[sysadmin/repo-management] hooks: Implement two additional checks as part of our hooks:
Ben Cooksley
null at kde.org
Tue Mar 8 08:13:21 GMT 2022
Git commit 919f7163102835d46c81593251fd0689fea71640 by Ben Cooksley.
Committed on 08/03/2022 at 08:13.
Pushed by bcooksley into branch 'master'.
Implement two additional checks as part of our hooks:
1) Require that all *.knsrc file changes be reviewed by a Sysadmin if landing in a non-work branch
2) Alert Sysadmin if anyone mentions download.kde.org or files.kde.org in the text of their code.
CCMAIL: kde-frameworks-devel at kde.org
CCMAIL: plasma-devel at kde.org
M +14 -0 hooks/hooklib.py
M +16 -2 hooks/invent.pre-receive
https://invent.kde.org/sysadmin/repo-management/commit/919f7163102835d46c81593251fd0689fea71640
diff --git a/hooks/hooklib.py b/hooks/hooklib.py
index 062b0e3..df04d96 100644
--- a/hooks/hooklib.py
+++ b/hooks/hooklib.py
@@ -706,6 +706,10 @@ class CommitEmailNotifier:
if self.checker and (self.checker.license_problem or self.checker.commit_problem):
cc_addresses.append( self.commit.committer_email )
+ # Add Sysadmin if infrastructure problems have been found
+ if self.checker and self.checker.infra_problem):
+ cc_addresses.append( 'sysadmin at kde.org' )
+
if self.keywords['email_gui']:
cc_addresses.append( 'kde-doc-english at kde.org' )
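Review bot: The added condition `if self.checker and self.checker.infra_problem):` has an unmatched closing parenthesis, so hooklib.py will not compile as shown; it should read `if self.checker and self.checker.infra_problem:`. A SyntaxError in this module would presumably stop every hook that imports it from running, so it is worth confirming whether that failure mode rejects pushes or silently skips the audit and notification steps. The enclosing method starts and ends outside the hunk.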
@@ -1002,6 +1006,10 @@ class CommitChecker:
def commit_problem(self):
return self._commit_problem
+ @property
+ def infra_problem(self):
+ return self._infra_problem
+
@property
def commit_notes(self):
return self._commit_notes
@@ -1219,6 +1227,7 @@ class CommitChecker:
# Initialise
self._license_problem = False
+ self._infra_problem = False
self._commit_problem = False
self._commit_notes = defaultdict(list)
@@ -1261,6 +1270,11 @@ class CommitChecker:
self._commit_notes[filename].append(note)
self._commit_problem = True
+ # Check for references to KDE.org infrastructure which are being added without permission
+ if re.search(".*(download|files)\.kde\.org.*", line) and line.startswith("+"):
+ self._commit_notes[filename].append( "[INFRASTRUCTURE]" )
+ self._infra_problem = True
+
# Store the diff....
filediff.append(line)
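Review bot: The pattern on the added `re.search` line is a non-raw string containing `\.`, which newer Python versions warn about as an invalid escape sequence, and the match is case-sensitive although host names are not. Something like `if line.startswith("+") and re.search(r"(download|files)\.kde\.org", line, re.IGNORECASE):` keeps the intent, drops the redundant `.*` on both ends and does the cheap prefix test first. `startswith("+")` presumably also matches the `+++ b/…` file header line of each diff, so a path containing one of these host names would be flagged too; a comment saying whether that is intended would help. The surrounding loop starts and ends outside the hunk.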
diff --git a/hooks/invent.pre-receive b/hooks/invent.pre-receive
index 75dda6a..537d104 100755
--- a/hooks/invent.pre-receive
+++ b/hooks/invent.pre-receive
@@ -99,6 +99,9 @@ translation_file_rules = [
'^poqm/.*'
]
+# These users are authorised to review changes to *.knsrc files
+knsrc_reviewers = ['bcooksley', 'bshah', 'nalvarez']
+
# For these users we always skip notifications
notification_user_exceptions = ["scripty"]
@@ -355,8 +358,8 @@ for changeset in repository.changesets.values():
if not os.path.exists(repository_config + "/skip-author-email-checks"):
auditor.audit_emails_in_metadata( changeset, email_domains_blocked )
- # Depending on who we are, we may also need to check to see whether we are changing translations that have been mirrored into the repository
- # Only specific users are allowed to change these as they are maintained by scripty
+ # Depending on who we are, we may also need to check to see whether we are changing translations that have been mirrored into the repository
+ # Only specific users are allowed to change these as they are maintained by scripty
if not os.path.exists(repository_config + "/skip-translation-protections") and push_user not in translation_mirror_maintainers:
# Review each commit for changes to files...
for commit in changeset.commits.values():
@@ -368,6 +371,17 @@ for changeset in repository.changesets.values():
if re.match(restriction, filename):
auditor.log_failure(commit.sha1, "Translations maintained separately: " + filename)
+ # Depending on who we are, we may also need to check to see whether we are impacting on a KNSRC file
+ # Only specific users are allowed to change these as they can have substantial infrastructure implications
+ if not os.path.exists(repository_config + "/skip-knsrc-protections") and push_user not in knsrc_reviewers and changeset.ref_type is not RefType.WorkBranch:
+ # Review each commit for changes to files...
+ for commit in changeset.commits.values():
+ # Now check each file that was changed in that commit...
+ for filename in commit.files_changed:
+ # Did we change a KNSRC file?
+ if re.match(".*knsrc.*", filename):
+ auditor.log_failure(commit.sha1, "KNewStuff configuration must be Sysadmin reviewed: " + filename)
+
# Did we have any commit audit failures?
if auditor.audit_failed:
print("Push declined - commits failed audit")
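Review bot: `re.match(".*knsrc.*", filename)` flags any path containing the substring `knsrc` in a directory or file name, which is wider than the `*.knsrc` files named in the commit message, and it is case-sensitive. If the wide match is deliberate, a comment such as `# Deliberately matches any path containing "knsrc", not only *.knsrc` would record that; otherwise anchor it, e.g. `re.search(r"\.knsrc$", filename)`. The gate also tests `push_user`, so "reviewed by a Sysadmin" is enforced as "pushed by a member of knsrc_reviewers", and the comment above the `if` could state that explicitly. The enclosing `for changeset` loop starts outside the hunk.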