| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Currently in NixOS configuration using agenix secrets there is no
build time validation of secret paths - things fail at runtime (system
activation).
To prevent that, this CL makes the secrets part of the tree based on
the same configuration file used by agenix itself.
This guards against:
* agenix secrets.nix definition for a non-existent file
* age.secrets value in a NixOS config for a non-existent secret
Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
|
|
Change-Id: I14043c2bd9da43a6b7de65baf0ebb75eaf3c4e22
|
|
Change-Id: Idf13f7737dd51e74e87093e07cdf22ad24407944
|
|
The l= is part of the command, not of the shape of commands, and the
previous command concatenation logic was wrong because of that.
Fix is done in the most obvious way: Make the l= part of the command.
Change-Id: Ia3c08c3da60fe5fc38f29a2d94adcd123e4f3052
|
|
... okay, this is like the 5th error related to something with this
and file paths. Need to write some validation logic.
Change-Id: I4314818aa1bc25b8cf7bd3593850d3836ccb867c
|
|
Git only allows binary names prefixed with `git-credential-` if the
path to the helper is not absolute.
Why? Who knows.
Change-Id: I216b2a621f62a73f05e21def7ec8016b29ede892
|
|
Relates to b/161
Change-Id: I508e5a0eacab668f4bd39a2c888d894b96bed093
|
|
I *think* this is the final step for b/161
Change-Id: Ie7a2198a045f2f1866a245884ab0f5414e205327
|
|
... really would like some assertion helpers for this sort of stuff.
Change-Id: I32d1de18ebfbbdfa5128a8fbdad2efcc511f8514
|
|
Currently this functionality is provided by a shell script stored in
/etc/secrets (which has the password value hardcoded).
This needs to happen in a separate commit from the one that changes
the pipeline to avoid breaking it (it needs to be deployed first).
Change-Id: I680754c828ccefbacfcf0d5c813a4bc19493ba4c
|
|
... and also the public key, just to keep the distribution mechanism
the same.
Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
|
|
We already checked this in, but this commit adds the configuration for
making use of it.
There are two copies of besadii's JSON configuration with different
permissions.
Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.
Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
|
|
Change-Id: Id141758135c796881e91d20b950dae74c40d9ab3
|
|
This makes this function a true rubberstamp again, leading to
rubberstamped CLs automatically being merged after CI passes.
This is similar to the initial functionality we had last year, where
this directly submitted changes, but with the addition of the CI
checks.
Change-Id: I946b074b968eb18a64c4edb0043f7a4af28759b4
|
|
This almost makes for a sort of fire&forget button, except we don't
have a way to automatically pick reviewers yet :)
Change-Id: I6f446270f8aaf0409ccb6321bdbb5c349079cd19
|
|
... this option really is a pitfall! The list of programs is now the
same as in the upstream module, plus curl and jq.
Change-Id: I29edae4b2400a2724f62df9efa1dc184a8b0af5f
|
|
Same approach as in cl/4270.
Change-Id: I3a5a3533ab97513a4b9d8cacc26d013b58441f93
|
|
Change-Id: Id2012e3ec6db21ff724245095a99d36ff9d7ad71
|
|
The DynamicUser + Group configuration does not work as planned, thus
the systemd LoadCredentials feature is used instead which makes the
file (which itself is only readable by root) available in a
memory-backed location only readable by the service.
The secret is only available to `ExecStart` commands, so units using
this feature can not be used with pre/post units and the like if those
commands need secrets.
To accommodate this, the merge of configuration files has been moved
into the service launch script, which is now the ExecStart= process.
For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH
Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
|
|
It turns out the lib.mkAfter call doesn't behave as expected -
only *some* of the packages that are defaulted end up in the $PATH.
I suspect this is actually something else, e.g. these packages are
always added for some reason or another, and the option is completely
overridden every time.
Change-Id: I854c7198520d82b00e6338ed0fe653836226dc6d
|
|
Change-Id: I66df150ab5070a81a92f0741334639df9df1f86f
|
|
Just a regular password rotation, plus I wasn't using argon2 unlike
everyone else.
Change-Id: Ic57fe79a2dbfdc15397d20f6b2b47c6aac911d29
|
|
Change-Id: I8063ae804932e3815e9a499e0206806818b9b021
|
|
In autosubmit cases that require rebases, the change *uploader* might
be clbot which would cause besadii to use clbot as the owner.
This is incorrect, but luckily the change-merged event has an actual
owner field instead.
Change-Id: Ia35b52085f94628e61eb358807b3b85565521b60
|
|
Turns out that the type of this option is not concatenative and it
replaces the packages needed to run Buildkite if set.
