-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 889431: Fix null dereference in gitlab https://review.opendev.org/c/zuul/zuul/+/889431 | 14:23 | |
@mfeder:matrix.org | Hi, | 14:27 |
Zuul-Github CI pipeline-related question: | ||
I would like to set up the pipeline on GitHub as follows: | ||
- Pipeline should be triggered via PR comment "e2e-test" | ||
- Pipeline should require PR label "ok-to-test" - label could be assigned to PR only by "trusted" GitHub account | ||
- I've expected that `current-patchset: True` [0] associated the label with the latest commit in the PR and this prevents "untrusted" developers from pushing another commit which may expose some secrets | ||
- This did not work. It is possible to push another commit to the PR and trigger pipeline via PR comment "e2e-test" | ||
- Is it expected behavior? | ||
In general, I want to protect a pipeline execution from "un-trusted" developers and introduce some pipeline conditions to ensure that. Would be great if mentioned condition is not `review approval` but something like a label. | ||
[0] https://zuul-ci.org/docs/zuul/latest/drivers/github.html#attr-pipeline.require.%3Cgithub%20source%3E.current-patchset | ||
@sean-k-mooney:matrix.org | hi folks. quick question. support for galaxy roles and collections in zuul has been pending for a long time. for the most part zuul roles just work for most cases, however recently i have had need to use roles that include action plugins/modules... and since they are packaged as a galaxy collection the plugins are not packaged inline in the role | 16:04 |
@sean-k-mooney:matrix.org | has anyone ever managed to make that work with zuul | 16:04 |
@sean-k-mooney:matrix.org | i'm trying to avoid the current hack that is being used to work around it (using ansible shell/command to run ansible-playbook ... on the nodepool vm) | 16:05 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 889431: Fix null dereference in gitlab https://review.opendev.org/c/zuul/zuul/+/889431 | 16:08 | |
@jim:acmegating.com | sean-k-mooney: that has not been implemented yet | 16:09 |
@sean-k-mooney:matrix.org | yes i'm aware | 16:11 |
@sean-k-mooney:matrix.org | i'm really just wondering is there any way i could modify the zuul job so that i can include the plugins the same way i include the roles | 16:11 |
@sean-k-mooney:matrix.org | i tried using AnsibleLibary and other similar options | 16:12 |
@sean-k-mooney:matrix.org | basically my role works fine when run with molecule[vagrant] locally so my fallback is just to run that in the zuul vm | 16:13 |
@sean-k-mooney:matrix.org | it almost works when i have zuul run the converge/verify playbooks. i was just trying to avoid nested virt but it's always an option, as is running ansible in a subshell | 16:14 |
@jim:acmegating.com | ah, sorry, i misunderstood your question. i suspect that the best way to accomplish that would be to implement the feature, but i think it depends somewhat on ansible's module loading behavior and rules. we don't really track that any more in zuul. maybe something in ansible 8 would make it easier. we just merged support for that. | 16:14 |
@sean-k-mooney:matrix.org | ya this is not something they document particularly well | 16:15 |
@sean-k-mooney:matrix.org | i have other jobs i can follow as a reference to the ansible in ansible approach. i was just trying to avoid installing it on the test vm since it won't be there normally | 16:16 |
@sean-k-mooney:matrix.org | ok i'll see if i can figure something else out and if not i'll go back to the solution that works | 16:18 |
@sean-k-mooney:matrix.org | thanks :) | 16:18 |
@fungicide:matrix.org | the alternative is nested ansible | 17:56 |
@fungicide:matrix.org | rather than try to use collections directly in the job playbooks run by the executor, have the job call an ansible on a test node and install whatever collections you want onto that test node | 17:56 |
@fungicide:matrix.org | it's not a great solution, but it does at least work for some cases | 17:57 |
@fungicide:matrix.org | sean-k-mooney: the main challenge with using collections directly in jobs is more or less the same as the challenge with pip installing arbitrary ansible modules (or other python libraries) for use by the ansible run on the zuul executor. if you have control of the executor which is being used, you could probably install the desired collections into the python environment(s) for the executor's ansible version(s) | 17:59 |
@fungicide:matrix.org | but not arbitrary collections at job runtime | 17:59 |
@sean-k-mooney:matrix.org | the problem was i am trying to test the collection | 18:02 |
