I have added an infra-root E-mail alias for a new
weblate@openstack.org account in id.openinfra.dev, created an
account in openstack.weblate.cloud with that ID, and used it to
generate a Weblate REST API key. This change updates the previous
placeholder secret with one containing the new key.
Change-Id: I88c5ee4d3847fc4a59130f746cbfb8609df08939
To migrate i18n translation platform from zanata to weblate,
add a weblate api key in zuul secret.
Change-Id: I9170509a99d6164de9fc93d729219c3007fc64f7
OpenStack contributors have worked out a solution for enabling FIPS
testing on Ubuntu nodes, which normally requires a paid
subscription. The "token" field of the "openstack_ubuntu_fips"
secret supplied here can be applied to a test node early during job
setup by calling "pro attach {{ token }}" as root.
The secret will be replaced periodically, in order to make any
entitlement exfiltrated from job nodes unattractive for production
use.
Change-Id: I9fb9758f8deddc3c76fb22fc859291dea8cfcd43
This converts the pypi uploads to use an API token, rather than
username/password authentication.
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/849597
Change-Id: I350a1fda75d76ac19546864dd01394adcd417348
This is a zuul-encrypted export of the signing subkey for the Zed
release cycle: 0xa63ea142678138d1bb15f2e303bdfd64dd164087
This was created using the instructions from our documentation:
https://docs.opendev.org/opendev/system-config/latest/signing.html
Change-Id: I86e393994c80b0d73df21e62182a75e4b047b1c7
When we replaced the Gerrit server some months back, we missed
updating SSH key secrets where its old addresses were hard-coded.
Fix them to match our present reality.
Change-Id: I48663badcccf3f3b4b27573d5be5ad27656019e2
This is a zuul-encrypted export of the signing subkey for the
Yoga release cycle: 0x01527a34f0d0080f8a5db8d6eb6c5df21b4b6363
This was created using the updated instructions from change
I7008706aae06b6e4a16db2dd85a8c7f91530cd50.
Change-Id: Ice1bdc121dfa8fd3e33b5f237848ae1417087ee4
Adjust the afsdocs_secret-tox-docs-site secret to use the new
targets tree expected by the opendev-promote-docs-base job.
This should solve recent failures for the promote-airship-project-docs
job when triggered from any branch other than master.
Change-Id: If454c0dfc126e23e92a68356acd7ec7e50a6c51c
Adjust the afsdocs_secret-openstack-manuals secret to use the new
targets tree expected by the opendev-promote-docs-base job.
This should solve recent failures for the promote-openstack-manuals
job.
Change-Id: I208dec5a1d790e97c7e7844ed384db27fa53e3af
This updates the promote and publish secrets and jobs to no longer
rely on jinja templates in secrets since Zuul removed support for
that.
Instead, we pass in only known safe static variables (i.e., the "zuul"
hierarchy).
Change-Id: I4ea24dadf24437222373853cf70908d82e3dbbc3
This is a zuul-encrypted export of the signing subkey for the
Xena release cycle: 0x4c29ff0e437f3351fd82bdf47c5a3bc787dc7035
Note that this key is much shorter, owing to it being ECC instead of
RSA. This was created using the updated instructions from change
Ibb1c5ae8c540713e1c39d0000497c6b8b89b67c8.
Change-Id: I33581d695cfe1bbcd98f9b5fc5dc38afe42066ba
Gerrit has shuffled the order in which it returns host keys, and
ssh clients can get confused if the first host key type they support
in the list isn't included in the known_hosts file already. Just go
ahead and include all the host keys our Gerrit provides.
Change-Id: I15cdf24d9b3a372a7c8ad1aef97baa3b5eeefab0
This is a zuul-encrypted export of the signing subkey for the
Wallaby release cycle: 0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da
Change-Id: I91b897956a3aa413c1a9b2ddd06d6a582665584e
Opendev no longer automatically creates repositories on the
GitHub mirror, nor does it update descriptions or close open PRs.
Add a playbook and a job for periodically maintaining the GitHub
mirror for the 'openstack' organization:
- updating descriptions based on Gerrit project descriptions
- creating on GitHub newly-added openstack repositories
- archiving from GitHub recently-retired openstack repositories
- closing any open PR with a helpful message
This job makes use of a GitHub API token (from the openstack-mirroring
user) and is defined to run periodically on project-config.
Change-Id: Ic02f436eb655dcbe84824b304ea2933e16312e67
This is a zuul-encrypted export of the signing subkey for the
Victoria release cycle: 0x2426b928085a020d8a90d0d879ab7008d0896c8a
Change-Id: I6f55b874c154dff09568834e0c30ec7eb5dc0b29
We're currently adding the private key of a jenkins user. But we
don't use jenkins, so this is lame. Use the zuul deploy key for
project-config instead.