Change-Id: I9f52572bc165bccdd8c6518cfdf7b8967f7a50d0
|
|
The irccat module uses DynamicUser, so to grant permission to it a new
group has been added for irccat.
I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.
Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
|
|
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
|
|
Unnecessary dependency & complexity.
(Patch originally contributed by an anonymous contributor)
Change-Id: Id49dc362cb0c1b29937404447bb0b1f9794dc117
|
|
(Patch contributed by an anonymous contributor)
Change-Id: I29fd7dd008d4e509ea074a38d3948946b26da7ab
|
|
No longer required on whitby.
Change-Id: I93951c6b708eae81ddb03df920a4068c1ccde9e7
|
|
Detects autosubmitted CLs (other people's CLs submitted by clbot) and
modifies the text submitted to IRC accordingly.
If a CL is autosubmitted, we opt to highlight its author rather than
invoking noping.
Change-Id: Ibc21b7eeb2f0f2087097404baef6976384d68b09
|
|
This step would get inserted at the wrong point in the build pipeline
otherwise, causing a dependency cycle and causing the pipeline to fail.
Change-Id: I534568eec77f74ae6c47276820f8a9e99493a3ea
|
|
This simplifies the fallback logic used in case of Nix evaluation
failure and makes it so that the evaluation step itself is the one
that is marked as failed in Buildkite.
This is possible because the pipeline upload command will insert new
steps at the point where it runs in the pipeline, and not later.
Change-Id: I870534c004ebc457a1602623c4e5f9c0c68e28fc
|
|
Relates to b/161
Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
|
|
Relates to b/161
Change-Id: I25445281b0dd3c3f3660f8bb0d8337506a1e427b
|
|
Relates to b/161
Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
|
|
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.
Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
|
|
This is not yet including the secret configuration for gerrit-queue,
and just expects the secret (gerrit username & password) to be
available in /etc/secrets.
Change-Id: Ia465ef7f3f521c70d606d7fdeba9aa83c7e1b98b
|
|
This is required for a simplification of the build pipeline (following
CL) and needs to be in a separate commit as it can not be done
atomically (merging the other commit to deploy it would immediately
break pipelines otherwise).
Change-Id: I5d8ec8f3238f79b5518d799486bf98d1d9516c43
|
|
Imported from github/tvlfyi/gerrit-queue, originally from
github/tweag/gerrit-queue but that upstream is unmaintained.
git-subtree-dir: third_party/gerrit-queue
git-subtree-mainline: ff10b7ab8303d050a8d7d751611da88bc13a75b4
git-subtree-split: 24f5a642af3aa1627bbff977f0a101907a02c69f
Change-Id: I307cc38185ab9e25eb102c95096298a150ae13a2
|
|
The upstream isn't really maintained anymore, so we may as well take
it over since we're patching it anyways.
Change-Id: I7dddc03ab90b00611520a77a26e73a5be1c2cfb8
|
|
... instead of a hashtag in Gerrit.
Might be easier to review here:
https://github.com/tvlfyi/gerrit-queue/commit/24f5a642af3aa1627bbff977f0a101907a02c69f
Change-Id: I1ae8d4607f7cb858135f88411c82e1a353b28105
|
|
This is a Gerrit autosubmit bot (actually written by flokli) which we
intend to use.
For now we're using the plain upstream version, but we'll want to
patch some of the behaviours of it so there's a vendoring on the
horizon.
Change-Id: I021d41b55f9f678435d9aec6d359545577cb9ec0
|
|
This moves to using a Gerrit label ('Autosubmit') with boolean values
for determining whether a developer wants to have a change
automatically submitted.
See also https://cl.tvl.fyi/c/depot/+/4172
|
|
Change-Id: I44998510ff4be2fa137ea4c81f888e63ea438a56
|
|
Change-Id: I17b1362502952d96b8787ad3c055d66f212fd60b
|
|
Add a stop at the `flavor` argument, since some async tests can use the
default config.
Change-Id: Iffd726b304d0d9dd94938bf23b2688715d1f4e20
|
|
Bound to `A g`, this behaves similarly to `magit-gerrit-checkout` - it
prompts for a CL number, then cherry-picks the latest patchset of that
CL number
Change-Id: Ieef970b99d96170e8c960cc7687ead9022948f8b
|
|
Change-Id: Ib5226a1ad0f084d3755cbfe40bf3556b3fa7fb2b
|
|
Change-Id: If1677024f9a211eee5d42a03413b5058dd797b9a
|
