People with "collaborator"-level access on pagure should be allowed to create new updates in bodhi.
Ideally, they should only be allowed to create updates for the releases corresponding to the branches they have access to. In practice, I wonder if we shouldn't simplify it and let them create any update. In the current world, they would only be able to create updates they built or that someone else (who was allowed to bump the evr) built. With rpmautospec this would change, as one could do a build without committing to the git repo. On the other hand, with stream branching the mapping from git branches to dist-tag/fedora releases potentially becomes impossible to do.
Considering we have tracking of who does what, I prefer the simpler approach of considering (in bodhi) people with a contributor level access to have the same access as committers.
Metadata Update from @pingou:
- Issue tagged with: dev
Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: bodhi, medium-gain, medium-trouble
For classic RPM updates it should not be too hard to modify the actual ACL verification mechanism to allow collaborators to push updates only on those branches they are allowed to commit to. We already have a "bodhi release to pagure branch" mapping in Bodhi, but we would probably need to replicate how pagure reads the pattern for collaborator access. For modules, since there's no direct mapping between branch names and releases, this would be impossible, I think. Not sure about flatpaks and containers; I don't know very well how things work for those.
We could also change the Bodhi validation mechanism to use another approach. Currently, when submitting a build, Bodhi retrieves the list of admins and committers for the package from Pagure, then it checks whether the update submitter's username is in those lists (or whether one of the submitter's groups is in the list of groups with commit access). A simpler approach, supposing there's an appropriate API in Pagure to do that, would be making Bodhi query Pagure to ask if a username has the necessary rights on a package+branch, so that we rely on Pagure's validation directly.
Ref https://github.com/fedora-infra/bodhi/pull/4181
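The two checks discussed in this thread, side by side, as an added example (not Bodhi's or Pagure's own code): the current admin/committer/group rule, and the proposed collaborator rule that maps the release to its dist-git branch and tests it against the collaborator's branch patterns. The ACL payload shape, the release-to-branch values and the use of shell-style globbing for collaborator patterns are assumptions; the real Pagure matching rule would have to be replicated exactly, as the comment above notes.

```python
import fnmatch

# Constructed sample of the ACL data Bodhi would get from Pagure for one
# package (illustrative shape, not Pagure's real API payload).
PACKAGE_ACL = {
    "admin": {"users": ["alice"], "groups": ["infra-sig"]},
    "commit": {"users": ["bob"], "groups": []},
    # Hypothetical collaborator entries: user -> list of branch patterns
    "collaborator": {"carol": ["f3*", "epel9"], "dave": ["rawhide"]},
}

# Bodhi's "release to pagure branch" mapping (values constructed here)
RELEASE_BRANCH = {"F38": "f38", "F39": "f39", "EPEL9": "epel9"}


def has_commit_access(acl, user, user_groups):
    """Current rule: admins and committers, directly or via a group."""
    for level in ("admin", "commit"):
        if user in acl[level]["users"]:
            return True
        if set(user_groups) & set(acl[level]["groups"]):
            return True
    return False


def collaborator_branch_matches(acl, user, branch):
    """Proposed rule: a collaborator may only touch branches matching
    one of their patterns. Shell-style globbing is an assumption."""
    patterns = acl.get("collaborator", {}).get(user, [])
    return any(fnmatch.fnmatchcase(branch, p) for p in patterns)


def can_submit_update(acl, user, user_groups, release):
    """Allow the update if the submitter has commit rights, or is a
    collaborator whose branch patterns cover this release's branch."""
    if has_commit_access(acl, user, user_groups):
        return True
    branch = RELEASE_BRANCH.get(release)
    if branch is None:
        # No git-branch mapping (e.g. modules): a collaborator cannot be
        # scoped to a branch, so the branch-limited rule denies.
        return False
    return collaborator_branch_matches(acl, user, branch)
```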