Hi Cephers,
These are the minutes of today's meeting (quicker than usual since some CLT members were at Ceph Days NYC):
- [Yuri] Upcoming Releases:
- Pending PRs for Quincy
- Sepia Lab still absorbing the PR queue after the past issues
- [Ernesto] Github started sending dependabot alerts to devels (previously it was only sent to org admins)
- Most don't necessarily involve a risk (e.g. a JavaScript dependency only exploitable in a back-end/Node.js server)...
- ... but it might still cause some unnecessary concern among devs/users regarding Ceph's security status
- Current list of vulnerable dependencies: https://github.com/ceph/ceph/security/dependabot
- 40% are Dashboard JavaScript ones (most could be dismissed since they only have an impact when used in Node.js apps)
- Remaining ones are:
- Python: requirements.txt (not relevant since Python package versions change with every distro and we assume distro-maintainers will fix those)
- It might become more relevant when we start packaging Python deps (https://github.com/ceph/ceph/pull/47501/)
- Golang: "/examples/rgw" path (Casey opened https://tracker.ceph.com/issues/58828, but maybe we should just dismiss the alert?)
- [Ernesto] Enabling Github Auto-merge feature in the Ceph repo
- Use case:
- There's a PR with approvals but flaky CI tests (API, make check, ...) (example: https://github.com/ceph/ceph/pull/50201)
- We could retrigger tests and come back to the PR page multiple times until all tests pass...
- ... Or we just click the "Auto-merge" button, fill out the merge message as usual, and let Github merge it when the CI tests pass.
- It'd reduce cognitive load, especially with small PRs (docs, backport PRs) where the overhead of the PR process is more noticeable.
- There's still one issue:
- Keeping Redmine in sync with Github
- It could be done when clicking Auto-merge, or by still requiring reviewers to poll the PR until it passes and then update Redmine (not ideal)
- A Github action that updates the tracker when Github merges the PR would be very useful
- Yuri/Ilya: discussion around backport requirement reverse order (needs-qa label vs. approvals vs. CI tests passing).
- Greg pointed out the risks of auto-merge merging PRs with patches submitted after passing requirements or approvals. Auto-merge status should be reset on new commits.
- Decision: not to enable it.
- Yuri suggested auto-labeling PRs with passing CI, so they better know when to start QA testing.
- Separate discussion on CI flakiness & stability and lack of clear points of contact (Kefu and David did that). For unit tests it's clear that affected teams should do that, but for infrastructure issues there's still a vacuum.
Kind Regards,
Ernesto