Closed Bug 1599394 Opened 6 years ago Closed 5 years ago

Enable bors on mozilla/glean

Categories

(mozilla.org :: Github: Administration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: janerik, Unassigned)

I want to use the bors addon on mozilla/glean.

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)

mozilla/glean

** Are any of those repositories private?

No

** Provide link to vendor's description of permissions needed and why

(can't find that quickly, but the addon itself is already used for some other repositories)

** Provide the Install link for a GitHub app

https://github.com/apps/bors/installations/new

I have mixed feelings about bors.
I understand the value of the tool, there's no question it makes the GitHub workflow better.
But it's effectively a bot that is operated completely outside of mozilla, by an organization (or an individual) we know nothing about, and that is granted write access to our repositories.
:hwine is looking at its security posture to better understand the risks, and my tinfoil-hat advice is to avoid it until we know more.

I understand those hesitations.
We could host it ourselves (I know, I know, someone would then need to maintain that).
So far 2 high-stakes repositories (fenix and android-components) are using it.

Glean can currently operate without it (though we do block simplifying our CI a bit on this).

Normandy uses it as well, so that makes 3. And we refused to use it on other projects, like Sops. There's definitely a demand for it.

See Also: → 1601752

Glean's CI is growing, plus we're in the process of also integrating TaskCluster support.
bors would help with our workflow and also allow us to run more expensive tasks on merge only, instead of on all PRs.

:hwine, is there a way forward for us enabling the public bors-ng instance for our repository? Alternatively is there any progress on hosting a Mozilla-controlled instance?

Flags: needinfo?(hwine)

The public instance is not suitable for sensitive work. The internal instance is bug 1601752 -- any timing questions should go to the folks who own that bug.

Flags: needinfo?(hwine)

I don't see any further actions needed.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED