Trusted branch verification

David Diederich requested to merge trusted-branch-verification into master

This MR adds in some critical top-level rules and structure to the standard pipeline templates, which enables contributors to perform work and create merge requests without access to protected variables, while allowing the committers to use those protected variables to test the request in an integration test environment. The actual mechanics are devilishly complicated among a fairly small set of changes, so this is accompanied with a fair bit of documentation to explain what's going on.

Some of the core logic was written in JavaScript / Bash, and packaged into a custom Docker image hosted here on community. That initial code should be considered part of this merge request. Find it here: https://community.opengroup.org/osdu/platform/trusted-mr-container

To save you some clicks, here's the link to the documentation file: https://community.opengroup.org/osdu/platform/ci-cd-pipelines/-/blob/trusted-branch-verification/doc/trusted-mr.adoc

I am trying out the idea of having asciidoc included within this repository, and generating HTML documentation using GitLab Pages. I am interested in your feedback on this general idea, and better ways to structure / present the documentation, but I do not want to hold up this MR as a result. I am planning another merge request to expand the documentation to include the meat of the project, and will make it pretty then. However, having good content is in scope for this review, including:

  • Does the code actually perform what the documentation says?
  • Is the process a reasonable way to accomplish the stated goals?
  • Are the stated goals sensible and/or complete?

I would like to call out in particular the part about "trusted-" branches not creating any pipelines on their own. This is a deviation from what we originally planned, and may require some branch renaming / extra steps in certain circumstances.

I added several individuals that I would like feedback from about this change, some technical-oriented and some process-oriented. I did not mark them all as required -- I know we are all quite busy -- but please give some time for all to have a chance to review it before merging. Thanks.

Edited by David Diederich