Commit Graph

8 Commits (master)

Author SHA1 Message Date
Jeremy Stanley 464f4f586a
Indent Gerrit ACL options
Gerrit very much wants its ACLs to indent option lines (but not
section headings) by a single hard tab.

The recent migration to schema 185 with Gerrit 3.7 has updated
copyConditions flags and re-written most of the ACL files to look like
this (c.f. I1f11c07e3786bd1a68b43d908d939fde42ddb99c).

This updates the normalize tool to format like this, and modifies all
our ACL's to the new format.

This is intended to be a no-op with no functional change.  For future
upgrades, this will reduce the diffs of any updates Gerrit might make.

Change-Id: I3a0c0da1eb32f8afb31ffa0c24ea45aaca8da8cc
2 months ago
Jeremy Stanley 0d066f954d Remove unsigned tagging permission from projects
Now that we have a fix in place for Gerrit's tag signature detection
regression, remove the unsafe permission for pushing unsigned tags
to return everything to the state we had prior to the 3.4 upgrade.

Change-Id: Ia9afb5fb4be311cca59d3e1cf3b7bc611184fe15
1 year ago
Jeremy Stanley 83ca7a97f9 Work around signed tag regression from Gerrit 3.4
Upon upgrading from Gerrit 3.3 to 3.4, a regression was observed in
which jgit no longer returns signatures in its tag messages, causing
Gerrit to misidentify signed tags as unsigned (annotated) tags.
Because our ACLs only allow signed tags to be pushed, this
regression prevents Gerrit from accepting them now.

Temporarily grant permission to push unsigned tags to anyone who
has permission to push signed ones. We will revert that as soon as a
fixed Gerrit is in place, but in the meantime users will be warned
to take care when pushing tags so that they don't accidentally push
actually unsigned tags to Gerrit.

Also, the pushSignedTag keyword was deprecated in favor of the new
createSignedTag name, so go ahead and update to that while we're
doing this so that we can limit the amount of churn across all these
ACLs. Documentation will be corrected to recommend the new format in
a separate change, but update the ACL linter now to prevent the old
syntax from being used in new projects.

This workaround was already tested on opendev/bindep in the parent
Iad8c1f83e247c9a8bcf5b4f530f7b83663e1f793 change, and confirmed to
function as intended.

Change-Id: Ia426ea36b4e6877fdce5725ff1e00ae02c62e3f4
1 year ago
Paul Belanger 078d3f16f3 Create ansible-role-boto3 project
We'll be using this in the windmill project to help managed boto3 which
is a nodepool dependency.

Change-Id: I99ede4f0fbabdce26fc981a38e75854d97f5b337
Signed-off-by: Paul Belanger <>
3 years ago
Paul Belanger 8eaf6af04b Add ansible-role-zuul-registry role for windmill
We'll be using this role to deploy for windmill usage.

Change-Id: Iadc1dbbeb6b348ff84460b4043d30c1a2630164a
Signed-off-by: Paul Belanger <>
4 years ago
Paul Belanger 7cdb577978 Set requireContributorAgreement false for windmill roles
We don't need to enforce a CLA here. Remove it to be a little more
friendly to new contributors.

Change-Id: Ib1523234c28bd397d0408e25905fb7905fad1a12
Signed-off-by: Paul Belanger <>
4 years ago
Paul Belanger 4e44900bf6 Add windmill-ops / ansible-role-elasticsearch
These repos will be used to start adding elastic search support to
windmill. Day 2 operations related to digging deeper into zuul logs.

Change-Id: I97fc69c63b92c27dd33abc35d4e0fc7b72d74eda
Signed-off-by: Paul Belanger <>
4 years ago
OpenDev Sysadmins aca4bbb900 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at with any
questions you may have.
4 years ago