker @mrbobbytables
/assign @spiffxp
/hold for review