This needs to run as project-config so that per-project deploy
keys work. To do that, shift it from being triggered by irc-meetings
to being triggered hourly by project-config.
As a followup, we should probably convert this to just publish to
AFS and serve the content from there.
Depends-On: https://review.opendev.org/721098
Change-Id: I7874ef46a616e8fd68cf8d95afc3928d3440ba51
This change introduces the usage of the parent job which enforces
a project name inside of it to prevent a project from mirroring
maliciously to another one.
It reparents it to the nodeless job inside opendev, enforces the
setting of target_repository inside the secret so it cannot be modified
and fixes the `user` to point to `git` instead.
This reverts commit 04133b4bcc.
Change-Id: Iac5db122eb41709dffcdae675137723cd49fca8f
Create an openstack-mirror-on-github job that uses the
openstack-mirroring user on GitHub (and its SSH key) to
individually mirror repositories to the "openstack"
organization on GitHub.
That will allow us to turn off global replication of the
'openstack/*' repositories at Gerrit-level.
Enable the new job on openstack/release-test as a test. It
should be able to run concurrently with Gerrit-wide
mirroring as this is an idempotent operation.
Once this merges and is validated, we can apply the job to
all official/active openstack projects, before disabling the
Gerrit-wide replication (see https://review.opendev.org/718478).
Change-Id: Ie7b4f520d6f47d56a71c812dcc06fd5d26da8fe0
These secrets were related to jobs uploading to the static
logs.openstack.org server, which is no longer used. Remove them.
Story: #2006598
Task: #37735
Change-Id: Iaa7fc45c25df57a9ee70088ace17f228884160e4
playbooks/publish/service-types.yaml is not used anymore, with AFS
publishing it got obsoleted and can now be removed.
site_specs and site_specs_promote are not used anymore, remove them.
Change-Id: I0c3ca2455b4f8b721d48d44780dbc397ddc9cb20
Remove publish-tox-docs-static, the last user has been converted to AFS
publishing.
Remove the parent base-publish-tox-docs-static as well, it's not used
anymore.
Remove playbook files and secrets used by these jobs.
Depends-On: https://review.opendev.org/708918
Change-Id: I68b3ab7e597e230617ec1eaa8217d4f5f4c5fb15
Following-on from Ia3a0358249e9ed3d766b1b61535f2f6d67d4eb2d, this
removes the publishing from the static site, which is now happening to
AFS.
The site_tarballs secret is no longer required. The two jobs still
using it have a parent of publish-openstack-artifacts so should not
need a separate secret.
Depends-On: https://review.opendev.org/706732
Change-Id: I1b1db7d2451d7fb1fdd7921e7c9efd0e020fbce6
This is an encoding of the keytab updated in
I94f0f68fa0d5383c8a71fd6e065349d7b887a8e4
Change-Id: Ie300fbb9c464bcd5773eb1348b8481e7ebd0c17f
Story: #2006598
Task: #38607
This is part of our efforts to get tarball publishing onto AFS volumes
[1].
Test a new artifact publishing job that puts output at
/afs/.openstack.org/project/tarballs.opendev.org. This is intended to
replace the existing publishing job when it is working.
[1] https://docs.opendev.org/opendev/infra-specs/latest/specs/retire-static.html
Change-Id: Ied96194e1904fee232e144a4e89ec8ba2252e42e
The promote jobs do not use "path", they use "docs...path" instead,
remove the extra unused variable.
Change-Id: I57deeadfef3234eecb3f637a6f41701dba4631c6
This is a zuul-encrypted export of the signing subkey for the Ussuri
release cycle: 0xbba3b1e67a7303dd1769d34595bf2e4d09004514
Change-Id: Id46052bb18734d2050b90da339e46596fd3964e8
Add base job and secret for moving from publishing to
static.o.o to AFS publishing.
Story: 2006598
Task: 36854
Change-Id: I094066c1ab3b55ae6cfae99aafff125128cd73a4
Create new promote jobs for infra-index and docs-site.
Also, add promote-openstack-specs job that we can use for publishing
all specs site later.
Add the same file list (copied from openstack-zuul-jobs) for the two
project-config promote jobs.
Remove the now obsolete publish jobs.
Remove now obsolete playbooks.
Needed-By: https://review.opendev.org/682215
Change-Id: I3c227f4229a0572a532009f270d44059698f53e8
Add new promote jobs for promoting jobs that publish to the static site
and for promoting releasenotes.
Update projects.yaml for this change and remove jobs that are updated.
The existing promote file does not work for static site, create a new
one.
Needed-By: https://review.opendev.org/678430
Change-Id: I112745b70448cc3e6fec6e2932e4fe651f9174b0