ECA being enforced for infrastructure-managed repositories

changed title from ECA being enforced for infrastructure managed repositories to ECA being enforced for infrastructure-managed repositories

Here is an example of how it fails: https://gitlab.eclipse.org/eclipse/oniro-core/docs/-/jobs/57506. We could use the identity of the CI owner if that would be acceptable, what do you think?

Maybe for now, a decent workaround would be to avoid ECA checks on this repository as we did for #1532 (closed). We are looking to restructure the documentation infrastructure in Oniro where we might drop this repository altogether.

mentioned in issue #1532 (closed)

Creating a GitLab bot user (e.g. oniro-bot@eclipse.org) for the Oniro project should be the right way forward here. It will pass ECA checks.

@fgurr So the ECA check is ignoring any pushes from an Eclipse GitLab bot user? @heurtemattes is that what you were proposing in the initial issue?

Totally, but not so sure now. I prefer the webdev team answer about ECA behavior.

added ECA IT-prioritylow IT-severitylow ~16083 statetodo team:releng labels

\cc @cguindon @malowe

The ECA will ignore bot accounts if they are defined in our API under the appropriate project: https://api.eclipse.org/bots

https://github.com/EclipseFdn/projects-bots-api/blob/master/src/main/jsonnet/extensions.jsonnet

@fgurr I believe you know how to add bots in this API?

//cc @malowe

Right. I was expecting something along those lines.

Well said, Chris. I brought up unmanaged bots when we did the impromptu audit a while back, but I guess that comment fell off the radar. These Gitlab bot users will no doubt fail the ECA, and that's by design. The bots API is how we make the downstream services aware of bots, as we want to manage these and not have a wild west of bots.

Great. How can we get one for Oniro?

Its up to the releng team to add it to the file that Chris mentioned. Making a helpdesk ticket is the right way to request this afaik, so I think we're good, just need to wait for the update to be made. Once made, it will take ~1h to become active (caching and such).

Awesome. I'll wait for that to be actioned.

@malowe Do we have any updates on this? It's a bit of a blocker for us and we need that pipeline working for an event we have soon.

Just to clarify: I was planning to create a new GitLab bot user for Oniro with the email-address oniro-bot@eclipse.org. I was not planning to add the existing Oniro Project CI <oniro-dev@eclipse.org> identity to our projects-bot-API. Does that work for you @agherzan? Any concerns @cguindon, @malowe?

You can create a new user for this but you still need to add the bot account to the bots API in order to inform our ECA validation service that we can accept contributions from this bot.

The ECA will check if we have an ECA on file if the bot account is not tracked.

I can adapt the pipeline to change to that as long as the ECA hook will be happy with it.

~~Now that I think about it, this is only about the SoB check against the ECA, right?~~

SoB?

Ignore that. I was confused for a second. I think that should work fine. Only the email address would be taken into consideration, right? We can use any "name" in git commits?

Correct, we will skip the validation if the author mail matches with the bot account listed under the oniro-core project in our API.

Clear now. I can align with that as soon as that is in place.

@cguindon @fgurr This is blocking us to land some documentation related to the Eclipse-OpenAtom cooperation agreement that is being announced next week. Can we please get an ETA on this?

I will create the GitLab bot user before EOB today.

@fgurr that would be greatly appreciated, thank you

mentioned in issue eclipse/oniro-core/oniro#711 (closed)

@oniro-core-bot has been created. It's email address is oniro-core-bot@eclipse.org. It has been added to the projects-bot-api. It's also a member of the oniro-core GitLab group (https://gitlab.eclipse.org/eclipse/oniro-core).

Hello @fgurr. Thanks for dealing with this. Here are some comments that made our life harder:

The actual email that ended up in the API is onirocore-bot@eclipse.org and not oniro-core-bot@eclipse.org (mind the hyphen).
We actually agreed above to having oniro-bot@eclipse.org. This has as an advantage the fact that we can reuse it on other Oniro projects without having to go through these loops again. For now, I have used the one in the API as this is currently blocking us but I'd ask you to reconsider this and create an extra one as agreed above.

The actual email that ended up in the API is onirocore-bot@eclipse.org and not oniro-core-bot@eclipse.org (mind the hyphen).

Good catch. This was set up incorrectly during project provisioning and has been fixed. The API uses the correct oniro-core-bot@eclipse.org email address now.

We actually agreed above to having oniro-bot@eclipse.org. This has as an advantage the fact that we can reuse it on other Oniro projects without having to go through these loops again. For now, I have used the one in the API as this is currently blocking us but I'd ask you to reconsider this and create an extra one as agreed above.

Sorry about the miscommunication. Each bot user is assigned to a single project and therefore uses the project's short name e.g. "oniro-core" for Oniro Core. Reuse of bot accounts across projects is (in general) not supported and recommended.