Wednesday, 2025-08-20

-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 956821: Fix test_gerrit_cherry_pick_web_with_update_queue https://review.opendev.org/c/zuul/zuul/+/956821 00:24
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 956822: Fix test_nonexistent_lock and test_efficient_removal https://review.opendev.org/c/zuul/zuul/+/956822 00:28
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 957267: Run build-js directly from PBR setup hook https://review.opendev.org/c/zuul/zuul/+/957267 00:29
@amusso:matrix.org I have a patch for nodepool that replaces the busy loop `while true; do sleep 30; done;` by `sleep infinity`.  That has been supported by sleep for a decade :]   James gave it a +2, I am not sure who else can +2/ Workflow +1 hence this ping 08:41
-@gerrit:opendev.org- Antoine Musso proposed: [zuul/zuul] 939623: Use fully qualified image names in Docker compose https://review.opendev.org/c/zuul/zuul/+/939623 08:43
@fungicide:matrix.org Antoine Musso: wow, that's really cool! i learned something new today, and the day's just getting started 13:02
@fungicide:matrix.org i use and have used pointless while loops for this most of my life 13:02
@fungicide:matrix.org granted i usually abbreviate `true` to `:` when i do it because it's less typing 13:03
-@gerrit:opendev.org- Zuul merged on behalf of Antoine Musso: [zuul/nodepool] 951809: Change entry point busy loop to 'sleep infinity' https://review.opendev.org/c/zuul/nodepool/+/951809 13:26
@jangutter:matrix.org Oh man, I'm feeling like I'm missing something very obvious. I'm testing something in a new Zuul setup, and realised that the gerrit reporter does not propagate the build's log URL correctly: "Build succeeded (check pipeline). " and then "* job-name build/UUID : SUCCESS in 1m 12s". It prints the text, but not the link. 13:42
@jangutter:matrix.org I'm reasonably sure this is something stupidly obvious that I missed in the setup. 13:42
@fungicide:matrix.org jangutter: did you set the baseurl in the connection? probably review https://zuul-ci.org/docs/zuul/latest/drivers/gerrit.html#connection-configuration to see what you might be lacking 13:48
@jangutter:matrix.org fungi: AAAARGH thanks so much, that was driving me nuts. 13:49
@fungicide:matrix.org any time 13:51
@jangutter:matrix.org fungi: it was web.root in zuul.conf! 14:36
@fungicide:matrix.org aha, yeah that'd do it 14:44
@jangutter:matrix.org Pretty sure I set that value in our other setup, 5 years ago. 14:45
@fungicide:matrix.org https://discuss.python.org/t/pre-pep-trusted-publishing-token-exchange/103067 is potentially interesting in conjunction with zuul's recent oidc token features 17:24
@fungicide:matrix.org might at least make sense to participate in the pep drafting in order to make sure that a zuul deployment could function as a trusted publisher 17:25
@jim:acmegating.com fungi: didn't they decide that they didn't want to interact with any trusted publishers except github and gitlab? 17:33
@fungicide:matrix.org corvus: pypi did, but they said that was for their initial poc and they would revisit that if other major code hosts asked 17:35
@fungicide:matrix.org this is more of a packaging repository standard beyond just pypi though 17:36
@fungicide:matrix.org i.e. how pypi-like repositories should support trusted publishing workflows, whether that's the pypi.org warehouse deployment or some other (public or internal) python package repository 17:38
@jim:acmegating.com yeah, so with this pep, then someone other than pypi who was running a pypi-compatible index could indicate that they trust zuul and twine could upload to that non-pypi using federated oidc 17:38
@fungicide:matrix.org right. twine in a zuul job could do that as long as the job passed in the right key material 17:39
@jim:acmegating.com makes sense; i doubt zuul needs to do anything for this.  what would be helpful is if pypi allowed that federation, then some real-world jobs we know about could use that (and, later, this). 17:40
@fungicide:matrix.org yeah, i guess it's a question of whether zuul is a go-between for another idp or is acting as an idp 17:41
@jim:acmegating.com i've configured zuul's oidc federation in both aws and azure... they both make it really easy to add a federated endpoint and assign it roles.  it's disappointing pypi didn't do something similar.  but even if they just added opendev, that would be something. 17:42
@fungicide:matrix.org i think the oidc functionality in zuul would obtain an upload token from an idp and then use that in the job? 17:42
@jim:acmegating.com nah, it generates its own token.  zuul is the idp. 17:42
@fungicide:matrix.org possible i'm not entirely up to speed on the possible workflows we have for that now 17:42
@jim:acmegating.com so what pypi (or, with this, some other registry) does is they say "i trust zuul to correctly represent to me that it is running a job for this repo" 17:43
@fungicide:matrix.org yeah, i think github.com and gitlab.com operate as idps which pypi.org trusts for this, rather than trusting a more general-purpose idp 17:43
@fungicide:matrix.org okay, so currently aws/azure trust the zuul install as an idp 17:43
@jim:acmegating.com yes, and with pypi's model today as they implemented it, they could add "zuul.opendev.org" as one of their trusted publishers. 17:44
@fungicide:matrix.org so, right, it's the "trust this set of idps for my package uploads" functionality pypi is actually missing, they just hard-coded it to two 17:44
@fungicide:matrix.org and i agree that's not really a protocol problem 17:45
@jim:acmegating.com well, i think there even still is a step where you indicate which of their trusted publishers is trusted for your pypi projects 17:45
@jim:acmegating.com so they even already have that 17:45
@jim:acmegating.com they just don't have the workflow for "add an arbitrary new trusted publisher" 17:46
@jim:acmegating.com looking at https://docs.pypi.org/trusted-publishers/adding-a-publisher/ i suspect there are a number of reasons for that.  one is probably simply that it's extra workflow steps in the pypi web app that they'd have to implement.  another may be that they want to pre-define the rules for how pypi interprets the jwt.  they know what a token from github looks like, so they hard-code the rules that say "if it's a github token, expect a "sub" that looks like this".  in generic systems like aws/azure, you add rules to match the token issued by zuul.  pypi could do that too, but it's another opportunity for users to get something wrong, and if i know the pypi folks, they would rather not abide that. 17:49
@jim:acmegating.com anyway, maybe we should ask pypi to add opendev. 17:50
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: 17:57
- [zuul/zuul] 958113: Launcher: fix loop error in ready node processing https://review.opendev.org/c/zuul/zuul/+/958113
- [zuul/zuul] 958114: Launcher: handle resuming accepting a request https://review.opendev.org/c/zuul/zuul/+/958114
@fungicide:matrix.org corvus: on that note, there's also https://docs.pypi.org/trusted-publishers/internals/#how-do-i-become-a-trusted-publishing-provider that is apparently not very discoverable but di just linked in the dpo discussion 18:39
@fajfer:reszka.org hm, even though I managed to build zuul-web and pass all tests it still produced an artifact that doesn't really work for the end user 18:43
@fajfer:reszka.org I guess more tests won't hurt if it eventually can go that way 18:45
@jim:acmegating.com fungi: yep, just a matter of whether opendev is "notable" 18:55
@jim:acmegating.com fungi: oh, mutability may be in question 18:56
