Page MenuHomePhabricator

Gerrit workflow: "Merge review" AND "Open push" for BlueSpice?
Closed, ResolvedPublic

Description

At BlueSpice, we build the distribution package from REL1_31 (LTS) branch. We have developed a new release in a custom branch called REL1_31_dev. Now, after we released, we'd like to merge all REL1_31_dev into REL1_31 and keep the commit history. A workflow could look like

git checkout -b REL1_31_dev origin/REL1_31_dev
git checkout -b REL1_31 origin/REL1_31
git merge -X theirs REL1_31_dev
git clean -fdx
git add -A
git commit -m "Merge branch REL1_31_dev"

This will result in dozens or hundreds of commits to be pushed to origin. We have enabled "Merge review" for our repositories, so git push results in

! [remote rejected] REL1_31 -> REL1_31 (prohibited by Gerrit: ref update access denied)

Of course we do not want to create new reviews on gerrit for all these commits.

  • Can you give us advice on how to deal with this?
  • Would it be possible to enable "Merge review" AND "Open push" at the same time?
  • Would it be possible to limit "Open push" to a certain user account?

Any advice is much appreciated!

Event Timeline

Osnard created this task.Sep 30 2019, 2:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 30 2019, 2:49 PM
Mainframe98 moved this task from Bugs & stuff to Discussions & doc stuff on the Gerrit board.

Does it give any clearer error?

I would think it wants you to add "Forge Author Identity" to the project's ACL.

Osnard updated the task description. (Show Details)Oct 1 2019, 6:01 AM
Osnard added a comment.Oct 1 2019, 6:06 AM

I detail it says

remote: Branch refs/heads/REL1_31:
remote: You are not allowed to perform this operation.
remote: To push into this reference you need 'Push' rights.
remote: User: rvogel
remote: Please read the documentation and contact an administrator
remote: if you feel the configuration is incorrect
remote: Processing changes: refs: 1, done    
To ssh://rvogel@gerrit.wikimedia.org:29418/mediawiki/extensions/BlueSpiceSignHere
 ! [remote rejected] REL1_31 -> REL1_31 (prohibited by Gerrit: ref update access denied)

So it's probably the Push permission that is missing.

Osnard added a comment.EditedOct 1 2019, 6:14 AM

Okay, I just set the Push permission to group bluespice on https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/extensions/BlueSpiceSignHere,access and now it works. Thank you very much.

Can I create a dedicated group bluespice-admin for this usecase? Because I actually don't want all members of bluespice to be able to push without review. Member of bluespice-admin would be users mglaser, rvogel and bluespicebot.

Is there an easy way to set the Push permission on all BlueSpice-prefixed repos?

hashar added a subscriber: hashar.Oct 1 2019, 6:57 AM

This will result in dozens or hundreds of commits to be pushed to origin. We have enabled "Merge review" for our repositories, so git push results in

Do not push? You can send for review the merge commit and one can then Code-Review +2 :]

Osnard added a comment.Oct 1 2019, 7:05 AM

Yes, I actually want to push instead of review, as I just want to synchronize branches REL1_31 and REL1_31_dev. In REL1_31_dev everything has already been reviewed, so I don't want to review all those commits again when merging them into REL1_31. I believe the above workflow works just fine. The only issue is the Push permission. But there is a solution now.

So no easy way to create a bluespice-admin group and set Push permission for all BlueSpice* repos?

Osnard triaged this task as High priority.Oct 15 2019, 12:03 PM

@Paladox @hashar Sorry to bother you, but this is urgent to me. I need a bluespice-admin group with members Mglaser, Pwirth and Robert Vogel. Additionally I need all BlueSpice*-repos to allow Push to this group. What do I need to do? Can you please help me?

Mentioned in SAL (#wikimedia-releng) [2019-10-15T12:08:41Z] <paladox> create group “bluespice-admin” in gerrit per T234224

@Osnard hi! I’ve gone ahead and created “ bluespice-admin” I doint think I have the perms to touch the bluespice repos but you should be able to. All you need to do is use Gerrits ui, go to Access Control, click add new reference (if refs/* or refs/heads/* is not there) then choose the group and then scroll down the list to “Push” (it’s a drop down).

Osnard closed this task as Resolved.Oct 18 2019, 6:54 AM
Osnard claimed this task.

Thank you very much.

@Paladox: Also thanks from my side, for transparently explaining and documenting stuff in T234224#5574900! :)

hashar added a comment.Fri, Nov 8, 2:02 PM

Yes, I actually want to push instead of review, as I just want to synchronize branches REL1_31 and REL1_31_dev. In REL1_31_dev everything has already been reviewed, so I don't want to review all those commits again when merging them into REL1_31. I believe the above workflow works just fine. The only issue is the Push permission. But there is a solution now.

I am late. You should be able to synchronize the branches using a merge commit and send that for review. Since the changes in REL1_31-dev already have been merged, they are not going to be cause Gerrit to create a new change for each of the changes not in REL1_31. It would only create a change for the merge commit. Locally just merge the REL1_31-dev branch from Gerrit into REL1_31 and send that for review :]

Detailed example

Lets assume you gotta create two bug fixes, your local history would be:

* (REL1_31-dev) Bug fix #2
* Bug fix #1
* (REL1_31, origin/REL1_31, origin/REL1_31-dev) Tip of 1.31 branch

You send that for review, that generate two changes, one for each of the bug fixes. You then CR+2, get CI to merge them and locally fetch. Your local repository will then look like:

* (REL1_31-dev, origin/REL1_31-dev) Bug fix #2
* Bug fix #1
* (REL1_31, origin/REL1_31, origin/REL1_31-dev) Tip of 1.31 branch

The two bugs are now in Gerrit RE1_31-dev branch. To sync the branch locally you would first need to ensure your REL1_31 and REL1_31-dev branches are matching Gerrit (git branch -vv should tell you, or look at git log --oneline --decorate --graph). Then:

$ git checkout REL1_31
$ git merge REL1_31-dev
<amend commit message>
$ git commit --amend  # to add a Change-Id: line to the commit message

Locally the repo will look like:

$ git log --graph --oneline --decorate REL1_31 REL1_31-dev
* (REL1_31) Merge REL1_31-dev into REL1_31
* \
|  * (REL1_31-dev, origin/REL1_31-dev) Bug fix #2
|  * Bug fix #1
| /
* (REL1_31, origin/REL1_31, origin/REL1_31-dev) Tip of 1.31 branch

If you send that for review (git push origin REL1_31:refs/for/REL1_31), only the merge commit create a new change. Gerrit detects that Bug fix #1 and Bug fix #2 have already been merged.

The change WILL trigger CI and you thus know that tests are all passing just fine. You can then +2 it and the REL1_31 branch will have been synced.

By using Push, you effectively bypass CI and might well introduce unsuspected failure when integrating REL1_31-dev branch (in theory).