@sean-k-mooney:matrix.org | as in the collection is part of the git repo where the job is being defined | 18:02 |
@sean-k-mooney:matrix.org | and i'm trying to test one of the roles in the collection | 18:03 |
@sean-k-mooney:matrix.org | and that role just happens to use one of the other roles | 18:03 |
@sean-k-mooney:matrix.org | so i don't actually want to pull it from galaxy | 18:03 |
@fungicide:matrix.org | you could likely do that with a nested ansible job | 18:03 |
@sean-k-mooney:matrix.org | yep | 18:03 |
@sean-k-mooney:matrix.org | that's the current workaround in at least one of the repos | 18:03 |
@sean-k-mooney:matrix.org | that's what i'm going to try. i'll create a python venv, install ansible and then galaxy install the zuul cloned repo | 18:04 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 888627: Add AWS Kinesis support https://review.opendev.org/c/zuul/zuul/+/888627 | 18:04 | |
@fungicide:matrix.org | that also gives you the option of testing changes to your collection with versions of ansible and python which aren't supported on the zuul executor itself | 18:04 |
@sean-k-mooney:matrix.org | yep it just feels wrong to run ansible in ansible but it's better than not testing it | 18:05 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/nodepool] 889649: Add missing aws mock cleanup https://review.opendev.org/c/zuul/nodepool/+/889649 | 18:06 | |
@jim:acmegating.com | honestly, if the goal is to test a general purpose ansible collection, i think what you're doing/will do is still the right way, even if this feature were implemented in zuul. for more or less the reasons fungi just mentioned. i think the [missing] feature in zuul would be better limited to just zuul-specific modules | 18:08 |
@sean-k-mooney:matrix.org | this is the actual failure i got https://review.rdoproject.org/zuul/build/6a6fde97aeff4ee7bf09dcd29c17b7b8/log/job-output.txt#1167 | 18:08 |
@sean-k-mooney:matrix.org | so it ran my role until i tried to use a role from the collection by fully qualified name | 18:09 |
@sean-k-mooney:matrix.org | if i don't fully qualify it it will likely work | 18:09 |
@sean-k-mooney:matrix.org | but then i'm expecting it to fail because the plugin is not installed on the zuul executor | 18:09 |
@sean-k-mooney:matrix.org | that's what happens if i don't fully qualify in molecule | 18:10 |
@sean-k-mooney:matrix.org | so ya i'm just going to ansible in ansible for now | 18:10 |
@fungicide:matrix.org | it's turtles all the way down | 18:11 |
@sean-k-mooney:matrix.org | i mean i'm testing a role to deploy libvirt as part of deploying openstack on openshift and rhel (via ansible) on a ci system that uses openstack to create vms which then use ansible to run the job | 18:13 |
@sean-k-mooney:matrix.org | so yep | 18:13 |
@fungicide:matrix.org | that's a lot of turtles indeed | 18:14 |
@sean-k-mooney:matrix.org | i'm just sad that the job was almost | 18:14 |
@sean-k-mooney:matrix.org | pre-run: | 18:14 |
- roles/edpm_libvirt/molecule/default/prepare.yml | ||
- roles/edpm_libvirt/molecule/default/converge.yml | ||
run: | ||
- roles/edpm_libvirt/molecule/default/verify.yml | ||
@sean-k-mooney:matrix.org | i really like it when zuul jobs are written so you can reproduce them easily locally | 18:15 |
@sean-k-mooney:matrix.org | which is why i started with molecule and then was trying to reuse that directly in the zuul job | 18:16 |
@sean-k-mooney:matrix.org | anyway i'm going to call it a day. thanks again for confirming that ansible in ansible is probably the best approach | 18:16 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/nodepool] 887907: Use low-level OpenStack SDK calls for server listing https://review.opendev.org/c/zuul/nodepool/+/887907 | 18:29 | |
@mfeder:matrix.org | hello folks, could you please explain what the `current-patchset` option means in the context of Github? | 19:33 |
- https://zuul-ci.org/docs/zuul/latest/drivers/github.html#attr-pipeline.require.%3Cgithub%20source%3E.current-patchset | ||
- an example would be helpful thx | ||
@mfeder:matrix.org | * hello folks, could you please explain what the `current-patchset` option means in the context of Github? what is the `item` mentioned in the docs? | 19:34 |
- https://zuul-ci.org/docs/zuul/latest/drivers/github.html#attr-pipeline.require.%3Cgithub%20source%3E.current-patchset | ||
- an example would be helpful thx | ||
@jim:acmegating.com | mfeder: the item is referring to the pull request in that case. most likely relevant if zuul is processing an event that is related to an earlier version of the pr (ie, the commit pointer has been updated since then). | 19:37 |