please create staging-ffxbld account on hg.m.o

RESOLVED FIXED

Status

mozilla.org Graveyard
Server Operations
--
critical
RESOLVED FIXED
10 years ago
3 years ago

People

(Reporter: bhearsum, Assigned: aravind)

Tracking

Details

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
Created attachment 338910 [details]
staging ffxbld public key

Originally I thought we could use the regular 'ffxbld' account to do staging runs of releases but as I ramped up to do that I realized that requires putting production keys on staging machines. This is bad because it increases the chance of accidentally pushing to a production repository or pushing something to stage.m.o.

Because of this, can we get a 'staging-ffxbld' account created? I've attached a public key for it...
(Reporter)

Updated

10 years ago
Blocks: 454205
(Reporter)

Updated

10 years ago
Severity: normal → critical
(Assignee)

Comment 1

10 years ago
So... sorry to be asking questions here, but do these staging accounts also need r/w access to production mercurial?  I was under the impression that all that would come through the ffxbld user.  Can you just use https for this stuff?
Assignee: server-ops → aravind
(Reporter)

Comment 2

10 years ago
Sorry:
This staging account should only have r/w access to its user directory. This account is for doing test runs of release where we set-up and teardown clones of mozilla-central and locales.

the existing 'ffxbld' account should have r/w access to the real repositories for doing things such as version bumps during releases.

Does that help?
(Assignee)

Comment 3

10 years ago
Okay, so this is a regular account with no access to mozilla-central, etc.  It will just have r/w access to hg.m.o/users/stage.

Oh, and can we make it a generic stage account (instead of stage-ffxbld), so other builds can use it as well?  Since it will not have r/w to any of the code repos, I don't mind making this a generic account.
(Reporter)

Comment 4

10 years ago
I'm not sure what you mean by a generic account. Certain Build VMs are the only ones with the private key so I'm not sure how generic it can be.
(In reply to comment #3)
> Oh, and can we make it a generic stage account (instead of stage-ffxbld), so
> other builds can use it as well?  Since it will not have r/w to any of the code
> repos, I don't mind making this a generic account.

Accounts with access to hg_mozilla stuff have access to code repos, including comm-central and tamarin-central, so that's not true. I'd prefer we not give r/w access to Hg to anything/anybody more than we have to.
(Assignee)

Comment 6

10 years ago
stage-ffxbld is the new uid, sorry I saw that you wanted staging-ffxbld after I had created everything.  I can change it if you want me to.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Reporter)

Comment 7

10 years ago
no worries about the name - it's fine.
(Reporter)

Comment 8

10 years ago
Can we make stage-ffxbld repositories accessible via http?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 9

10 years ago
Done.
Status: REOPENED → RESOLVED
Last Resolved: 10 years ago10 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.