x/build/cmd/relui: support pre-building security releases #53799

Closed
heschi opened this issue Jul 11, 2022 · 11 comments
heschi commented Jul 11, 2022

Today we build security releases after their fixes have been publicized and merged, which makes it hard to reliably hit preannounced dates. (For example, https://groups.google.com/g/golang-announce/c/vtbMjE04kPk)

Add support for building from the private repository the fixes are developed on so that we can have the binaries ready to go in advance of the release date.

@heschi heschi self-assigned this Jul 11, 2022
@gopherbot gopherbot added the Builders x/build issues (builders, bots, dashboards) label Jul 11, 2022
@gopherbot gopherbot added this to the Unreleased milestone Jul 11, 2022
@heschi heschi added the NeedsFix The path to resolution is known, but the work has not been done. label Jul 11, 2022
@gopherbot

Change https://go.dev/cl/416878 mentions this issue: internal/relui: support pre-building security releases

@gopherbot

Change https://go.dev/cl/417215 mentions this issue: cmd/relui,gerrit: use application default creds for Gerrit auth

@heschi heschi added this to In Progress in Go Release Team Jul 13, 2022
@dmitshur

CC @golang/release.

gopherbot pushed a commit to golang/build that referenced this issue Jul 13, 2022
Today we build security releases after their fixes have been publicized
and merged, which makes it hard to reliably hit preannounced dates.
(For example, https://groups.google.com/g/golang-announce/c/vtbMjE04kPk)

Support building from a ref on the internal security repository, which
relui now has permissions to read.

To prevent mistakes where the code in the internal repository is out of
sync with the code we eventually publish, before we start publishing the
release, we check that building a source archive from the release branch
yields the same result as the archive we're releasing.

For golang/go#53799.

Change-Id: I23ac49ff42773ff21c152d563e1955af5fc800d1
Reviewed-on: https://go-review.googlesource.com/c/build/+/416878
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
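
The commit message above describes checking that a source archive built from the release branch matches the archive being released. The following is an added example, not code from relui or the golang/build repository: it assumes the comparison is made on archive contents (path, mode, file bytes) rather than raw bytes, and works on an uncompressed tar, so a .tar.gz would first be decompressed with compress/gzip. The names contentDigest and makeArchive and the sample paths are hypothetical.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"fmt"
	"io"
	"sort"
	"strings"
	"time"
)

// contentDigest hashes sorted (path, mode, content hash) entries; order and mtime are ignored.
func contentDigest(tarball []byte) (string, error) {
	var entries []string
	for tr := tar.NewReader(bytes.NewReader(tarball)); ; {
		h, err := tr.Next()
		if err == io.EOF {
			sort.Strings(entries)
			return fmt.Sprintf("%x", sha256.Sum256([]byte(strings.Join(entries, "")))), nil
		} else if err != nil {
			return "", err
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return "", err
		}
		entries = append(entries, fmt.Sprintf("%q %o %x\n", h.Name, h.Mode, sha256.Sum256(body)))
	}
}

// makeArchive builds a constructed sample tar in memory (hypothetical helper, not relui code).
func makeArchive(files map[string]string, mtime int64) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(body)), ModTime: time.Unix(mtime, 0)})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	src := map[string]string{"go/VERSION": "go0.0.0-sample\n", "go/src/fix.go": "package fix\n"} // constructed
	a, _ := contentDigest(makeArchive(src, 1)) // stands in for the prebuilt archive
	b, _ := contentDigest(makeArchive(src, 2)) // stands in for the rebuild from the release branch
	fmt.Println("same source:", a == b)
}
```

A mismatch between the two digests means the prebuilt binaries were produced from source that differs from what is about to be published, which is the mistake the check is there to catch.
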
gopherbot pushed a commit to golang/build that referenced this issue Jul 13, 2022
relui needs to use its service account to access the private security
repository, and while I'm at it it might as well use it for the public
repo too. Add support to the gerrit package and use it in relui.

I adapted this code from the Gerrit team's auth daemon:
https://gerrit.googlesource.com/gcompute-tools/+/refs/heads/master/git-cookie-authdaemon
There may be better ways to do it but this works on my machine.

For golang/go#53799.

Change-Id: Iec302f4e4e336c21258019b0c20898280e249380
Reviewed-on: https://go-review.googlesource.com/c/build/+/417215
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
Auto-Submit: Heschi Kreinick <heschi@google.com>
@gopherbot

Change https://go.dev/cl/417834 mentions this issue: internal/relui: fix bad workflow definition

@gopherbot

Change https://go.dev/cl/417592 mentions this issue: cmd/relui: fix private Gerrit URL


heschi commented Jul 15, 2022

The basic support exists as of the CLs above. Remaining work: add TryBots (at least the ones we consider secure) so that we are less likely to break secondary ports.

gopherbot pushed a commit to golang/build that referenced this issue Jul 15, 2022
I messed up the merge in CL 416878. Probably need some test coverage
here.

For golang/go#53799.

Change-Id: Iab82fcb7424c888e8340a3d5f942271773c2d6a1
Reviewed-on: https://go-review.googlesource.com/c/build/+/417834
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit to golang/build that referenced this issue Jul 15, 2022
Got the path wrong.

For golang/go#53799.

Change-Id: I576c2991d5297da11307cb033cb3ad3125986f8f
Reviewed-on: https://go-review.googlesource.com/c/build/+/417592
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot

Change https://go.dev/cl/419415 mentions this issue: internal/relui: run "advisory" trybots

gopherbot pushed a commit to golang/build that referenced this issue Jul 26, 2022
We don't have the ability to run security fixes through the real TryBots
before we commit them to the private repo. To avoid surprises like we
just had with the wasm tests, run secondary TryBots, but don't treat
them as release-blocking. If any fail, the coordinator will be asked to
approve the results.

For golang/go#53799.

Change-Id: Icad4ece6e32f47dc81f4a8d850f56cf488c7a030
Reviewed-on: https://go-review.googlesource.com/c/build/+/419415
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
Auto-Submit: Heschi Kreinick <heschi@google.com>

heschi commented Jul 26, 2022

This is done afaik.

@heschi heschi closed this as completed Jul 26, 2022
Go Release Team automation moved this from In Progress to Done Jul 26, 2022
@gopherbot

Change https://go.dev/cl/419427 mentions this issue: internal/relui: fix dry-run build workflow

gopherbot pushed a commit to golang/build that referenced this issue Jul 27, 2022
The tryBotsApproved related steps were marked as unused in the dry-run
flow, so use them.

Updates golang/go#53799

Change-Id: Ifc231ed9a7a4e85954bc8d7ef1ed1d6b393807f6
Reviewed-on: https://go-review.googlesource.com/c/build/+/419427
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Auto-Submit: Jenny Rakoczy <jenny@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot

Change https://go.dev/cl/420543 mentions this issue: internal/relui: mail DL CLs after release approved

gopherbot pushed a commit to golang/build that referenced this issue Aug 2, 2022
We put the DL CL early to avoid having to wait for proxy.golang.org, but
now that we're prebuilding, it doesn't make so much sense: either it
hangs around for days or we submit it way early. Move it to the rest of
the publishing steps.

For golang/go#53799.

Change-Id: I12df3019c8278d7c72fe8dc308e209ff3bf5c131
Reviewed-on: https://go-review.googlesource.com/c/build/+/420543
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Heschi Kreinick <heschi@google.com>
Auto-Submit: Heschi Kreinick <heschi@google.com>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
@gopherbot

Change https://go.dev/cl/426799 mentions this issue: internal/task: allow release blockers with approval

gopherbot pushed a commit to golang/build that referenced this issue Aug 31, 2022
For security releases we expect there to be release blockers that will
be resolved only after the release is published. Allow the coordinator
to approve that situation.

For golang/go#53799.

Change-Id: I94cd4c0b3c7b3af22557ca19be19ac923add9b86
Reviewed-on: https://go-review.googlesource.com/c/build/+/426799
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@golang golang locked and limited conversation to collaborators Aug 30, 2023