Hi Cephers,
These are the minutes of today's meeting (quicker than usual since some CLT
members were at Ceph Days NYC):
- *[Yuri] Upcoming Releases:*
  - Pending PRs for Quincy
  - Sepia Lab still absorbing the PR queue after the past issues
- [Ernesto] GitHub started sending Dependabot alerts to devs (previously it was only sent to org admins)
  - https://github.blog/2023-01-17-dependabot-alerts-are-now-visible-to-more-de…
  - Most don't necessarily involve a risk (e.g.: JavaScript dependency only exploitable in a back-end/node.js server)...
  - ... but it might still cause some unnecessary concern among devs/users regarding Ceph security status
  - Current list of vulnerable dependencies: https://github.com/ceph/ceph/security/dependabot
    - 40% are Dashboard JavaScript ones (most could be dismissed since they only have an impact when used in node.js apps)
    - Remaining ones are:
      - Python: requirements.txt (not relevant since Python package versions change with every distro and we assume distro maintainers will fix those)
        - It might become more relevant when we start packaging Python deps (https://github.com/ceph/ceph/pull/47501/)
      - Golang: "/examples/rgw" path (Casey opened https://tracker.ceph.com/issues/58828, but maybe we should just dismiss the alert?)
- [Ernesto] Enabling the GitHub Auto-merge feature in the Ceph repo
  - https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/i…
  - Use case:
    - There's a PR with approvals but flaky CI tests (API, make check, ...) (example: https://github.com/ceph/ceph/pull/50201)
    - We could retrigger tests and come back to the PR page multiple times until all tests pass...
    - ... Or we just click the "Auto-merge" button, fill out the merge message as usual, and let GitHub merge it when the CI tests pass.
  - It'd reduce cognitive load, especially with small PRs (docs, backport PRs) where the overhead of the PR process is more noticeable.
  - There's still one issue:
    - Keeping Redmine in sync with GitHub
      - It could be done when clicking Auto-merge, or by still requiring reviewers to poll the PR until it passes and then updating Redmine (not ideal)
      - A GitHub action that updates a tracker when GitHub merges the PR would be very useful
  - Yuri/Ilya: discussion around backport requirement reverse order (needs-qa label vs. approvals vs. CI tests passing).
  - Greg pointed out the risks of auto-merge merging PRs with patches submitted after passing requirements or approvals. Auto-merge status should be reset on new commits.
  - Decision: not to enable it.
  - Yuri suggested auto-labeling PRs with passing CI, so they better know when to start QA testing.
  - Separate discussion on CI flakiness & stability and the lack of clear points of contact (Kefu and David did that). For unit tests it's clear that affected teams should do that, but for infrastructure issues there's still a vacuum.
Kind Regards,
Ernesto