Infrastructure / INFRA-4726

CouchDB Github mirror does not allow ASF committers with github accounts to do pull request merges etc

    Details

    • Type: Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Fix Version/s: Initial Clearing
    • Component/s: Git
    • Labels:
      None
    • Environment:
      Apache CouchDB github mirror repo

      Description

      The following CouchDB committers should also be able to merge directly in github from pull requests. It appears not to be functioning at the moment.

      By apache id & corresponding github ids, taken from http://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=blob_plain;f=AUTHORS

      jan@apache.org janl
      nslater@apache.org nslater
      cmlenz@apache.org mclenz
      jchris@apache.org jchris
      davisp@apache.org davisp
      kocolosk@apache.org kocolosk
      benoitc@apache.org benoitc
      fdmanana@apache.org fdmanana
      rnewson@apache.org rnewson
      randall@apache.org tilgovi
      dch@apache.org dch
      jhs@apache.org jhs
      bitdiddle@apache.org bdionne
      jasondavies@apache.org jasondavies
      mhammond@apache.org mhammond

        Activity

        #asfinfra IRC Bot added a comment -
        <danielsh> dup of INFRA-4152
        Robert Newson added a comment -
        How about the inverse case where a Pull Request is opened that we do not intend to ever merge? I'd like to be able to close them with a comment rather than leave them open forever.
        Jan Lehnardt added a comment -
        Thanks Jukka, feeling a little stupid now.

        What's left then is to see if we can hook up a script that allows committers to run this from a bookmarklet.
        Jukka Zitting added a comment -
        See also INFRA-4152 for an earlier issue and related discussion about how we could allow Apache committers to close pull requests on GitHub.
        Dave Cottlehuber added a comment -
        @davisp after reading the github api docs yesterday & testing today, the PR is closed if the matching commit sha arrives from upstream ASF repo. Obviously if you modify the commit in any way (amend commit message, add THANKS entry, different branch etc) then it doesn't work.

        I think there will be a few areas where we'd still like to be able to update github directly as repo owners, for example, closing a PR that is not going to be committed, or closing one that has been committed with changes. Mapping ASF LDAP <-> github repo members would be great.

        @jukka - pushing commits to the canonical ASF git repo is a suitable solution for committers dealing with PRs, thanks for the URL tip in the email.
        Jukka Zitting added a comment -
        The pull request notifications we send to the relevant dev@ lists already contain instructions for doing this. The template is:

        > You can merge this pull request into a Git repository by running
        > $ git pull https://github.com/<user>/<source> <target>

        Works fine for me.
        Paul Joseph Davis added a comment -
        It occurs to me that if we're trying to help committers merge PR's a simple approach would be to write a git subcommand that accepts a PR and does the merge automatically.

        Ie, something like:

            $ git merge-pr 12

        Would figure out what repo and commit sha is needed and then could do the fancy git commands required to make that happen.
        Paul Joseph Davis added a comment -
        This ticket confuses me. Is the goal to be able to close PR requests or is it to actually make that merge button in the GH gui work? I'm currently reading it as a complicated way to accomplish the former but the title leads me to believe the latter.

        If the goal is to make the button work I'd say that's roughly impossible. There's talk of PGP signing commits but I'm not entirely certain how that'd work. I don't envision us ever automating pulling commits back from GH. While technically possible it seems like it'd add a significant amount of complexity when we can satisfy all of the requirements by requiring that people just push directly to ASF hardware.

        OTOH, if we just want to allow committers to close PR's then we should write a script that manages the organization teams/team repos based on LDAP which is easily achievable. The only thing I can see here is if we store the GH user accounts in LDAP or in a config file per-repo.
        Jan Lehnardt added a comment -
        Daniel and I chatted this through on IRC, here's the summary:

        Prerequisites:

         - The ASF needs to ensure the identity of a committer without relying
           on external authn systems.

          - One way is to authn against ASF infra (i.e. pushing to an ASF repo)

          - Another way is to sign commits using PGP, then commits could happen
            anywhere, e.g. on GitHub or elsewhere, and can be pushed to the ASF
            git repos.

         - For the contributor, keep the interaction as close to the original
           GitHub experience.

         - For the committer, allow an easy way to "+1" a commit in an
           asf-authn'd way (see above).

         - For everybody, remove as many burdens as possible.

        The plan:

        1. It is possible to merge a set of commits using a 'single' command e.g.

           git fetch https://github.com/maghoff/couchdb.git +refs/heads/master && git cherry-pick FETCH_HEAD

           This is a cherry-pick stolen from Gerrit, but a similar command can
           be constructed for a merge commit.

           (TBD: Come up with the actual string that does the merge commit.)
         
        2. What we can do is provide a greasemonkey/dotjs/bookmarklet that a
           committer can run to get the particular command as a string to c&p
           into the local command line.

        3. The committer then pushes to the ASF git repo, because we use a
           merge above, GitHub will pick up the merge when the GitHub mirror
           gets synced and closes the pull request.

        4. I.e. the extra burden is on the committer, but it is reduced to a
           click and a copy & paste & manual push, which I think is totally
           reasonable.

        5. The contributor doesn't see any difference to other projects.

        Bonus Feature:

        Now, if all that works as expected, we can move point 2. and 3. to a
        script (TBD) that runs on ASF infra and has a HTTP interface that is
        authn'd using the ASF LDAP backend (similar to s.apache.org) that
        performs these steps on the committer's behalf that we can then access
        via a bookmarklet, restoring the "single-click"-merge experience of
        GitHub while ensuring proper identity checks on the ASF side.

        Robert Newson and I will work on the TBDs (the git command and the
        script that can run on ASF infra).
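
        The plan in the comment above leaves the merge-commit string as a TBD and has a bookmarklet hand the committer a line to paste into a shell. As an added example (not code from the ticket or from ASF infra), here is one way to build that line, assuming `git merge --no-ff FETCH_HEAD` as the merge step and a hypothetical helper `pr_merge_command`; it refuses any account, repository or branch name that could change what the pasted line does.

```shell
#!/bin/sh
# Added example. pr_merge_command is a hypothetical helper; the merge step
# (git merge --no-ff FETCH_HEAD) is an assumption, the ticket leaves it TBD.

# Usage: pr_merge_command <github-user> <repo> <branch>
# Prints the line to paste, or returns 1 if a field is not plainly a name.
pr_merge_command() {
    # GitHub account: letters, digits, hyphens; must not start with a hyphen.
    case $1 in
        '' | -* | *[!A-Za-z0-9-]*) return 1 ;;
    esac
    # Repository: letters, digits, dot, underscore, hyphen.
    case $2 in
        '' | -* | .* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Branch: a conservative subset of what git accepts as a ref name.
    # No spaces, quotes, ';', '&', '$' or backticks, so the name cannot end
    # the git command early; no leading '-', so it cannot be read as an option.
    case $3 in
        '' | -* | .* | /* | */ | *..* | *//* | *.lock) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    # --no-ff records a merge commit and keeps the contributor's commit
    # SHAs intact, which is what lets GitHub match them after the mirror sync.
    printf 'git fetch https://github.com/%s/%s.git +refs/heads/%s && git merge --no-ff FETCH_HEAD\n' "$1" "$2" "$3"
}

# The repository named in the ticket's own cherry-pick example.
pr_merge_command maghoff couchdb master
```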
        Jan Lehnardt added a comment - - edited
        Interactions with GitHub use public key ssh auth, but I don't think there’s PGP/GPG integration. It'd be putting trust into the GitHub auth system, but I’m wondering if that’s not something we can consider?
        #asfinfra IRC Bot added a comment -
        <danielsh> s/to PGP-signed commits/to commits PGP-traceable to a +1 by an ICLA holder/
        #asfinfra IRC Bot added a comment -
        <danielsh> By policy we require pushes to be traceable back to a specific ICLA holder, so if someone implements 'pull from github' I believe it's going to have to be restricted to PGP-signed commits only.
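
        danielsh's policy point above is that anything pulled from GitHub must be traceable to an ICLA holder. As an added example (not ASF tooling), this filter reads the output of `git log --format='%H %G? %GF'` for the fetched range and rejects commits that are unsigned, fail verification, or are signed by a key outside an allowlist; the allowlist, the function name `untraceable_commits` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Fingerprints, commit ids and names below are constructed.

# Key fingerprints of ICLA holders (placeholder values, space separated).
ICLA_KEYS='1111111111111111111111111111111111111111 2222222222222222222222222222222222222222'

# Reads "<sha> <%G? status> <signing key fingerprint>" lines on stdin, e.g.
#   git log --format='%H %G? %GF' origin/master..FETCH_HEAD
# Prints one REJECT line per commit that cannot be traced to an ICLA holder
# and returns 1 if there was any, 0 if every commit passed.
untraceable_commits() {
    bad=0
    while read -r sha status fpr; do
        [ -n "$sha" ] || continue
        case $status in
            G)  # good signature: the key must also be on the list
                case " $ICLA_KEYS " in
                    *" ${fpr:-none} "*) continue ;;
                esac
                echo "REJECT $sha key-not-on-icla-list" ;;
            N)  echo "REJECT $sha unsigned" ;;
            B)  echo "REJECT $sha bad-signature" ;;
            *)  # U, X, Y, R, E: unknown validity, expired, revoked, no key
                echo "REJECT $sha signature-not-trusted-$status" ;;
        esac
        bad=1
    done
    return "$bad"
}

# Constructed sample of the log format above.
SAMPLE_LOG='c0ffee01 G 1111111111111111111111111111111111111111
c0ffee02 N
c0ffee03 G 9999999999999999999999999999999999999999
c0ffee04 B 1111111111111111111111111111111111111111'

printf '%s\n' "$SAMPLE_LOG" | untraceable_commits || echo "refusing to push"
```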

          People

          • Assignee: Unassigned
          • Reporter: Dave Cottlehuber
          • Votes: 0
          • Watchers: 2
