Posting build progress to github

[jbergstroem]

I've been tinkering with a set of scripts that posts feedback to github. Here's a quick outline on how it works:

• There's a boolean called POST_STATUS_TO_PR in the node-test-pull-request job. Make sure that's checked and enter your PR.
• Each worker as part of the node-test-commit will ping github and say they've started building/testing (as of now, see Unfold make-ci in jenkins #229 for improvements in this regard). These workers are currently: ci/linter, ci/freebsd, ci/smartos, ci/linux, ci/plinux, ci/windows-fanned, ci/osx ci/arm and ci/arm-fanned.
• Once the test suite completes we're checking if the test suite returned either unstable or success status. If that's the case we post a success and a text mentioning total tests run plus any skips (linter accts differently plus needs more work since we need tap output; see this example pr for work in progress).
• If the suite has any other status (currently only supports failed tests) we post the number of failed tests, skipped and total.

In order to achieve above I had to install a new jenkins plugin that gives us access to execute logic as part of the post-build phase. I'm using the xml api and parse output in python (for portability) when needed.

Have a look at a few of the above jobs (edit in jenkins) for how it currently works. There's a few things that still needs to be done, where at least one would be up for discussion:

• port bash stuff to windows
• unfold build steps (Unfold make-ci in jenkins #229) so we can distinguish between a compile and test error.
• land changes to linter can output tap (tools: add tap output to cpplint node#3448 and wip PR for eslint)
• figure out how to safely store github credentials (currently using the personal token)

So, the last one is a bit of a tricky problem. Since we can't really trust input from a PR this is an issue. Jenkins has a few ways of storing passwords (credential store and global passwords) and tries to mask it in some cases; but that sandbox was pretty easy to escape from.

[jbergstroem]

One option to solve the credentials issue would be to create a small proxy script that adds this credential. This creates another trust issue since we then lack logic to control when it should fire, but that might be the better trade.

[Starefossen]

Just making sure, and you are probably aware, that there exists an GitHub OAuth API scope which only grants access to the Status API – namely the repo:status scope.

[jbergstroem]

@Starefossen yep, that's what we're using but its still leakable in its current form.

[DavidTPate]

The credentials is where it really starts to get difficult, I haven't seen a good way yet. If you look at Travis CI for example. When dealing with encrypted things (such as credentials or keys) it just doesn't provide them with PRs that aren't from the same repository.

You could totally limit the impact of the credentials being discovered by limiting the scope of the keys (and you want to do this regardless). But the ideal case would be to not have the keys leaked in the first place. What typically happens with most SaSS products that do this right now is that their status is reported by a service that they manage which has open access. It's not exactly ideal since anyone could update the status, but it gets us to the point where we have kept our credentials safe.

The last part would be limiting access to the service for updating statuses. I'm not familiar with the infrastructure, but if a web service can be created which simply updates the status for PRs and either have access limited by CIDRs, Routing, or some other method that would get us pretty much there.

[jbergstroem]

@DavidTPate that's roughly what I suggested with my 'proxy' script. The problem is still that anyone can call it if they know what they're doing. The layer of security by obscurity is tricky to get rid of when you allow people to modify source code.

[thefourtheye]

Given that our CI is mostly red these days, if we could somehow show the list of failing tests and their corresponding environments, it would be awesome.

[DavidTPate]

Yeah, someone who knows what they are doing would still be able to manipulate it it would just have a tougher barrier to get to that point. It's definitely a tough problem.

The only way that I can think to really do this and limit exposure would be to have some credential generated for each build that allows exactly one call to update the build status for each job.

[jbergstroem]

Thing is. If you know what you're doing you can privilege escalate other stuff (or rm -rf) as well. I think this is more about finding "good enough" security, then trust that people that start jobs actually glance over a PR before submitting it for execution.

[DavidTPate]

@jbergstroem Yeah, that seems to be the case to me, there just doesn't seem to be a good way to completely secure something like this and "good enough" is a great start.

[orangemocha]

Is there any way that we can distinguish Jenkins' success from unstable (only flaky tests failed)? I am concerned that if people start relying on the status checks to vet their PRs, that we'll lose visibility on flaky tests. Reporting the list of failed flaky tests back to GitHub would be ideal.

[jbergstroem]

@orangemocha at github, not really -- we've got in progress, success or failed. What I've done though is added a note in the text mentioning how many flaky tests were run.

[jbergstroem]

After giving it some thought I'm thinking we should do what @rvagg has been suggesting;

1. have a hook in node-test-pull-request that pings a server that starts polling
2. poll node-test-commit for slaves
3. poll each slave for updates until the parent is closed

polling sucks but this completely avoids any security-related issues and makes it more portable, meaning others can benefit from our work.

[Starefossen]

Makes sense. Nothing wrong in taking the secure route here.

[DavidTPate]

That sounds like a good solution, polling does suck but it seems like a very acceptable tradeoff here.