#8174 Bot account request for koji.fedoraproject.org, pagure.io, and src.fedoraproject.org
Closed: Fixed 5 days ago by pingou. Opened a month ago by fbo.

Hi,

Related to the effort to provide optional Zuul CI service for Fedora distgit (https://fedoraproject.org/wiki/Zuul-based-ci, https://teams.fedoraproject.org/project/ci/epic/14) I would like to request bot accounts for the Zuul service we manage at https://softwarefactory-project.io/zuul.

List of requested bot accounts:

  • "zuul" on koji.fedoraproject.org: the user should have the same rights than a regular Fedora packager. It will perform scratch and regular builds only. I guess it should be part of the "packagers" group.

  • "zuul" on src.fedoraproject.org and on pagure.io. The Zuul service will use that user to act on git repositories like reporting CI flag, adding comment, merge PR, read webhook token. The user will need a user Token with the right "modify project" on both src.fedoraproject.io and pagure.io.

Let me know about this request,
Thanks in advance

Fabien Boucher


So, you can just do (most) of this yourself.

Make a zuul fas account. (Make sure to note in it's account information that it's a bot).

I (or any other sponsor if you have access to one) can sponsor it into the packager group.

For the src/pagure token, do you need just user token it could get itself? Or do you need a cross project/admin token?

Can we also make sure that nothing this is setting, other things are also setting? ie, are you in communication with the existing ci folks?

@pingou anything I forgot there?

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

a month ago

Hi Kevin, thanks for your prompt response.

So I moved forward and created the zuul account on FAS (I thought the creation of a bot account would have been different :) ).

Yes I've discussed (mainly with Aleksandra Fedorova) about the Zuul Jobs workflow we would like to provide to distgits. The POC on which me and my team have worked on has been shown during the last Flock.

I prefer, also, to wait for a formal approval from the other folks that are aware about it (@pingou, @bookwar, @dperpeet) before adding the zuul bot user to the packager group.

Regarding the token, as I have access to the pagure UI via the new zuul user I can manage the user token. The Zuul's Pagure driver (https://zuul-ci.org/docs/zuul/admin/drivers/pagure.html) just needs a user token (with "modify project" right). When the zuul user is added in the admin group of a Pagure's project then the driver will manage the project token by itself. So no need for a cross project/admin token.

The "modify project" token should be cross-project or one per project? (I assume the former, right?)

I'm having a doubt, do we need the zuul user to be in the packager group?
IIRC anyone can do builds, it's just that only the packager will be able to commit to dist-git via ssh (and zuul doesn't do any commits, just interacts with PRs).

It could be that we need zuul to be in the packager group because pagure will make it a requirement for the user to be added to projects on src.fp.o though.

Also, I understand the interaction on zuul with src.fp.o but I'm less clear on its interaction with pagure.io. Does it really need a cross-project "modify project" token there?

@pingou the "modify project" right I'm talking about is from the zuul's user token. When the zuul user is added in the admin group of any projects it will be authorized to access projects settings. So yes we can tell it is "cross-project" as long as the zuul user is added to the projects' admin group.

I was confused and re-read your answer in https://pagure.io/fedora-infrastructure/issue/8174#comment-595729 which actually contains the answer :)

So users/packagers will add zuul to their projects (as admin) and from there zuul will be able to get its token automatically :)

@pingou yes that's the workflow, zuul won't have the right on every projects, just those where users/packagers made the choice to add zuul in the admin group of their projects. So the service will be optionnal.

Regarding the packager group requirement, yes Zuul will only interact with the PRs and if the gating is activated for a project then Zuul should be able to merge PR (it uses the Pagure API). This zuul user will not own any projects but only be added as admin to other projects.

The zuul config is stored on pagure.io ( https://pagure.io/fedora-project-config/blob/master/f/zuul.d, ...) that's why we will need to interact with pagure.io as well. It will also serve to provide regular CI jobs for non distgit projects if needed.

ok, so whats left to do here?

Hi Kevin,

Here are the remaining tasks:

  • Add the zuul user in the packager group (zuul will perform scratch and regular build on koji)
  • extend the token expiration delay to 6 months or 1 year on pagure.io and src.f.o. Token name on both: sf-project-io-zuul

Metadata Update from @cverna:
- Issue tagged with: backlog

17 days ago

Hi,

Who should I contact to have the FAS zuul user in the packager group. For the moment I cannot add that user as owner of repository on src.f.o.

` This user must be in one of the following groups to be allowed to be added to this project: packager
```

Thanks in advance

I have added them to the packager group. You may need to logout and login to src.fedoraproject.org to pick it up (group memberships are synced on login).

I have extended the src.fedoraproject.org token for 6 months.

The pagure.io token tho, I see 5 of them. Can you tell me what the exact current expire of the one you want me to extend is?

Hi Kevin,

Awesome, I was able to add the zuul user as a project admin, so it works !
I confirm that the token for src.fedoraproject.org has been extended.
For the token on pagure.io, the token is " sf-project-io-zuul Active until 2019-11-19 "

Thanks !

I'm not seeing a token for the zuul user that expires on 2019-11-19 on pagure.io, they all seem to expire in December.

Yeah, me either. I just went ahead and extended them all... can you delete/revoke the other ones you aren't using?

Let us know if there's anything more you need here.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 days ago

That's curious it is a user API token and here is the screenshot from the UI for the zuul account on pagure.io
pagure.io-zuul-api-token.png

As you can see, there is one token with the expiry date of 2019-11-19

Metadata Update from @fbo:
- Issue status updated to: Open (was: Closed)

5 days ago

Ok, I'm seeing the token now using: pagure-admin admin-token list --user zuul --all.

It's not recognized as an admin token and thus the CLI refuses the extend it now, going to adjust this

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 days ago

Login to comment on this ticket.

Metadata
Attachments 1