CI system for PR builds

[Ryan Schmidt]

On Apr 7, 2018, at 00:47, Mojca Miklavec wrote:

> On 3 April 2018 at 21:45, db wrote:
>> On 3 Apr 2018, at 18:04, Mojca Miklavec wrote:
>>> Travis has lots of limitations, but it offers both (a) and (b) for free.
>> 
>> Couldn't (b) be the current infrastructure?
> 
> No, because that would make the infrastructure that distributes
> binaries to all our users susceptible to malicious PRs.

Obviously, we would need to program the PR build machines not to upload any binaries anywhere. Just as we've already configured Travis in that way.


> Except if we modify the current setup to stop a VM after each build in
> case there are no pending jobs, and fire a new clean VM to build the
> PRs in the meantime, with different build instructions and without any
> uploads.
> 
> I believe it would also be ok to have a second set of isolated
> builders whose images would only be reset once in a while. But that
> still calls for additional hardware.

We have a little capacity to add additional virtual machines to the Xserves currently running our buildbot setup. If additional capacity beyond that is required, we can talk about that. But just getting one or two VMs for PR builds up and running would not necessarily require additional hardware. It just requires creating software infrastructure.