Luca Boccassi writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> As far as I understand in the current proposal the trigger is a
> webhook running on Salsa after a push - have you considered instead
> having the trigger be a stage in the salsa-ci pipeline, that would run
> after the previous stages have completed successfully? IE, like we can
> do today with aptly or pages publishing, for example. What runs in the
> pipeline is still under the control of the individual repo
> maintainers, but the default would mean having this additional CI
> step, which I think is what Andreas is hinting at, but solve it on the
> other end of the pipeline - at the beginning, rather than at the end.I think would be possible in principle. It would certainly be nice to be able to say "please upload this but only if the Salsa CI passes". It is more complicated, though, than simply having the webhook run off CI jobs instead. A webhook is supposed just to be a trigger to look at something, not a definitive API call; conversely, the user ought not to make a signed tag requesting an unconditonal upload if what theyt really mean is "upload if CI passes". So to do this properly the t2u server should somehow separately verify that the CI has passed. I think this probably means having a CI job job which signs a "tests passed on this commit" tag using a key available to Salsa, and providing the t2u server with *both* signatures. (Since we don't want the t2u server making API calls to salsa!) I don't propose to implement this right away. Ian. -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
