Currently this functionality is provided by a shell script stored in
/etc/secrets (which has the password value hardcoded).
This needs to happen in a separate commit from the one that changes
the pipeline to avoid breaking it (it needs to be deployed first).
Change-Id: I680754c828ccefbacfcf0d5c813a4bc19493ba4c
We already checked this in, but this commit adds the configuration for
making use of it.
There are two copies of besadii's JSON configuration with different
permissions.
Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.
Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
This makes this function a true rubberstamp again, leading to
rubberstamped CLs automatically being merged after CI passes.
This is similar to the initial functionality we had last year, where
this directly submitted changes, but with the addition of the CI
checks.
Change-Id: I946b074b968eb18a64c4edb0043f7a4af28759b4
This almost makes for a sort of fire&forget button, except we don't
have a way to automatically pick reviewers yet :)
Change-Id: I6f446270f8aaf0409ccb6321bdbb5c349079cd19
... this option really is a pitfall! The list of programs is now the
same as in the upstream module, plus curl and jq.
Change-Id: I29edae4b2400a2724f62df9efa1dc184a8b0af5f
The DynamicUser + Group configuration does not work as planned, thus
the systemd LoadCredentials feature is used instead which makes the
file (which itself is only readable by root) available in a
memory-backed location only readable by the service.
The secret is only available to `ExecStart` commands, so units using
this feature can not be used with pre/post units and the like if those
commands need secrets.
To accommodate this, the merge of configuration files has been moved
into the service launch script, which is now the ExecStart= process.
For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH
Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
It turns out the lib.mkAfter call doesn't behave as expected -
only *some* of the packages that are defaulted end up in the $PATH.
I suspect this is actually something else, e.g. these packages are
always added for some reason or another, and the option is completely
overridden every time.
Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
In autosubmit cases that require rebases, the change *uploader* might
be clbot which would cause besadii to use clbot as the owner.
This is incorrect, but luckily the change-merged event has an actual
owner field instead.
Change-Id: Ia35b52085f94628e61eb358807b3b85565521b60
Turns out that the type of this option is not concatenative and it
replaces the packages needed to run Buildkite if set.
Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.
I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.
Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
Detects autosubmitted CLs (other people's CLs submitted by clbot) and
modifies the text submitted to IRC accordingly.
If a CL is autosubmitted, we opt to highlight its author rather than
invoking noping.
Change-Id: Ibc21b7eeb2f0f2087097404baef6976384d68b09
This step would get inserted at the wrong point in the build pipeline
otherwise, causing a dependency cycle and causing the pipeline to fail.
Change-Id: I534568eec77f74ae6c47276820f8a9e99493a3ea
This simplifies the fallback logic used in case of Nix evaluation
failure and makes it so that the evaluation step itself is the one
that is marked as failed in Buildkite.
This is possible because the pipeline upload command will insert new
steps at the point where it runs in the pipeline, and not later.
Change-Id: I870534c004ebc457a1602623c4e5f9c0c68e28fc
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.
Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
This is not yet including the secret configuration for gerrit-queue,
and just expects the secret (gerrit username & password) to be
available in /etc/secrets.
Change-Id: Ia465ef7f3f521c70d606d7fdeba9aa83c7e1b98b
This is required for a simplification of the build pipeline (following
CL) and needs to be in a separate commit as it can not be done
atomically (merging the other commit to deploy it would immediately
break pipelines otherwise).
Change-Id: I5d8ec8f3238f79b5518d799486bf98d1d9516c43
Imported from github/tvlfyi/gerrit-queue, originally from
github/tweag/gerrit-queue but that upstream is unmaintained.
git-subtree-dir: third_party/gerrit-queue
git-subtree-mainline: ff10b7ab83
git-subtree-split: 24f5a642af
Change-Id: I307cc38185ab9e25eb102c95096298a150ae13a2
The upstream isn't really maintained anymore, so we may as well take
it over since we're patching it anyways.
Change-Id: I7dddc03ab90b00611520a77a26e73a5be1c2cfb8
This is a Gerrit autosubmit bot (actually written by flokli) which we
intend to use.
For now we're using the plain upstream version, but we'll want to
patch some of the behaviours of it so there's a vendoring on the
horizon.
Change-Id: I021d41b55f9f678435d9aec6d359545577cb9ec0
This moves to using a Gerrit label ('Autosubmit') with boolean values
for determining whether a developer wants to have a change
automatically submitted.
See also https://cl.tvl.fyi/c/depot/+/4172
Bound to `A g`, this behaves similarly to `magit-gerrit-checkout` - it
prompts for a CL number, then cherry-picks the latest patchset of that
CL number
Change-Id: Ieef970b99d96170e8c960cc7687ead9022948f8b
A lot has happened in the meantime (EXWM maintainer change) and this
pulls in all the relevant changes since then.
It may become unnecessary to keep EXWM subtreed, but we'll get to that
later.
Change-Id: I45cc06d747d84b3d28fd0db0e4bb3b749a956583
Sets up the key set and adds an initial secret (besadii config with
tokens) to be deployed to whitby.
Change-Id: Ic07fd5e66b9e7a533013e04c35e052c2aa11f77d
This behaviour was previously confusing, since readTree's data
structure treats children from Nix files and directories as identical
but only one of them would be affected by .skip-subtree
The "subtree" to be skipped here refers to all children of the
structure.
Change-Id: Idf596c9823f09cc2acf49523916bde4b801b8519
