From: Thanh Ha Date: Wed, 30 Aug 2017 21:56:55 +0000 (-0400) Subject: Create job to lock|unlock branches via Gerrit X-Git-Tag: v0.9.0~11^2 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F45%2F6245%2F6;p=releng%2Fglobal-jjb.git Create job to lock|unlock branches via Gerrit A contributor can leave a comment "lock|unlock branch" in Gerrit comment which triggers a job to submit a patch to Gerrit for the project to lock or unlock their branch. Locking refers to removing the permission to click the Submit button in the project's branch effectively disallowing new patches to be merged into the repo. This job simply generates and submits a patch. A project committer still needs to approve it. Issue: RELENG-424 Change-Id: Id489d931037c76bdcad032ec44b0ce748bdffe81 Signed-off-by: Thanh Ha --- diff --git a/.jjb-test/expected-xml/gerrit-ciman-gerrit-branch-lock-master b/.jjb-test/expected-xml/gerrit-ciman-gerrit-branch-lock-master new file mode 100644 index 00000000..1ca7ec2f --- /dev/null +++ b/.jjb-test/expected-xml/gerrit-ciman-gerrit-branch-lock-master 
@@ -0,0 +1,517 @@ + + + + <!-- Managed by Jenkins Job Builder --> + false + false + false + false + build-vm + false + + + + 1 + -1 + -1 + 0 + + + + + + PROJECT + Parameter to identify a Gerrit project. This is typically the +project repo path as exists in Gerrit. +For example: ofextensions/circuitsw + + releng/ciman + + + STREAM + Stream is often set to the same name as 'branch' but can +sometimes be used as a name representing a project's release code +name. + + master + + + GERRIT_PROJECT + Parameter to identify Gerrit project. This is typically the +project repo path as exists in Gerrit. +For example: ofextensions/circuitsw + +Note that Gerrit will override this parameter automatically if a +job is triggered by Gerrit. + + releng/ciman + + + GERRIT_BRANCH + Parameter to identify a Gerrit branch. + +Note that Gerrit will override this parameter automatically if a +job is triggered by Gerrit. + + master + + + GERRIT_REFSPEC + Parameter to identify a refspec when pulling from Gerrit. + +Note that Gerrit will override this parameter automatically if a +job is triggered by Gerrit. + + refs/heads/master + + + LFTOOLS_VERSION + Version of lftools to install. Can be a specific version like +'0.6.0' or a PEP-440 definition. +https://www.python.org/dev/peps/pep-0440/ +For example '<1.0.0' or '>=1.0.0,<2.0.0'. + + <1.0.0 + + + + + + 2 + + + origin + + $GIT_URL/$GERRIT_PROJECT + test-credential + + + + + refs/heads/master + + + + + false + false + true + false + false + Default + + + + + + true + + false + false + + + false + false + false + + 10 + + + + + + + + + + ANT + releng/ciman + + + ANT + **/master + + + false + + + + false + false + false + false + + false + false + true + false + false + + + False + + false + + + (un)?lock branch$ + + + + + + + + + + test-server + + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. 
+# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +# Generates a patch to lock|unlock a branch in Gerrit +# +# Assumes that the project repository was cloned via ssh and thus uses ssh to +# install the git commit hook. + +# Ensure we fail the job if any steps fail. +set -eu -o pipefail + +git fetch origin refs/meta/config:config +git checkout config + +install_gerrit_hook() { + ssh_url=$(git remote show origin | grep Fetch | grep 'ssh://' \ + | awk -F'/' '{print $3}' | awk -F':' '{print $1}') + ssh_port=$(git remote show origin | grep Fetch | grep 'ssh://' \ + | awk -F'/' '{print $3}' | awk -F':' '{print $2}') + + if [ -z $ssh_url ]; then + echo "ERROR: Gerrit SSH URL not found." + exit 1 + fi + + scp -p -P "$ssh_port" "$ssh_url":hooks/commit-msg .git/hooks/ + chmod u+x .git/hooks/commit-msg +} +install_gerrit_hook + +# Groups must be mapped in the groups file before they can be used +if ! grep 'Registered Users'; then + echo -e "global:Registered-Users\tRegistered Users" >> groups +fi + +mode=$(echo "$GERRIT_EVENT_COMMENT_TEXT" | grep branch | awk '{print $1}') +case $mode in + lock) + echo "Locking branch: $GERRIT_BRANCH" + git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.exclusiveGroupPermissions" "submit" + git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.submit" "block group Registered Users" + git commit -asm "Lock branch $GERRIT_BRANCH" + ;; + + unlock) + echo "Unlocking branch: $GERRIT_BRANCH" + git config -f project.config --remove-section "access.refs/heads/${GERRIT_BRANCH}" || true + git commit -asm "Unlock branch $GERRIT_BRANCH" + ;; + + *) + echo "ERROR: Unknown mode selected '$mode'." 
+ exit 1 + ;; +esac + +git diff HEAD~1 +git push origin HEAD:refs/for/refs/meta/config + + + + + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> sysstat.sh" +set +e # DON'T fail build if script fails. + +OS=$(facter operatingsystem) +case "$OS" in + Ubuntu) + SYSSTAT_PATH="/var/log/sysstat" + + # Dont run the script when systat is not enabled by default + if ! grep --quiet 'ENABLED="true"' "/etc/default/sysstat"; then + exit 0 + fi + ;; + CentOS|RedHat) + SYSSTAT_PATH="/var/log/sa" + ;; + *) + # nothing to do + exit 0 + ;; +esac + +SAR_DIR="$WORKSPACE/archives/sar-reports" +mkdir -p "$SAR_DIR" +cp "$SYSSTAT_PATH/"* "$_" +# convert sar data to ascii format +while IFS="" read -r s +do + [ -f "$s" ] && LC_TIME=POSIX sar -A -f "$s" > "$SAR_DIR/sar${s//[!0-9]/}" +done < <(find "$SYSSTAT_PATH" -name "sa[0-9]*" || true) + +# DON'T fail build if script fails. +exit 0 + + + + + + jenkins-log-archives-settings + + SETTINGS_FILE + + + + + + SERVER_ID=logs + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. 
This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> create-netrc.sh" + +# Ensure we fail the job if any steps fail. +set -eu -o pipefail + +NEXUS_URL="${NEXUS_URL:-$NEXUSPROXY}" +CREDENTIAL=$(xmlstarlet sel -N "x=http://maven.apache.org/SETTINGS/1.0.0" \ + -t -m "/x:settings/x:servers/x:server[x:id='${SERVER_ID}']" \ + -v x:username -o ":" -v x:password \ + "$SETTINGS_FILE") + +machine=$(echo "$NEXUS_URL" | awk -F/ '{print $3}') +user=$(echo "$CREDENTIAL" | cut -f1 -d:) +pass=$(echo "$CREDENTIAL" | cut -f2 -d:) + +echo "machine $machine login $user password $pass" > ~/.netrc + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> lftools-install.sh" + +# Script to install lftools via a version passed in via lf-infra-parameters +# +# Required parameters: +# +# LFTOOLS_VERSION: Passed in via lf-infra-parameters configuration. Can be +# set to a strict version number like '1.2.3' or using +# PEP-440 definitions. +# +# Examples: +# <1.0.0 +# >=1.0.0,<2.0.0 +# +# By default a released version of lftools should always be used. +# The purpose of the 2 variables below is so that lftools devs can test +# unreleased versions of lftools. 
There are 2 methods to install a dev version +# of lftools: +# +# 1) gerrit patch: Used to test a patch that has not yet been merged. +# To do this set something like this: +# LFTOOLS_MODE=gerrit +# LFTOOLS_REFSPEC=refs/changes/96/5296/7 +# +# 2) git branch: Used to install an lftools version from a specific branch. +# To use this set the variables as follows: +# LFTOOLS_MODE=git +# LFTOOLS_REFSPEC=master +# +# 3) release : The intended use case and default setting. +# Set LFTOOLS_MODE=release, in this case LFTOOLS_REFSPEC is unused. + +LFTOOLS_MODE=release # release | git | gerrit +LFTOOLS_REFSPEC=master + +# Ensure we fail the job if any steps fail. +# DO NOT set -u as virtualenv's activate script has unbound variables +set -e -o pipefail + +virtualenv --quiet "/tmp/v/lftools" +# shellcheck source=/tmp/v/lftools/bin/activate disable=SC1091 +source "/tmp/v/lftools/bin/activate" +pip install --quiet --upgrade pip + +case $LFTOOLS_MODE in + gerrit) + git clone https://gerrit.linuxfoundation.org/infra/releng/lftools.git /tmp/lftools + pushd /tmp/lftools + git fetch origin "$LFTOOLS_REFSPEC" + git checkout FETCH_HEAD + pip install --quiet --upgrade -r requirements.txt + pip install --quiet --upgrade -e . + popd + ;; + + git) + pip install --quiet --upgrade git+https://gerrit.linuxfoundation.org/infra/releng/lftools.git@"$BRANCH" + ;; + + release) + if [[ $LFTOOLS_VERSION =~ ^[0-9] ]]; then + LFTOOLS_VERSION="==$LFTOOLS_VERSION" + fi + + pip install --quiet --upgrade "lftools${LFTOOLS_VERSION}" + ;; +esac + +lftools --version + +# pipdeptree prints out a lot of information because lftools pulls in many +# dependencies. Let's only print it if we want to debug. +# echo "----> Pip Dependency Tree" +# pip install --quiet --upgrade pipdeptree +# pipdeptree + +#!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. 
This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> logs-deploy.sh" + +# Ensure we fail the job if any steps fail. +set -eu -o pipefail + +set -x # Trace commands for this script to make debugging easier. + +ARCHIVE_ARTIFACTS="${ARCHIVE_ARTIFACTS:-}" +LOGS_SERVER="${LOGS_SERVER:-None}" + +if [ "${LOGS_SERVER}" == 'None' ] +then + set +x # Disable trace since we no longer need it + + echo "WARNING: Logging server not set" +else + NEXUS_URL="${NEXUS_URL:-$NEXUSPROXY}" + NEXUS_PATH="${SILO}/${JENKINS_HOSTNAME}/${JOB_NAME}/${BUILD_NUMBER}" + BUILD_URL="${BUILD_URL}" + + lftools deploy archives -p "$ARCHIVE_ARTIFACTS" "$NEXUS_URL" "$NEXUS_PATH" "$WORKSPACE" + lftools deploy logs "$NEXUS_URL" "$NEXUS_PATH" "$BUILD_URL" + + set +x # Disable trace since we no longer need it. + + echo "Build logs: <a href=\"$LOGS_SERVER/$NEXUS_PATH\">$LOGS_SERVER/$NEXUS_PATH</a>" +fi + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## + +# Clear log credential files +rm "$SETTINGS_FILE" +rm ~/.netrc + + + + ^Build logs: .* + + + false + false + false + + + + + **/*.jenkins-trigger + EXCLUDE + + + false + false + + true + true + true + true + true + true + + + + + + 5 + BUILD_TIMEOUT + true + false + 0 + 3 + absolute + + + + test-credential + + + + 
diff --git a/.jjb-test/lf-ci-jobs.yaml b/.jjb-test/lf-ci-jobs.yaml index bb2dd42a..ecf365d9 100644 --- a/.jjb-test/lf-ci-jobs.yaml +++ b/.jjb-test/lf-ci-jobs.yaml @@ -3,6 +3,7 @@ name: gerrit-ci-jobs jobs: - "{project-name}-ci-jobs" + - gerrit-branch-lock project-name: gerrit-ciman diff --git a/jjb/lf-ci-jobs.yaml b/jjb/lf-ci-jobs.yaml index cebe4bc9..09dc191a 100644 --- a/jjb/lf-ci-jobs.yaml +++ b/jjb/lf-ci-jobs.yaml @@ -182,6 +182,76 @@ publishers: - lf-infra-publish +###################### +# Gerrit Branch Lock # +###################### + +- job-template: + name: '{project-name}-gerrit-branch-lock-{stream}' + id: gerrit-branch-lock + + ###################### + # Default parameters # + ###################### + + branch: master + git-url: '$GIT_URL/$GERRIT_PROJECT' + stream: master + gerrit_merge_triggers: + - comment-added-contains-event: + comment-contains-value: (un)?lock branch$ + + ##################### + # Job Configuration # + ##################### + + project-type: freestyle + node: '{build-node}' + + properties: + - lf-infra-properties: + project: '{project}' + build-days-to-keep: 1 + + parameters: + - lf-infra-parameters: + project: '{project}' + stream: '{stream}' + branch: '{branch}' + lftools-version: '{lftools-version}' + + wrappers: + - lf-infra-wrappers: + build-timeout: 5 + jenkins-ssh-credential: '{jenkins-ssh-credential}' + + scm: + - lf-infra-gerrit-scm: + git-url: '{git-url}' + refspec: '' + branch: '{branch}' + submodule-recursive: false + choosing-strategy: default + jenkins-ssh-credential: '{jenkins-ssh-credential}' + + triggers: + - gerrit: + server-name: '{gerrit-server-name}' + trigger-on: '{obj:gerrit_merge_triggers}' + projects: + - project-compare-type: ANT + project-pattern: '{project}' + branches: + - branch-compare-type: ANT + branch-pattern: '**/{branch}' + + builders: + - shell: !include-raw-escape: ../shell/gerrit-branch-lock.sh + + + publishers: + - lf-infra-publish + ############# # JJB Merge # ############# 
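Review bot: The default trigger `comment-contains-value: (un)?lock branch$` in the jjb/lf-ci-jobs.yaml hunk is anchored only at the end, so any comment that merely ends in "lock branch" starts a job that goes on to push a change to `refs/meta/config`. Nothing visible in this template limits which commenters may do that. The script in shell/gerrit-branch-lock.sh takes the first word of the matching line as the mode, so a comment such as "do not unlock branch" would fail the build rather than be ignored. Anchoring the start as well, e.g. `comment-contains-value: '^(un)?lock branch$'`, would line the trigger up with what the script accepts, provided the Gerrit Trigger plugin applies `^` per line (worth confirming, since Gerrit usually prefixes comments with a patch-set header). A short comment above `gerrit_merge_triggers` saying who is expected to issue the command would also help whoever reviews the generated patch.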
diff --git a/shell/gerrit-branch-lock.sh b/shell/gerrit-branch-lock.sh
new file mode 100644
index 00000000..64d6ec9c
--- /dev/null
+++ b/shell/gerrit-branch-lock.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2017 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# Generates a patch to lock|unlock a branch in Gerrit
+#
+# Assumes that the project repository was cloned via ssh and thus uses ssh to
+# install the git commit hook.
+
+# Ensure we fail the job if any steps fail.
+set -eu -o pipefail
+
+git fetch origin refs/meta/config:config
+git checkout config
+
+install_gerrit_hook() {
+ ssh_url=$(git remote show origin | grep Fetch | grep 'ssh://' \
+ | awk -F'/' '{print $3}' | awk -F':' '{print $1}')
+ ssh_port=$(git remote show origin | grep Fetch | grep 'ssh://' \
+ | awk -F'/' '{print $3}' | awk -F':' '{print $2}')
+
+ if [ -z $ssh_url ]; then
+ echo "ERROR: Gerrit SSH URL not found."
+ exit 1
+ fi
+
+ scp -p -P "$ssh_port" "$ssh_url":hooks/commit-msg .git/hooks/
+ chmod u+x .git/hooks/commit-msg
+}
+install_gerrit_hook
+
+# Groups must be mapped in the groups file before they can be used
+if ! grep 'Registered Users'; then
+ echo -e "global:Registered-Users\tRegistered Users" >> groups
+fi
+
+mode=$(echo "$GERRIT_EVENT_COMMENT_TEXT" | grep branch | awk '{print $1}')
+case $mode in
+ lock)
+ echo "Locking branch: $GERRIT_BRANCH"
+ git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.exclusiveGroupPermissions" "submit"
+ git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.submit" "block group Registered Users"
+ git commit -asm "Lock branch $GERRIT_BRANCH"
+ ;;
+
+ unlock)
+ echo "Unlocking branch: $GERRIT_BRANCH"
+ git config -f project.config --remove-section "access.refs/heads/${GERRIT_BRANCH}" || true
+ git commit -asm "Unlock branch $GERRIT_BRANCH"
+ ;;
+
+ *)
+ echo "ERROR: Unknown mode selected '$mode'."
+ exit 1
+ ;;
+esac
+
+git diff HEAD~1
+git push origin HEAD:refs/for/refs/meta/config
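Review bot: The unlock arm runs `git config -f project.config --remove-section "access.refs/heads/${GERRIT_BRANCH}"`, which deletes every permission in that ref's section rather than only the two keys the lock arm wrote. An unlock can therefore drop unrelated access rules the project had on the branch, and the lock arm would likewise replace an existing single `submit` value. Unsetting just the lock's keys keeps the generated patch minimal and easier for the approving committer to audit: `git config -f project.config --unset "access.refs/heads/${GERRIT_BRANCH}.submit" || true`, and the same for `.exclusiveGroupPermissions`. Separately, `grep 'Registered Users'` has no file operand, so it reads the job's stdin instead of the `groups` file and the mapping line is likely appended on every run; `if ! grep -q 'Registered Users' groups; then` looks like what was intended.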