releng

Clone
Source Code
GIT

#12416 fedpkg request-branch should be able to circumvent *Prevent creating new branches by git push* hook
Opened 8 months ago by churchyard. Modified 4 months ago

Open
Close issue as:
Can't Fix Duplicate Fixed Get back later Grooming Insufficient data Invalid It's all good taiga upstream Fixed with Explanation
  • Describe the issue

I have the Prevent creating new branches by git push hook activated in many of the packages I maintain. This prevents some from accidentally pushing feature branches to distgit instead of my fork.

When requesting new branches via fedpkg request-branch @releng-bot errors with:

Traceback (most recent call last):
  File "/code/toddlers/plugins/scm_request_processor.py", line 189, in process
    self.process_ticket(issue)
  File "/code/toddlers/plugins/scm_request_processor.py", line 301, in process_ticket
    self.create_new_branch(issue, issue_body)
  File "/code/toddlers/plugins/scm_request_processor.py", line 780, in create_new_branch
    self.dist_git.new_branch(
  File "/code/toddlers/utils/pagure.py", line 496, in new_branch
    raise PagureError(
toddlers.exceptions.pagure_error.PagureError: Couldn't create branch in project 'rpms/python-u-msgpack-python'

Request to 'https://src.fedoraproject.org/api/0/rpms/python-u-msgpack-python/git/branch':
{'branch': 'epel10', 'from_commit': 'bde80a2f71ca8f8d734a3dedcac875192e2a04ac'}

Response:
{'error': 'Remote hook declined the push: Creating a new reference/branch is not allowed in this project.', 'error_code': 'ENOCODE'}

Status code: 400

See e.g. https://pagure.io/releng/fedora-scm-requests/issue/69055 cc @tdawson

However, when new Fedora is branched, this is not an issue. That means releng has the means to create branches in distgit even when the Prevent creating new branches by git push hook is active.

Please, make fedpkg request-branch work even with the active hook. Thanks.

  • When do you need this? any time

  • When is this no longer needed or useful? when we ditch pagure

  • If we cannot complete your request, what is the impact? wasted time and effort by mostly EPEL packagers

Thank you

Metadata Update from @phsmoura:
- Issue tagged with: medium-gain, medium-trouble, ops
8 months ago

Came here from this bug, and just wanted to add some quick observations.

I suspect running scm_request_processor.py on the pkgs01 machine is probably not desirable, so the question becomes whether that hook is supposed to block API requests to create branches. My assumption from the name is that it would only block them from a literal git push, not from an API call.

I agree with the assumption that the hook should only block branch creating by git push.

It should also block API requests unless the API user is using an admin token (which can only be created by the pagure admin). Otherwise regular users can easily circumvent it.

The hook is designed to avoid accidental branch creation by pushing. Circumventing it by calling the API first is not a big deal IMHO.

Log in to comment on this ticket.

Metadata
None

medium-gain ops medium-trouble

None
None
None
None
None
None
Boards 1
Ops Status: Backlog
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.