WIP: Add semi automatic deployments

Closed. Sven-Hendrik Haase requested to merge add-semi-automatic-deployments into pu, Jul 25, 2020

The idea is to always deploy to dev if the pipeline succeeds and to offer the option to deploy to production manually if the master pipeline succeeds. I also suggest changing the branch names to be a bit more intuitive: develop would be the new integration branch which would automatically deploy to aur-dev.archlinux.org upon successful completion while master would be semi-automatic and the authorized developer would manually have to click deploy upon successful testing completion.

The "automatic" part would work like this:

  • The script part runs ssh deployme@aur.archlinux.org.
  • The runner would use a secret-injected private key id_rsa to make this connection to the deployme user on the other machine.
  • The other machine's deployme user would have the corresponding public key in a command-limited entry in its .ssh/authorized_keys file that would look like this: command="/path/to/aurweb/deploy/deployme.sh" <public key> GitLab automatic deployments aur.archlinux.org key.

Both branches would be protected so only a limited number of people can merge stuff to it. Additionally, the production environment would be protected and only a few hand-picked developers would even be able to deploy to it: https://docs.gitlab.com/ee/ci/environments/protected_environments.html

The command-restricted SSH keys ensure that even if somehow the private key would be exposed, all the attacker could do is keep deploying AUR.
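Added example, not code from this merge request or from the aurweb repository: a small POSIX sh lint for the command-restricted authorized_keys entry described in the bullets above, together with a stand-in for the forced command itself. It assumes the deployme.sh path quoted in the description; the key material and the deployme() function body are constructed placeholders. The point it adds to the description is the check a reviewer would want: a bare command= option stops the client from choosing what runs, but unless the entry also carries no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty, a leaked key can still be used to tunnel through the host, and the forced command must ignore SSH_ORIGINAL_COMMAND rather than execute it.

```shell
#!/bin/sh
# Added example (not aurweb's own deploy/deployme.sh): lint a deploy-only
# authorized_keys entry and show a forced command that ignores the client's
# requested command.

# Options a deploy-only key should carry besides command=. They close the
# side channels (TCP/agent/X11 forwarding, interactive pty) that a bare
# command= restriction leaves open to whoever holds the private key.
REQUIRED_OPTS="no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty"

# Build an authorized_keys line in the shape the MR describes:
#   command="<script>",<restrictions> <public key> <comment>
make_deploy_key_line() {
    cmd=$1; pubkey=$2; comment=$3
    opts="command=\"$cmd\""
    for opt in $REQUIRED_OPTS; do opts="$opts,$opt"; done
    printf '%s %s %s\n' "$opts" "$pubkey" "$comment"
}

# Return 0 if the line is command-restricted and carries every option in
# REQUIRED_OPTS, 1 otherwise (reason on stderr).
check_deploy_key_line() {
    line=$1
    # The option field is everything before the key type token.
    opts=${line%% ssh-*}
    opts=${opts%% ecdsa-*}
    case "$opts" in
        *command=\"*\"*) ;;
        *) echo "missing command= restriction" >&2; return 1 ;;
    esac
    for opt in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) echo "missing option: $opt" >&2; return 1 ;;
        esac
    done
    return 0
}

# Hypothetical stand-in for the forced command. sshd exports whatever the
# client asked to run as SSH_ORIGINAL_COMMAND; a deploy-only script records
# it for the audit trail and never executes it, so the key can trigger a
# deployment and nothing else.
deployme() {
    requested=${SSH_ORIGINAL_COMMAND:-<none>}
    printf 'deploying aurweb (client requested: %s, ignored)\n' "$requested"
}

# Stand-alone usage with a constructed (not real) public key.
SAMPLE=$(make_deploy_key_line \
    "/path/to/aurweb/deploy/deployme.sh" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE" \
    "GitLab automatic deployments aur.archlinux.org key")
printf '%s\n' "$SAMPLE"
check_deploy_key_line "$SAMPLE" && echo "deploy key entry OK"
```

Run it with `sh deploy_key_check.sh`; to lint the live file, loop over the lines of the deployme user's .ssh/authorized_keys and call check_deploy_key_line on each.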

Edited Jul 26, 2020 by Sven-Hendrik Haase
Source branch: add-semi-automatic-deployments