feat(tools/crfo-approve): Add tool for CRFO depot-interventions
In some cases we want to be able to "emergency approve" something on behalf of a different user. Example cases: * clean up of abandoned directories with restrictive OWNERS * security fixes blocked on people in different timezones This script can be used to perform these approvals if the user is a member of depot-interventions. Note that access to depot-interventions is audit logged. The user on behalf of whom approval is performed is always added to the attention set to ensure that they are made aware of the CRFO approval. Note: This depends on nixpkgs#156466. Keeping WIP until we have a channel with that patch. Change-Id: I16e5f9d7baa9daab49c88b629bb8f024aad9d94c Reviewed-on: https://cl.tvl.fyi/c/depot/+/5085 Tested-by: BuildkiteCI Reviewed-by: kn <klemens@posteo.de> Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
parent
f82f459e2c
commit
3452569ddd
1 changed files with 52 additions and 0 deletions
52
tools/crfo-approve.nix
Normal file
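--- /dev/null
+++ b/tools/crfo-approve.nix
@@ -0,0 +1,52 @@
+# Helper script to run a CRFO approval using depot-interventions.
+#
+# Use as 'crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF'.
+#
+# Set credential in GERRIT_TOKEN envvar.
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "crfo-approve" ''
+set -ueo pipefail
+
+if (($# != 4)) || [[ -z ''${GERRIT_TOKEN-} ]]; then
+cat >&2 <<'EOF'
+crfo-approve - Helper script to CRFO approve a TVL CL
+
+Requires membership in depot-interventions to work.
+
+Gerrit HTTP credential must be set in GERRIT_TOKEN envvar.
+
+Usage:
+crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF
+EOF
+exit 1
+fi
+
+export PATH="${pkgs.lib.makeBinPath [ pkgs.httpie pkgs.jq ]}:''${PATH}"
+
+readonly CL_ID="''${1}"
+readonly PATCHSET="''${2}"
+readonly REAL_USER="''${3}"
+readonly TOKEN="''${GERRIT_TOKEN}"
+readonly ON_BEHALF_OF="''${4}"
+readonly URL="https://cl.tvl.fyi/a/changes/''${CL_ID}/revisions/''${PATCHSET}/review"
+
+# First we need to find the account ID for the user
+ACC_RESPONSE=$(http --check-status 'https://cl.tvl.fyi/accounts/' "q==name:''${ON_BEHALF_OF}" | tail -n +2)
+ACC_LENGTH=$(echo "''${ACC_RESPONSE}" | jq 'length')
+
+if [[ ''${ACC_LENGTH} -ne 1 ]]; then
+echo "Did not find a unique account ID for ''${ON_BEHALF_OF}"
+exit 1
+fi
+
+ACC_ID=$(jq -n --argjson response "''${ACC_RESPONSE}" '$response[0]._account_id')
+echo "using account ID ''${ACC_ID} for ''${ON_BEHALF_OF}"
+
+http --check-status -a "''${REAL_USER}:''${TOKEN}" POST "''${URL}" \
+message="CRFO on behalf of ''${ON_BEHALF_OF}" \
+'labels[Code-Review]=+2' \
+on_behalf_of="''${ACC_ID}" \
+"add_to_attention_set[0][user]=''${ACC_ID}" \
+"add_to_attention_set[0][reason]=CRFO approval through depot-interventions"
+''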
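Review bot: The +2 is posted for whichever single account `q==name:...` returns, but the operator never sees who that is before the `http ... POST` fires: the lookup asks for no account details (Gerrit's account query returns only `_account_id` unless `o==DETAILS` is given) and the script echoes that number next to the name the operator typed rather than the name Gerrit matched, so a near-miss match yields a +2 and an attention-set entry on the wrong person with nothing to catch it. I would add `o==DETAILS` to the lookup and print the match, e.g. `echo "using account ID ''${ACC_ID} ($(jq -r '.[0].name + " <" + (.[0].email // "?") + ">"' <<<"''${ACC_RESPONSE}")) for ''${ON_BEHALF_OF}"`, and consider an explicit confirmation prompt for an action that is audit-logged and taken in another person's name. Note also that the lookup runs unauthenticated while the review is posted as `''${REAL_USER}`, so the two requests may not see the same set of accounts. Separately, `-a "''${REAL_USER}:''${TOKEN}"` places the Gerrit HTTP credential in httpie's argv, readable from `/proc/<pid>/cmdline` by other local users for the duration of the request; httpie honours `~/.netrc`, which keeps it out of the process list. A short comment on `tail -n +2` naming Gerrit's `)]}'` anti-XSSI prefix as the reason for dropping the first line would help the next reader.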