Set up user for automatic WDQS GUI builds
Closed, ResolvedPublic

Description

We need to set up a user for WDQS GUI automated builds. Instructions from @hashar:

  • releng get the password added to Jenkins credential store and releng secret store
  • get a private mailing list for the LDAP user - wdqs-gui-build@lists.wikimedia.org (T189810)
  • set up the email above as the email for the user wdqsguibuilder in LDAP.

Event Timeline

Smalyshev triaged this task as Medium priority. Mar 15 2018, 6:36 PM
Smalyshev created this task.
Smalyshev moved this task from Next to Waiting/Blocked on the User-Smalyshev board.

I can add a password to the Jenkins credential store but need to have that communicated to me in a secure way. Should we create a private Phabricator task or ... exchange PGP keys?

@mmodell If you send me an email with your public key (smalyshev@wikimedia) I think this should work. Thanks!

greg subscribed.

RelEng related things here done, the rest are in Ops bailiwick (mailing list and ldap).

We already have the user in LDAP (wdqsguibuilder) though for now it uses my email address. But I think we could try running it with this address, to ensure the procedure works?

@Smalyshev Sure I don't see why not.

https://gerrit.wikimedia.org/r/#/c/415769/3/jjb/wikidata.yaml creates the job with:

- ssh-agent-credentials:
    users:
        - 'wdqsguibuilder'

The job XML reflects that value properly:

<buildWrappers>
  <com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper>
    <user>wdqsguibuilder</user>
  </com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper>
</buildWrappers></project>

But in the GUI it fails to find that credential id and defaults to another one. The one the credential store lists has:

WDQSGUIBuilder    LDAP Login for WDQS GUI Builder

I guess it is case sensitive.

The Jenkins Credential store has one for a username and password in LDAP. It should instead be an SSH user with a private key, then the job will be able to push the change for review to Gerrit over git/ssh.

So a key pair should be generated and the public key added in Gerrit for the WDQSGUIBuilder. Then the private key added to the Jenkins credential store. I guess https://integration.wikimedia.org/ci/credentials/store/system/domain/_/credential/WDQSGUIBuilder/ can be deleted.
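An added example, not part of the original task discussion or of the Wikimedia CI configuration: a small audit that reads the ssh-agent wrapper from a job XML like the one quoted above and reports references that cannot resolve, either because the id differs only by case or because the stored credential is not an SSH private key. The job XML and the credential inventory are constructed samples, the kind labels are hypothetical, and exact, case-sensitive id matching is assumed, as the comment above suspects.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the job XML fragment quoted in the task.
JOB_XML = """<project><buildWrappers>
  <com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper>
    <user>wdqsguibuilder</user>
  </com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper>
</buildWrappers></project>"""

# Constructed inventory: credential id -> kind. The kind labels are
# hypothetical names for this example, not Jenkins class names.
STORE = {"WDQSGUIBuilder": "username_password"}

WRAPPER = "com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper"


def referenced_ids(job_xml):
    """Return the credential ids named by ssh-agent build wrappers."""
    root = ET.fromstring(job_xml)
    return [u.text.strip()
            for w in root.iter(WRAPPER)
            for u in w.iter("user") if u.text]


def audit(job_xml, store):
    """Return (credential_id, finding) for each reference that cannot work."""
    by_lower = {}
    for cid in store:
        by_lower.setdefault(cid.lower(), []).append(cid)
    findings = []
    for ref in referenced_ids(job_xml):
        if ref not in store:
            # Assumption: ids are compared exactly, so a case-only
            # difference means the lookup fails.
            near = by_lower.get(ref.lower(), [])
            if near:
                findings.append((ref, "case mismatch with " + ", ".join(near)))
            else:
                findings.append((ref, "not in store"))
        elif store[ref] != "ssh_private_key":
            findings.append(
                (ref, "is %s, ssh-agent needs ssh_private_key" % store[ref]))
    return findings


if __name__ == "__main__":
    for ref, finding in audit(JOB_XML, STORE):
        print(ref, "->", finding)
```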

Ok I fixed the credentials (added the private key and removed the LDAP user/password) ... @Smalyshev you will need to add the corresponding public key to Gerrit if you have not done so already. I re-ran the Jenkins job and it failed with a seemingly unrelated error about missing grunt.

Change 429540 had a related patch set uploaded (by Smalyshev; owner: Smalyshev):
[integration/config@master] Replace email with private list wdqs-gui-build@lists.wikimedia.org

https://gerrit.wikimedia.org/r/429540

Done! I edited the LDAP user (uid=wdqsguibuilder) and changed the email address field to wdqs-gui-build@lists.wikimedia.org.

@Smalyshev ticket resolved?

	homeDirectory: /home/wdqsguibuilder
	mail: wdqs-gui-build@lists.wikimedia.org
	uid: wdqsguibuilder

There's also https://gerrit.wikimedia.org/r/c/429540/ though it probably would also work without it.

Ah, I see. +1ed, I will have to leave this for Hashar to merge though. Don't have +2 on that repo. Let's keep the ticket open until then.

ok I +2'd it. hashar is out this week.

Change 429540 merged by jenkins-bot:
[integration/config@master] Replace email with private list wdqs-gui-build@lists.wikimedia.org

https://gerrit.wikimedia.org/r/429540

Smalyshev claimed this task.