We recently onboarded https://pagure.io/fedora-comps to Zuul-based CI, but for some bizarre reason, when testing a PR for fedora-comps - e.g. https://pagure.io/fedora-comps/pull-request/834 - Zuul is running the tasks from a completely different repository, https://pagure.io/workstation-ostree-config . If you look at the full logs of the Zuul job, you see:
2023-04-22 17:05:49.135151 | RUN START: [untrusted : pagure.io/workstation-ostree-config/ci/validate.yaml@main]
and then later:
2023-04-22 17:05:49.775376 | TASK [Install dependencies]
...
2023-04-22 17:06:37.315356 | TASK [Validate manifests and scripts syntax]
Those are the names of tasks from https://pagure.io/workstation-ostree-config/blob/main/f/ci/validate.yaml , not from https://pagure.io/fedora-comps/blob/main/f/ci/validate.yaml .
I've no idea why this is happening, except possibly it's some kind of bug triggered by the two repos happening to have exactly the same filenames for the CI-related stuff?
I think it does indeed follow the logic of loading all job configurations from projects in https://pagure.io/fedora-project-config/blob/master/f/resources/fedora-sources.yaml into the shared space, so the latest loaded job got applied:
https://fedora.softwarefactory-project.io/zuul/job/validate
Some explanation is available in https://zuul-ci.org/docs/zuul/latest/tenants.html#attr-tenant.untrusted-projects.%3Cproject%3E.shadow
But this logic does not fit the setup when projects are managed completely independently and may define overlapping jobs.
@fabien2 this seems to be a security risk, as someone may override someone else's job from their repository.
Is there a parameter we are missing?
My expectation would be that local .zuul.yaml configuration should be applied only from the repository whose code is being tested.
Yes, Zuul job definitions discovered during the crawling of repos/branches from a given Zuul tenant are part of the tenant's jobs (https://softwarefactory-project.io/zuul/t/fedora/jobs). A job defined in repo A can be used by repo B. In a shared space like the Fedora Zuul tenant this needs to be advertised. Either consumers of the CI need to ensure uniqueness of job (and other Zuul config item) names, or we decide that all or some configuration items are only allowed to be defined in specific repositories (see include/exclude https://zuul-ci.org/docs/zuul/latest/tenants.html#attr-tenant.untrusted-projects.%3Cproject%3E.include).
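The collision described in this thread (two repos in one tenant both defining a job called `validate`) is easy to catch before it reaches Zuul. The following is an added example, not code from the ticket, Zuul or any Fedora project: it walks already-parsed `.zuul.yaml` contents for each project in a tenant, reports every named config item that more than one project defines, and models a per-project `include` allow-list in the spirit of the tenant `include`/`exclude` setting linked above. The repo names, the tenant contents and the `TENANT_INCLUDE` table are constructed for the example; it does not model which definition Zuul actually applies, only that a duplicate exists.

```python
"""Flag Zuul config items that more than one project in a tenant defines."""
from collections import defaultdict

# Constructed, already-parsed .zuul.yaml contents for two hypothetical repos
# (real files would be loaded with yaml.safe_load). A Zuul config file is a
# list of single-key mappings such as {"job": {...}} or {"project": {...}}.
SAMPLE_TENANT = {
    "pagure.io/repo-a": [
        {"job": {"name": "validate", "run": "ci/validate.yaml"}},
        {"project": {"check": {"jobs": ["validate"]}}},
    ],
    "pagure.io/repo-b": [
        {"job": {"name": "validate", "run": "ci/validate.yaml"}},
        {"project": {"check": {"jobs": ["validate"]}}},
    ],
}

# Hypothetical tenant restriction modelled after Zuul's per-project
# ``include`` list: a project listed here may only define these item kinds,
# so repo-b is limited to its own ``project`` stanza and cannot define jobs.
TENANT_INCLUDE = {"pagure.io/repo-b": ["project"]}


def definitions(tenant, include=None):
    """Yield (kind, name, project) for every named config item a project is
    allowed to define, skipping kinds that its include list does not permit."""
    include = include or {}
    for project, items in tenant.items():
        allowed = include.get(project)
        for item in items:
            (kind, body), = item.items()
            if allowed is not None and kind not in allowed:
                continue
            name = body.get("name") if isinstance(body, dict) else None
            if name is None:
                continue  # e.g. 'project' stanzas have no tenant-wide name
            yield kind, name, project


def find_collisions(tenant, include=None):
    """Return {(kind, name): [projects]} for items defined by >1 project."""
    owners = defaultdict(set)
    for kind, name, project in definitions(tenant, include):
        owners[(kind, name)].add(project)
    return {key: sorted(projects) for key, projects in owners.items()
            if len(projects) > 1}


if __name__ == "__main__":
    for (kind, name), projects in find_collisions(SAMPLE_TENANT).items():
        print(f"{kind} '{name}' is defined by: {', '.join(projects)}")
    print("with include restriction:", find_collisions(SAMPLE_TENANT, TENANT_INCLUDE))
```

Run against the sample data the unrestricted tenant reports the duplicated `validate` job; with the include list applied, repo-b's job definition is ignored and no collision remains. Renaming jobs with a project-specific prefix removes the collision the same way without any tenant-side change.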
So I tried to fix this by renaming all the CI files, and now, uh, this happened:
[Screenshot: Screenshot_from_2023-04-24_09-16-14.png]
See https://pagure.io/fedora-comps/pull-request/837#comment-187053