Hi Cephers,
These are the minutes of today's meeting (quicker than usual since some CLT members were at Ceph Days NYC):
- [Yuri] Upcoming Releases:
  - Sepia Lab is still absorbing the PR queue after the past issues
- [Ernesto] GitHub started sending Dependabot alerts to devs (previously they were only sent to org admins)
  - Most don't necessarily involve a risk (e.g. a JavaScript dependency that is only exploitable in a back-end/node.js server)...
  - ... but it might still cause unnecessary concern among devs/users regarding Ceph's security status
  - 40% are Dashboard JavaScript ones (most could be dismissed since they only have an impact when used in node.js apps)
  - Python: requirements.txt (not relevant since Python package versions change with every distro and we assume distro maintainers will fix those)
- [Ernesto] Enabling the GitHub Auto-merge feature in the Ceph repo
  - We could retrigger tests and come back to the PR page multiple times until all tests pass...
  - ... or we just click the "Auto-merge" button, fill out the merge message as usual, and let GitHub merge it when the CI tests pass.
  - It'd reduce cognitive load, especially with small PRs (docs, backport PRs) where the overhead of the PR process is more noticeable.
  - Keeping Redmine in sync with GitHub
    - It could be done either when clicking Auto-merge, or by still requiring reviewers to poll the PR until it passes and then updating Redmine (not ideal)
    - A GitHub Action that updates a tracker when GitHub merges the PR would be very useful
  - Yuri/Ilya: discussion around the reverse order of backport requirements (needs-qa label vs. approvals vs. CI tests passing).
  - Greg pointed out the risk of auto-merge merging PRs with patches submitted after the requirements or approvals were met. Auto-merge status should be reset on new commits.
  - Decision: not to enable it.
  - Yuri suggested auto-labeling PRs with passing CI, so they better know when to start QA testing.
- Separate discussion on CI flakiness & stability and the lack of clear points of contact (Kefu and David used to do that). For unit tests it's clear that the affected teams should do that, but for infrastructure issues there's still a vacuum.