[GSoC] Progress Report

Zero King l2dy at macports.org
Mon Jun 5 01:41:49 UTC 2017


On Sun, Jun 04, 2017 at 11:13:54PM +0200, Rainer Müller wrote:
>As far as I understand it, the CI "bot" is just scripts to be executed
>on Travis CI, but the PR bot will be a daemon process running on our own
>infrastructure?

Yes, except that the CI bot is not just scripts.
The CI bot is written in Go to share code with the PR bot.

>> The design docs are available at https://github.com/l2dy/mpbot-design,
>> but the code is not functional yet so I'm not sharing it for now.
>
>Quoting from the linked document:
>
>| 1. List subports
>| 2. port lint test
>| 3. port -d install test
>| 4. Send data to CI bot
>                  ^^
>That is supposed to be PR bot, right?

Thanks, indeed.

>| The CI bot generates an ECDSA key pair on start and prints the public
>| key on Travis log. While testing ports, the bot attempts handshake
>| with the PR bot by signing the salt PR bot provided (TCP or HTTP?).
>| The PR bot would grab the public key from Travis logs and verify the
>| signature.
>
>This seems overly complex. In case the CI bot needs to communicate with
>the PR bot directly, shouldn't a simple password/access token passed in
>the environment [1] be secure enough for this? Or are we running into
>these restrictions [2]?

Yes, those restrictions apply. We can't have secrets in Travis's
environment for PRs.

>As I see it, the status of the PR on GitHub needs to be updated. Travis
>already has functionality to do so, what role does the PR bot play at
>that point? Couldn't it just pick up the notification from GitHub [3]?

Adding labels like "type:update" and notifying maintainers. Foreign Tcl
code can't be safely executed on our infra. Pulling foreign git branches
consumes bandwidth and disk space. So the plan is to let Travis generate
the needed data that is not available from the GitHub API, and have this
data sent to and sanitized by the PR bot.

>Rainer
>
>[1] https://docs.travis-ci.com/user/environment-variables/
>[2] https://docs.travis-ci.com/user/pull-requests/#Pull-Requests-and-Security-Restrictions
>[3] https://developer.github.com/v3/activity/events/types/#pullrequestreviewevent

-- 
Best regards,
Zero King

Don't trust the From address.
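
The handshake quoted from the design document above, sketched in Go as an added example; it is not code from mpbot or from this message. The function names, the P-256 curve, SHA-256 and the PEM/PKIX encoding of the logged key are assumptions, since the quoted design text does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// CI bot: fresh key pair per build; the returned PEM text is what gets printed to the build log.
func newCIKey() (*ecdsa.PrivateKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), err
}

// CI bot: sign the salt received from the PR bot (SHA-256 digest, ASN.1 DER signature).
func signSalt(priv *ecdsa.PrivateKey, salt []byte) ([]byte, error) {
	digest := sha256.Sum256(salt)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// PR bot: find the public key in the log text and check the signature over its own salt.
func verifySalt(logText string, salt, sig []byte) bool {
	block, _ := pem.Decode([]byte(logText))
	if block == nil {
		return false // no PEM block in the log
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := parsed.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false // malformed key or not ECDSA
	}
	digest := sha256.Sum256(salt)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	if priv, logText, err := newCIKey(); err == nil {
		sig, _ := signSalt(priv, []byte("salt-A")) // constructed salts
		fmt.Println(verifySalt(logText, []byte("salt-A"), sig), verifySalt(logText, []byte("salt-B"), sig))
	}
}
```

The check only proves that the peer holds the private key matching the key in the log, so the PR bot has to issue a fresh random salt per handshake and fetch the log for the build it expects.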