Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Opt-in resources request mechanism #767

Merged
merged 75 commits into from
Nov 13, 2023
Merged

Opt-in resources request mechanism #767

merged 75 commits into from
Nov 13, 2023

Conversation

jaimergp
Copy link
Member

@jaimergp jaimergp commented Jul 26, 2023
edited
Loading

WIP. See #767 (comment)

Closes #752.

@jaimergp jaimergp added the enhancement New feature or request label Jul 26, 2023
jaimergp and others added 21 commits July 26, 2023 17:19
jaimergp
jaimergp commented Aug 28, 2023
View reviewed changes
access_control.py Outdated Show resolved Hide resolved
jaimergp
jaimergp commented Aug 28, 2023
View reviewed changes
grant_access/example.txt Outdated Show resolved Hide resolved
@aktech
Copy link
Contributor

aktech commented Aug 28, 2023

This PR adds the ability to request grant/revoke access to an Opt-in ci resource (cirun in this case).

This depends on conda-forge/conda-smithy#1703, which adds this functionality in the conda-smithy CLI, See this conda-forge/conda-smithy#1703 (comment)

Requesting or Revoking CI Resources Access

For specific CI resources that are available on an opt-in basis, you can request access by submitting a PR with your feedstock name added to a relevant file under the grant_access/ directory. If you wish to revoke access, please make changes in the revoke_access/ directory.

List of opt-in resources:

  • GPU CI:
    • cirun-gpu-runner.txt: Grants access to the GPU runner on the main branch only.
    • cirun-gpu-runner-pr.txt: Provides GPU runner access for pull requests as well.

more of these will be added later, this is to get us started.

We're using txt files, for this via PR mechanism for the following reasons:

  • consistency with other mechanisms like broken/not-broken, archive/un-archive
  • dumb method for people to request/revoke access, with low possibility of errors/issues. We're eventually updating the .access.yml (to be created) file in the .cirun repo (example) eventually, this txt file method with concurrency one, also avoids creating conflicts in the .access.yml file.

@aktech aktech mentioned this pull request Aug 28, 2023
Merged
1 task
jaimergp
jaimergp commented Aug 31, 2023
View reviewed changes
environment.yml Outdated Show resolved Hide resolved
jaimergp
jaimergp commented Aug 31, 2023
View reviewed changes
access_control.py
import requests
from ruamel.yaml import YAML

GH_ORG = os.environ.get("GH_ORG", "conda-forge")
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we are offering admin-requests outside conda-forge so we could hardcode this, but this doesn't hurt either 👌

jaimergp
jaimergp commented Aug 31, 2023
View reviewed changes
access_control.py Outdated

GH_ORG = os.environ.get("GH_ORG", "conda-forge")

CIRUN_FILENAME_RESOURCE_MAPPING = {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the configuration dictionary that maps {grant,revoke}_access/<name>.txt to an actual resource in ... .access_control.yml? Or where? Can you document the expected schema with a #: comment on top?

@isuruf
Copy link
Member

isuruf commented Nov 9, 2023

@jaimergp, @aktech, this is good to go right?

(We need conda-forge/conda-smithy#1793 to clean this PR a little bit and conda-forge/conda-smithy#1794 to handle the teams correctly, but it should be possible to test without them)

jaimergp
jaimergp commented Nov 9, 2023
View reviewed changes
README.md Outdated Show resolved Hide resolved
@jaimergp
Copy link
Member Author

jaimergp commented Nov 9, 2023

this is good to go right?

I think so. There might be typos, mismatching identifiers, or simple errors that we will easily reveal once we try this live. The docs (as per comment above) seem to be outdated too, but I suggest we amend them once we know it's working.

One possible pain point is the maintenance of the access_control YAML here (for bookkeeping), because it might become a conflict source across PRs, so we need to ensure it's written in a consistent way (sort keys, etc). Again the kind of thing we will easily observe live.

@isuruf
Copy link
Member

isuruf commented Nov 10, 2023

I ran this on a different branch and fixed a bunch of failures.
Need conda-forge/conda-smithy#1799 and conda-forge/conda-smithy#1796

@isuruf
Copy link
Member

isuruf commented Nov 13, 2023

This is ready for a review now.

beckermr
beckermr approved these changes Nov 13, 2023
View reviewed changes
Copy link
Member

@beckermr beckermr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@isuruf
Copy link
Member

isuruf commented Nov 13, 2023

Thanks for the review. I'll start some docs PRs.

@isuruf isuruf merged commit 8331a5a into conda-forge:main Nov 13, 2023
1 check passed
@jaimergp
Copy link
Member Author

Awesome! Thanks! Please ping me in the docs PR when needed!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aktech aktech aktech left review comments

@isuruf isuruf isuruf left review comments

@beckermr beckermr beckermr approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Adding access control to CI providers and other resources
4 participants
@jaimergp @aktech @isuruf @beckermr