Git commit 919f7163102835d46c81593251fd0689fea71640 by Ben Cooksley. Committed on 08/03/2022 at 08:13. Pushed by bcooksley into branch 'master'.
Implement two additional checks as part of our hooks: 1) Require that all *.knsrc file changes be reviewed by a Sysadmin if landing in a non-work branch 2) Alert Sysadmin if anyone mentions download.kde.org or files.kde.org in the text of their code. CCMAIL: kde-frameworks-de...@kde.org CCMAIL: plasma-devel@kde.org M +14 -0 hooks/hooklib.py M +16 -2 hooks/invent.pre-receive https://invent.kde.org/sysadmin/repo-management/commit/919f7163102835d46c81593251fd0689fea71640
diff --git a/hooks/hooklib.py b/hooks/hooklib.py
index 062b0e3..df04d96 100644
--- a/hooks/hooklib.py
+++ b/hooks/hooklib.py
@@ -706,6 +706,10 @@ class CommitEmailNotifier:
 if self.checker and (self.checker.license_problem or self.checker.commit_problem):
 cc_addresses.append( self.commit.committer_email )
+ # Add Sysadmin if infrastructure problems have been found
+ if self.checker and self.checker.infra_problem):
+ cc_addresses.append( 'sysad...@kde.org' )
+
 if self.keywords['email_gui']:
 cc_addresses.append( 'kde-doc-engl...@kde.org' )
@@ -1002,6 +1006,10 @@ class CommitChecker:
 def commit_problem(self):
 return self._commit_problem
+ @property
+ def infra_problem(self):
+ return self._infra_problem
+
 @property
 def commit_notes(self):
 return self._commit_notes
@@ -1219,6 +1227,7 @@ class CommitChecker:
 # Initialise
 self._license_problem = False
+ self._infra_problem = False
 self._commit_problem = False
 self._commit_notes = defaultdict(list)
@@ -1261,6 +1270,11 @@ class CommitChecker:
 self._commit_notes[filename].append(note)
 self._commit_problem = True
+ # Check for references to KDE.org infrastructure which are being added without permission
+ if re.search(".*(download|files)\.kde\.org.*", line) and line.startswith("+"):
+ self._commit_notes[filename].append( "[INFRASTRUCTURE]" )
+ self._infra_problem = True
+
 # Store the diff....
 filediff.append(line)
diff --git a/hooks/invent.pre-receive b/hooks/invent.pre-receive
index 75dda6a..537d104 100755
--- a/hooks/invent.pre-receive
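Review bot: In the `@@ -706,6 +706,10 @@` hunk the added condition `if self.checker and self.checker.infra_problem):` has a closing parenthesis with no opening one, so hooklib.py no longer parses and any hook that imports it will fail with a SyntaxError instead of running its checks. It should read `if self.checker and self.checker.infra_problem:`. Running `python -m py_compile hooks/hooklib.py` before deploying hook changes would catch this class of error. The enclosing method of CommitEmailNotifier starts and ends outside the hunk.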
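Review bot: In the `@@ -1261,6 +1270,11 @@` hunk the pattern `".*(download|files)\.kde\.org.*"` is a non-raw string, so `\.` is an invalid escape sequence that recent Python versions warn about, and the leading and trailing `.*` do nothing under `re.search`. I would write the test as `if line.startswith("+") and re.search(r"(download|files)\.kde\.org", line, re.IGNORECASE):`, which does the cheap prefix check first and also alerts on differently cased host names, since host names are case-insensitive. The `[INFRASTRUCTURE]` note is appended once per matching line, so a file with several matches gets duplicate entries; appending only when the note is not already recorded for that file would keep the notification readable. The enclosing CommitChecker method starts and ends outside the hunk.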
+++ b/hooks/invent.pre-receive
@@ -99,6 +99,9 @@ translation_file_rules = [
 '^poqm/.*'
 ]
+# These users are authorised to review changes to *.knsrc files
+knsrc_reviewers = ['bcooksley', 'bshah', 'nalvarez']
+
 # For these users we always skip notifications
 notification_user_exceptions = ["scripty"]
@@ -355,8 +358,8 @@ for changeset in repository.changesets.values():
 if not os.path.exists(repository_config + "/skip-author-email-checks"):
 auditor.audit_emails_in_metadata( changeset, email_domains_blocked )
- # Depending on who we are, we may also need to check to see whether we are changing translations that have been mirrored into the repository
- # Only specific users are allowed to change these as they are maintained by scripty
+ # Depending on who we are, we may also need to check to see whether we are changing translations that have been mirrored into the repository
+ # Only specific users are allowed to change these as they are maintained by scripty
 if not os.path.exists(repository_config + "/skip-translation-protections") and push_user not in translation_mirror_maintainers:
 # Review each commit for changes to files...
 for commit in changeset.commits.values():
@@ -368,6 +371,17 @@ for changeset in repository.changesets.values():
 if re.match(restriction, filename):
 auditor.log_failure(commit.sha1, "Translations maintained separately: " + filename)
+ # Depending on who we are, we may also need to check to see whether we are impacting on a KNSRC file
+ # Only specific users are allowed to change these as they can have substantial infrastructure implications
+ if not os.path.exists(repository_config + "/skip-knsrc-protections") and push_user not in knsrc_reviewers and changeset.ref_type is not RefType.WorkBranch:
+ # Review each commit for changes to files...
+ for commit in changeset.commits.values():
+ # Now check each file that was changed in that commit...
+ for filename in commit.files_changed:
+ # Did we change a KNSRC file?
+ if re.match(".*knsrc.*", filename):
+ auditor.log_failure(commit.sha1, "KNewStuff configuration must be Sysadmin reviewed: " + filename)
+
 # Did we have any commit audit failures?
 if auditor.audit_failed:
 print("Push declined - commits failed audit")
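Review bot: The added condition exempts every push whose `changeset.ref_type` is `RefType.WorkBranch` and otherwise tests only `push_user not in knsrc_reviewers`, so what is enforced is which account pushes to a non-work branch, not that a review took place. That appears to be the intended trust model, but it should be written next to the check, for example `# Enforced on the pushing account: only knsrc_reviewers may land *.knsrc changes outside work branches`. `re.match(".*knsrc.*", filename)` also matches any path that merely contains `knsrc`, which is broader than the `*.knsrc` named in the commit message, and it is case-sensitive; if the breadth is deliberate, the comment `# Did we change a KNSRC file?` should say so. The enclosing `for changeset in repository.changesets.values():` loop starts outside the hunk.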