Pilot prow's branch protector on test-infra repo


Erick Fejta

Jan 9, 2018, 6:07:42 PM
to kubernetes-sig-testing, kubernetes-wg-contribex
Hello everyone,

I intend to pilot the branch protection bot on test-infra.

This bot will configure:
  • Whether a branch is protected
  • Which github contexts are required to pass before merging
  • Which teams have emergency write access to the branch (beyond repo admins)
I would like to start out by enabling it on all kubernetes/test-infra branches, to get feedback.

Eventually the intent is to automatically protect the entire kubernetes org.

Christoph Blecker

Jan 9, 2018, 6:45:42 PM
to Erick Fejta, kubernetes-sig-testing, kubernetes-wg-contribex
The other repo that might be good to pilot on is k/community. There were questions as recently as today to "Is there a bot that will merge this? What's missing?"

--
You received this message because you are subscribed to the Google Groups "kubernetes-wg-contribex" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-wg-contribex+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-wg-contribex@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-wg-contribex/CAMMDcuGJcCGLU2ctF6NSPjR_EF6BZPf5QVmWz5gTj4XAXg%2BGYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Erick Fejta

Jan 9, 2018, 6:57:22 PM
to Christoph Blecker, kubernetes-sig-testing, kubernetes-wg-contribex
Sure, once we dogfood it in test-infra I'll be eager for other volunteers :)


Erick Fejta

Jan 19, 2018, 3:16:58 PM
to Christoph Blecker, kubernetes-sig-testing, kubernetes-wg-contribex
Heads up that branchprotector will start protecting test-infra on Monday.

Once that goes well we'll turn it on for k/community.

Then we'll talk about turning this on for k/*

Erick Fejta

Jan 29, 2018, 7:36:58 PM
to Christoph Blecker, kubernetes-sig-testing, kubernetes-wg-contribex
Update that we are now protecting kubernetes/test-infra and all repos in the kubernetes-sig-testing org. Please provide feedback on the behavior of these repos (#testing-ops on slack, ideally) if you notice any problems.

Intend to expand automatic protection to k/community later this week.

And then open up discussion about the following
  1. Automatically protecting the k/k repo (already happening manually, should be a no op)
  2. Asking any k/* repos to explicitly opt out of repo protection
  3. Automatically opting all repos with prow and a submit queue into automatic branch protection (except those that opt-out)
  4. Automatically opting all repos in the kubernetes org into automatic branch protection (except those that opt-out)
  5. Requiring all repos that opt out of repo protection to either opt in or set a timeline for migrating the repo out of the kubernetes org.
Thanks!

Erick Fejta

Jan 30, 2018, 6:06:14 PM
to Christoph Blecker, kubernetes-sig-testing, kubernetes-wg-contribex
PR is out to turn this on for the community branch: https://github.com/kubernetes/test-infra/pull/6539, technically a no op as this repo was historically protected by mungegithub.

Once this is in I'll send out a similar email to kubernetes-dev about k/k and then all repos.

Erick Fejta

Mar 27, 2018, 7:01:20 PM
to kubernetes-wg-contribex, kubernetes-sig-testing
Hello kubernetes contributors,

We have been piloting automated branch protection on the community and test-infra repos for the past couple months without issue.

We intend to eventually protect all repos in the kubernetes org in this fashion.

The next phase extends this protection to repos which meet all the following conditions:
  • Are repos in the kubernetes org
  • Configured prow/tide to automatically merge PRs
  • Have no preexisting branch protection configuration
15 repos meet these criteria:
  • kubernetes/cloud-provider-aws
  • kubernetes/cloud-provider-azure
  • kubernetes/cloud-provider-gcp
  • kubernetes/cloud-provider-openstack
  • kubernetes/cluster-registry
  • kubernetes/features
  • kubernetes/federation
  • kubernetes/gengo
  • kubernetes/heapster
  • kubernetes/ingress-nginx
  • kubernetes/kubernetes-template-project
  • kubernetes/kube-state-metrics
  • kubernetes/kube-deploy
  • kubernetes/node-problem-detector
  • kubernetes/steering
It will ensure that only repo administrators can:
  • Ignore failing presubmit tests and still click the merge button
  • Force push to the repo, overwriting git history
It should otherwise have no impact on developer activity.

Please leave feedback/concerns/etc on this thread and/or kubernetes/test-infra#7443

Thanks!

Christoph Blecker

Mar 28, 2018, 1:29:38 AM
to Erick Fejta, kubernetes-wg-contribex, kubernetes-sig-testing
This is great, Erick. I support this change. Please leave at least 72 hours though for feedback :)

Cheers,
Christoph


Erick Fejta

Mar 29, 2018, 2:21:44 PM
to Stefan Schimanski, kubernetes-wg-contribex, kubernetes-sig-testing
Sure, we definitely want the publisher to be able to do its work.

I would not expect this to prevent the publisher from creating branches, but please let me know if it does and we can figure out how to fix things.

On Thu, Mar 29, 2018 at 1:37 AM Stefan Schimanski <st...@redhat.com> wrote:
Hi Erick,

I like to see the automatic branch protection moving forward.

Please be aware of the publisher-bot (k8s-publishing-bot github user) automatically creating branches in client-go, apimachinery, etc. when synchronizing. As far as I understand it will keep its permissions with these changes moving forward.

Best regards,
   Stefan


Stefan Schimanski

Mar 30, 2018, 6:02:24 PM
to Erick Fejta, kubernetes-wg-contribex, kubernetes-sig-testing
Hi Erick,

I like to see the automatic branch protection moving forward.

Please be aware of the publisher-bot (k8s-publishing-bot github user) automatically creating branches in client-go, apimachinery, etc. when synchronizing. As far as I understand it will keep its permissions with these changes moving forward.

Best regards,
   Stefan


Erick Fejta

Apr 3, 2018, 5:34:48 PM
to kubernetes-wg-contribex, kubernetes-sig-testing
Hello again!

We are in the process of automatically enabling branch protection for all repos in the kubernetes org.

We recently enabled protection on all repos that use prow/tide, and we will soon merge kubernetes/test-infra#7526 which will make all prow/tide repos automatically update the branch protection configuration unless in a blacklist.

The only impact should be limiting who can merge PRs that fail tests to repo administrators, and preventing rewriting git history on the repo.

kubernetes/* repo administrators not using prow/tide for CI: we will soon switch automated branch protection from a whitelist to a blacklist.

This means that all kubernetes repos will use branch protection unless explicitly opting out of the system in the near future. I will send out another notice with the PR that will enable this in the near future.

If you are happy enabling branch protection on your repo, no action is required.

If you want to temporarily blacklist a kubernetes repo from branch protection, please take one of the following actions:
Thanks!

Erick Fejta

May 18, 2018, 1:54:48 AM
to kubernetes-wg-contribex, kubernetes-sig-testing
We are in the process of automatically enabling branch protection for all repos in the kubernetes org.

At the end of May all repositories in the kubernetes org will enable branch protection by default.

Feel free to ignore this email if you:
  • already defined branch protection policies for your repos
  • merge PRs that pass unit tests
  • avoid rewriting github history

Impact of protected branches: only administrators will be able to merge PRs that fail unit tests, and only administrators will be able to rewrite git history.

If this concerns you:
  • Please send a PR to explicitly configure branch protection in prow/config.yaml for repos that need anyone to merge PRs that fail tests and/or anyone to rewrite git history.
  • Send out this PR before the end of May
Thanks!