Hi Cephers,

These are the minutes of today's meeting (quicker than usual since some CLT members were at Ceph Days NYC):

[Yuri] Upcoming Releases:

Pending PRs for Quincy

Sepia Lab still absorbing the PR queue after the past issues

[Ernesto] Github started sending dependabot alerts to devels (previously it was only sent to org admins)

https://github.blog/2023-01-17-dependabot-alerts-are-now-visible-to-more-developers/

Most don't necessarily involve a risk (e.g.: Javascript dependency only exploitable in a back-end/node.js server)...

... but it might still cause some unnecessary concern among devs/users regarding Ceph security status

Current list of vulnerable dependencies: https://github.com/ceph/ceph/security/dependabot

40% are Dashboard Javascript ones (most could be dismissed since only impact when used on node.js apps)

Remaining ones are:

Python: requirements.txt (not relevant since Python package versions change with every distro and we assume distro-maintainers will fix those)

It might become more relevant when we start packaging Python deps (https://github.com/ceph/ceph/pull/47501/)

Golang: "/examples/rgw" path (Casey opened https://tracker.ceph.com/issues/58828, but maybe we should just dismiss the alert?)

[Ernesto] Enabling Github Auto-merge feature in the Ceph repo

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request

Use case:

There's a PR with approvals but flaky CI tests (API, make check, ...) (example: https://github.com/ceph/ceph/pull/50201)

We could retrigger tests and come back to the PR page multiple times until all tests pass...

... Or we just click the "Auto-merge" button, fill out the merge message as usual, and let Github merge it when the CI tests pass.

It'd reduce cognitive load, especially with small PRs (docs, backport PRs) where the overhead of the PR process is more noticeable.

There's still one issue:

Keeping Redmine in sync with Github

It could be done: when clicking the Auto-merge or still requiring reviewers to poll the PR until passed and then updating Redmine (not ideal)

A Github action that update a tracker when Github merges the PR would be very useful

Yuri/Ilya: discussion around backport requirement reverse order (needs-qa label vs. approvals vs. CI tests passing).

Greg pointed out the risks of auto-merge merging PRs with patches submitted after passing requirements or approvals. Auto-merge status should be reset on new commits.
Decision: not to enable it.

Yuri suggested auto-labeling PRs with passing CI, so they better know when to start QA testing.

Separate discussion on CI flakiness & stability and lack of clear points of contact (Kefu and David did that). For unit tests it's clear that affected teams should do that, but for infrastructure issues there's still a vacuum.

Kind Regards,

Ernesto