# Git source control

We use various git hosting solutions for CentOS, depending on the need:

* [Pagure](https://pagure.io/pagure): self-hosted on [https://git.centos.org](https://git.centos.org)
* GitHub: we have a [presence/Organization](https://github.com/centos) there for some automation scripts for historical reasons, like all [ansible roles](https://github.com/centos?q=ansible-&type=&language=&sort=)
* GitLab: Red Hat recently decided to start using GitLab for [Stream 9 sources](https://gitlab.com/redhat/centos-stream) and beyond

Let's focus only on the first one, which the infra team needs to manage/maintain, and explain what it's used for and which specific permissions/delegations we have for Special Interest Groups (SIGs).

# Git.centos.org

The first thing to know is that it's all managed/deployed by the Ansible [pagure role](https://github.com/CentOS/ansible-role-pagure).

Due to experience within the team, we decided to use a MySQL DB instead of PostgreSQL, and also to reuse existing roles for these other parts.

## Initial purposes

It's mainly used for:

* CentOS-specific projects (like the website, etc.), all in the `/centos/` namespace
* RPM package sources from RHEL, pushed by Red Hat and then built by the CentOS team, all landing in the `/rpms/` namespace

## Authentication

Our pagure instance is tied to our existing [Authentication service](/infra/authentication/), so one first needs an account there to interact with the pagure instance (except, of course, for read-only operations like cloning a repository).

When a user is added to a SIG group and logs in again, their membership is reflected on the pagure/git.centos.org side.

Their SSH public key is imported into their account (normal for a git forge solution).

## Protected branches and ACLs

By default, *nobody* (except a specific privileged Red Hat account) can push to the `master` branch of *any* project under the `/rpms/` namespace, nor to any other protected branch, like `c7`, `c8`, `c8s` and so on (matched by regex).

All these protected branches represent what Red Hat is pushing, which should represent the upstream RHEL sources.

Apart from protected branches, members of SIGs can push *automatically* (the logic is checked automatically by [pagure-dist-git](https://pagure.io/pagure-dist-git)) to some 'sub' branches.

Example: a member of the `sig-cloud` group can automatically push to the `c8-sig-cloud-<whatever_if_I_want_to>` branch of any rpm in the `/rpms/` namespace, but *never* to the main `c8` branch (and repeat the logic by swapping distro release and SIG group/name).

### Lookaside cache upload

People can also push to the [`lookaside cache`](https://git.centos.org/sources) the tarballs/archives needed to [rebuild/compose a src.rpm](https://wiki.centos.org/Sources) package before it is submitted to the build system (to build and release rpm packages).

Same logic as above: a specific privileged Red Hat account can push all needed tarballs/archives to the lookaside cache in all directories.

A SIG member can push to the specific branch that corresponds to the logic described above for git: from our previous example, that means pushing to `c8-sig-cloud-<whatever_if_I_want_to>`.

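The branch rule described under "Protected branches and ACLs", which the lookaside cache reuses, can be sketched as a push decision for a `/rpms/` repository. This is an added example, not pagure-dist-git's own code: the two regexes, the function names, the `privileged` flag and the default-deny for any other branch name are assumptions, since the page does not give the real patterns.

```python
import re

# Assumption: protected branches are "master" plus distro branches such as
# c7, c8, c8s. The page says they are matched by regex but does not show it.
PROTECTED = re.compile(r"master|c\d+s?")
# Assumption: a SIG branch starts with a distro release such as "c8-" or "c8s-".
RELEASE_PREFIX = re.compile(r"c\d+s?-")


def sig_for_branch(branch, groups):
    """Return the caller's SIG group that owns `branch`, or None."""
    m = RELEASE_PREFIX.match(branch)
    if m is None:
        return None
    rest = branch[m.end():]
    for group in sorted(groups):
        if not group.startswith("sig-"):
            continue
        # Exact name or a "-" separator is required, so membership of
        # sig-cloud does not grant access to a "sig-cloudy" branch.
        if rest == group or rest.startswith(group + "-"):
            return group
    return None


def can_push(branch, groups, privileged=False):
    """Decide whether a push to `branch` of a /rpms/ repository is allowed."""
    # fullmatch avoids the "$ also matches before a trailing newline" pitfall.
    if PROTECTED.fullmatch(branch):
        # Only the privileged Red Hat account may write upstream RHEL sources.
        return privileged
    # Anything that is not a SIG branch of one of the caller's groups is
    # denied (assumption: the page does not describe other branch names).
    return sig_for_branch(branch, groups) is not None


if __name__ == "__main__":
    # Constructed sample pushes: (branch, groups, privileged)
    samples = [
        ("c8-sig-cloud-openstack", {"sig-cloud"}, False),
        ("c8", {"sig-cloud"}, False),
        ("c8", set(), True),
        ("c8-sig-cloudy-test", {"sig-cloud"}, False),
        ("c8-sig-storage-gluster", {"sig-cloud"}, False),
    ]
    for branch, groups, privileged in samples:
        verdict = "allow" if can_push(branch, groups, privileged) else "deny"
        print(f"{branch:28} {sorted(groups)} privileged={privileged}: {verdict}")
```
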