x/build/cmd/relui: support pre-building security releases #53799
Comments
Change https://go.dev/cl/416878 mentions this issue:
Change https://go.dev/cl/417215 mentions this issue:
CC @golang/release.
Today we build security releases after their fixes have been publicized and merged, which makes it hard to reliably hit preannounced dates. (For example, https://groups.google.com/g/golang-announce/c/vtbMjE04kPk) Support building from a ref on the internal security repository, which relui now has permissions to read. To prevent mistakes where the code in the internal repository is out of sync with the code we eventually publish, before we start publishing the release, we check that building a source archive from the release branch yields the same result as the archive we're releasing.

For golang/go#53799.

Change-Id: I23ac49ff42773ff21c152d563e1955af5fc800d1
Reviewed-on: https://go-review.googlesource.com/c/build/+/416878
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
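The pre-publish check described in the commit message above, sketched as an added example (not relui's code and not part of the original thread): it compares a prebuilt source archive with one rebuilt from the public release branch by per-file digest. The names `manifest` and `sampleTar`, the use of plain tar instead of .tar.gz, and comparing contents rather than raw bytes are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"fmt"
	"io"
	"sort"
	"strings"
)

// manifest lists every tar entry as "mode sha256 path", sorted, so that entry
// order and timestamps do not affect the comparison but any content change does.
func manifest(archive []byte) (string, error) {
	var lines []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return "", err // unreadable archive: the caller must treat this as a mismatch
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return "", err
		}
		lines = append(lines, fmt.Sprintf("%o %x %q", h.Mode, sha256.Sum256(body), h.Name))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n"), nil
}

// sampleTar builds a constructed archive; the paths and contents are made up.
func sampleTar(files map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(body))})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	// Hypothetical trees: the private branch carries a fix the public branch lacks.
	pre, errPre := manifest(sampleTar(map[string]string{"go/src/a.go": "package a // fix"}))
	pub, errPub := manifest(sampleTar(map[string]string{"go/src/a.go": "package a"}))
	fmt.Println("safe to publish:", errPre == nil && errPub == nil && pre == pub)
}
```

The comparison in `main` fails closed: a read error on either archive blocks publishing just as a content difference does.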
relui needs to use its service account to access the private security repository, and while I'm at it it might as well use it for the public repo too. Add support to the gerrit package and use it in relui. I adapted this code from the Gerrit team's auth daemon: https://gerrit.googlesource.com/gcompute-tools/+/refs/heads/master/git-cookie-authdaemon There may be better ways to do it but this works on my machine.

For golang/go#53799.

Change-Id: Iec302f4e4e336c21258019b0c20898280e249380
Reviewed-on: https://go-review.googlesource.com/c/build/+/417215
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
Change https://go.dev/cl/417834 mentions this issue:
Change https://go.dev/cl/417592 mentions this issue:
The basic support exists as of the CLs above. Remaining work: add TryBots (at least the ones we consider secure) so that we are less likely to break secondary ports.
I messed up the merge in CL 416878. Probably need some test coverage here.

For golang/go#53799.

Change-Id: Iab82fcb7424c888e8340a3d5f942271773c2d6a1
Reviewed-on: https://go-review.googlesource.com/c/build/+/417834
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Got the path wrong.

For golang/go#53799.

Change-Id: I576c2991d5297da11307cb033cb3ad3125986f8f
Reviewed-on: https://go-review.googlesource.com/c/build/+/417592
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Change https://go.dev/cl/419415 mentions this issue:
We don't have the ability to run security fixes through the real TryBots before we commit them to the private repo. To avoid surprises like we just had with the wasm tests, run secondary TryBots, but don't treat them as release-blocking. If any fail, the coordinator will be asked to approve the results.

For golang/go#53799.

Change-Id: Icad4ece6e32f47dc81f4a8d850f56cf488c7a030
Reviewed-on: https://go-review.googlesource.com/c/build/+/419415
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
This is done afaik.
Change https://go.dev/cl/419427 mentions this issue:
The tryBotsApproved related steps were marked as unused in the dry-run flow, so use them.

Updates golang/go#53799

Change-Id: Ifc231ed9a7a4e85954bc8d7ef1ed1d6b393807f6
Reviewed-on: https://go-review.googlesource.com/c/build/+/419427
Reviewed-by: Heschi Kreinick <[email protected]>
Run-TryBot: Jenny Rakoczy <[email protected]>
Auto-Submit: Jenny Rakoczy <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Change https://go.dev/cl/420543 mentions this issue:
We put the DL CL early to avoid having to wait for proxy.golang.org, but now that we're prebuilding, it doesn't make so much sense: either it hangs around for days or we submit it way early. Move it to the rest of the publishing steps.

For golang/go#53799.

Change-Id: I12df3019c8278d7c72fe8dc308e209ff3bf5c131
Reviewed-on: https://go-review.googlesource.com/c/build/+/420543
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
Reviewed-by: Jenny Rakoczy <[email protected]>
Change https://go.dev/cl/426799 mentions this issue:
For security releases we expect there to be release blockers that will be resolved only after the release is published. Allow the coordinator to approve that situation.

For golang/go#53799.

Change-Id: I94cd4c0b3c7b3af22557ca19be19ac923add9b86
Reviewed-on: https://go-review.googlesource.com/c/build/+/426799
Run-TryBot: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Today we build security releases after their fixes have been publicized and merged, which makes it hard to reliably hit preannounced dates. (For example, https://groups.google.com/g/golang-announce/c/vtbMjE04kPk)
Add support for building from the private repository the fixes are developed on so that we can have the binaries ready to go in advance of the release date.