Bug 269327

Summary: CI job approval rights on github for bsdimp
Product: Services
Reporter: Warner Losh <imp>
Component: Git Integration
Assignee: Warner Losh <imp>
Status: Closed FIXED
Severity: Affects Only Me
CC: uqs
Priority: ---
Version: unspecified
Hardware: Any
OS: Any

Description Warner Losh freebsd_committer freebsd_triage 2023-02-04 21:52:01 UTC
I'd like the ability to approve first time contributors' CI job run requests on github please.
Comment 1 Ulrich Spörlein freebsd_committer freebsd_triage 2023-02-05 19:58:20 UTC
Hmm, not sure where to set this. I see that it's turned on for first-time contributors, and the docs say "a maintainer with write access may need to approve any workflow runs"

It doesn't look like there's a global "maintainer" role, it's only Owner or Member.

For which repo would that be, and can you link to a PR?

One wrinkle with the read-only src,doc,ports repos would be that setting you (or anyone) as "maintainer" would also allow you to push to that repo.
Comment 2 Warner Losh freebsd_committer freebsd_triage 2023-02-05 22:21:32 UTC
(In reply to Ulrich Spörlein from comment #1)

I can't seem to find a sample PR from a first time contributor that has the blurb about it needing approval... I've closed 20 pull requests though and know that I have seen them.

I suppose that we could turn it off and turn it back on later the first time we get hit with a bogus pull request...  That might also be useful...

I'm looking for a way that people can look at a pull request and either explain the CI errors, reject it on merit, ask for improvements or commit it: The last three only if it passes CI would help in the filtering process...

So what's less risky? Me accidentally pushing to the wrong repo, or a sneaky use of resources when we get a pull request?
Comment 3 Ulrich Spörlein freebsd_committer freebsd_triage 2023-02-06 20:46:04 UTC
Which repo though?
Comment 4 Warner Losh freebsd_committer freebsd_triage 2023-02-09 15:10:49 UTC
https://github.com/freebsd/freebsd-src/pull/643

has a pull request that needs approval.

Which points to https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks

which starts "Maintainers with write access to a repository"

which I guess means I'd be able to push to the github repo, eh?

Is there some kind of third way? Like 'retargeting' the pull request to my fork where I do have write access? Though that seems like it would lose data
Comment 5 Ulrich Spörlein freebsd_committer freebsd_triage 2023-02-09 17:08:42 UTC
Ok, I clicked that button to see what would happen.

I've now created a ci-approvers team for our org, added you, and made it maintainer for freebsd-src repo.

Please try that for the next PR.

Also, please make sure to not push to that repo's usual branches ...
Comment 6 Warner Losh freebsd_committer freebsd_triage 2023-02-09 17:46:38 UTC
(In reply to Ulrich Spörlein from comment #5)
thanks uqs

I'll let you know how it works...

I'll try extra hard to not hit that button...