From 60de765fa0c8dac1654b11ded4b3986db0ec681c Mon Sep 17 00:00:00 2001
From: Brian Rosmaita
Date: Tue, 28 Nov 2023 15:04:53 -0500
Subject: [PATCH] Implement openstack-unmaintained-core group
Create a gerrit group to handle branches in Unmaintained status across all projects, as described in TC resolution 2023-11-14, which is commit 90982cd in the governance repository. Also adjust the acl file normalization tool so that it will guarantee that the Release Managers group has 'abandon' permission on Unmaintained branches if any project chooses to override the global openstack-unmaintained-core group with a project-specific unmaintained core team (as is allowed by TC resolution 2023-11-14). This entails a change in that script to require the acl file's namespace be passed in so that the check doesn't affect non-OpenStack OpenInfra projects.
Change-Id: Ife8e5f175cb8a7d396dfe2a5d52fd6d524ae0b43
---
 gerrit/acls/openstack/meta-config.config | 13 +++++++++
 tools/check_valid_gerrit_config.sh | 7 +++--
 tools/normalize_acl.py | 37 ++++++++++++++++++++----
 3 files changed, 50 insertions(+), 7 deletions(-)
diff --git a/gerrit/acls/openstack/meta-config.config b/gerrit/acls/openstack/meta-config.config
index 0ff49617f6..2d65c2e362 100644
--- a/gerrit/acls/openstack/meta-config.config
+++ b/gerrit/acls/openstack/meta-config.config
@@ -4,6 +4,19 @@
 createSignedTag = group Release Managers
 delete = group Release Managers
+[access "refs/heads/unmaintained/*"]
+ abandon = group Change Owner
+ abandon = group Project Bootstrappers
+ abandon = group Release Managers
+ abandon = group openstack-unmaintained-core
+ exclusiveGroupPermissions = abandon label-Code-Review label-Workflow
+ label-Code-Review = -2..+2 group Project Bootstrappers
+ label-Code-Review = -2..+2 group openstack-unmaintained-core
+ label-Code-Review = -1..+1 group Registered Users
+ label-Workflow = -1..+0 group Change Owner
+ label-Workflow = -1..+1 group Project Bootstrappers
+ label-Workflow = -1..+1 group openstack-unmaintained-core
+
 [receive]
 requireChangeId = true
 requireContributorAgreement = true
diff --git a/tools/check_valid_gerrit_config.sh b/tools/check_valid_gerrit_config.sh
index 01e85954c2..574e855cbd 100755
--- a/tools/check_valid_gerrit_config.sh
+++ b/tools/check_valid_gerrit_config.sh
@@ -13,13 +13,16 @@ declare -i NUM_TESTS=0
 function check_team_acl {
 local configs_dir="$1"
+ local namespace
 local configs_list
- echo "Checking" $(basename $configs_dir)
+ namespace="$(basename $configs_dir)"
+ echo "Checking $namespace"
 configs_list=$(find $configs_dir -name "*.config")
 for config in $configs_list; do
 let "NUM_TESTS+=1"
- $OLDPWD/tools/normalize_acl.py $config all > $TMPDIR/normalized
+ $OLDPWD/tools/normalize_acl.py $namespace $config all \
+ > $TMPDIR/normalized
 if ! diff -u $config $TMPDIR/normalized >>config_failures;
 then
 echo "Project $config is not normalized!" >>config_failures
diff --git a/tools/normalize_acl.py b/tools/normalize_acl.py
index 54fa4e4401..6b79b2136b 100755
--- a/tools/normalize_acl.py
+++ b/tools/normalize_acl.py
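Review bot: In the new `[access "refs/heads/unmaintained/*"]` section of gerrit/acls/openstack/meta-config.config, `openstack-unmaintained-core` receives `label-Code-Review = -2..+2` and `label-Workflow = -1..+1`, so membership of that single group decides who can approve changes on these branches, presumably for every project that inherits this file. Nothing visible in the patch records who owns the group or how members are added. If the normalization tooling preserves comments (not visible here), I would add one above the section such as `# openstack-unmaintained-core: see TC resolution 2023-11-14; owner group: <owner-group placeholder>`. It is also worth confirming that the group does not end up self-owned after creation, because members of a self-owned group can add further members and thereby extend approval rights.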
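Review bot: In the tools/check_valid_gerrit_config.sh hunk, `$namespace` is passed unquoted to a script that now reads its arguments strictly by position, so an empty value would shift `$config` into the namespace slot and the OpenStack-only rule would be skipped without a namespace-related error. Quoting keeps the positions fixed: `namespace="$(basename "$configs_dir")"` and `"$OLDPWD/tools/normalize_acl.py" "$namespace" "$config" all \`. The surrounding loop still relies on word splitting of `$configs_list`, so this only hardens the namespace argument. The body of `check_team_acl` continues past the end of the hunk.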
@@ -11,9 +11,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-# Usage: normalize_acl.py acl.config [transformation [transformation [...]]]
+# Usage: normalize_acl.py NAMESPACE acl.config [transform [transform [...]]]
 #
-# Transformations are described in user-facing detail below
+# The NAMESPACE specifies the OpenInfra project, e.g., 'openstack', and
+# conventionally corresponds to the directory name containing that project's
+# acl files.
+#
+# Transforms are described in user-facing detail below
 #
 # Transformations:
 # all Report all transformations as a dry run.
@@ -83,19 +87,39 @@ The current transformations
 LAST_TRANSFORMATION = 10
-aclfile = sys.argv[1]
+USAGE_STRING = ("Usage:\n normalize_acl.py NAMESPACE acl.config [transform "
+ "[transform [...]]]\n or 'normalize_acl.py -help' for info "
+ "on the available transforms")
+
+
+try:
+ namespace = sys.argv[1]
+except IndexError:
+ print('error: missing NAMESPACE or -help')
+ print(USAGE_STRING)
+ sys.exit(1)
 # NOTE(ianw) : 2023-04-20 obviously we would not write any of this
 # like this if we were starting fresh. But this has grown from a
 # simple thing into something difficult for people to deal with. If
 # we have any errors during the tox job, we use this to print out a
 # help message.
-if (aclfile == '-help'):
+if (namespace == '-help'):
 print(NORMALIZATION_HELP)
 sys.exit(1)
 try:
- transformations = sys.argv[2:]
+ aclfile = sys.argv[2]
+except IndexError:
+ print('error: missing acl filespec')
+ print(USAGE_STRING)
+ sys.exit(1)
+
+# TODO(rosmaita): refactor this, there's nothing in the 'try'
+# that will raise a KeyError, and in any case, an out-of-range slice
+# reference already returns an empty list
+try:
+ transformations = sys.argv[3:]
 if transformations:
 RANGE_END = LAST_TRANSFORMATION + 1
 if transformations[0] == 'all':
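Review bot: In the second hunk of tools/normalize_acl.py, `namespace` is taken from `sys.argv[1]` with no validation, so a misspelt value or a directory path passed in its place produces no namespace error and the later `namespace == 'openstack'` comparison just evaluates false. Since that comparison is what guarantees Release Managers the abandon permission, a wrong value should fail loudly. Right after the `-help` check I would reject values that look like a path or a file, `if '/' in namespace or namespace.endswith('.config'):`, followed by the same `print(USAGE_STRING)` and `sys.exit(1)` pair used above. The new error messages also go to stdout, which the shell wrapper redirects into the normalized file; `print(..., file=sys.stderr)` would keep them visible in the job output.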
@@ -306,6 +330,9 @@ if '8' in transformations:
 if 'abandon' in exclusives:
 newsection.append('abandon = group Change Owner')
 newsection.append('abandon = group Project Bootstrappers')
+ if (namespace == 'openstack'
+ and 'refs/heads/unmaintained' in section):
+ newsection.append('abandon = group Release Managers')
 if 'label-Code-Review' in exclusives:
 newsection.append('label-Code-Review = -2..+2 '
 'group Project Bootstrappers')
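Review bot: The test `'refs/heads/unmaintained' in section` is a substring match, so it also fires for any section whose ref merely contains that text, for instance a hypothetical `refs/heads/unmaintained-archive/*`, and grants Release Managers abandon there too. Anchoring on the trailing slash narrows it to the intended branch prefix: `and 'refs/heads/unmaintained/' in section):`. The grant is appended unconditionally, so a project file that already lists `abandon = group Release Managers` may end up with the line twice unless a later step deduplicates. That step, like the rest of the `if '8' in transformations:` block, lies outside this hunk. A one-line comment above the condition pointing to TC resolution 2023-11-14 would explain why the rule applies to the `openstack` namespace only.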