This task covers the long-term solution for T304557 laid out in T304557#7834670. From that comment:
Introduce a service user in Gerrit which is intended to be used to push wikiversions.json changes that are made during train deployments. Maybe we could reuse the account used by the train branch bot.
Generate an ssh key pair which is held in the Puppet/SRE repository holding secrets.
Load that key into the deployment server keyholder.
Change scap to git push for review as the train branch bot user. It will need the Gerrit permission Forge Author Identity since the commit author is ourselves rather than the train bot. The git push command in scap/deploy_promote.py could use the pushInsteadOf git configuration trick:
gitcmd('-c', 'url."ssh://<SHELL USERNAME>@gerrit.wikimedia.org:29418".pushInsteadOf=https://gerrit.wikimedia.org/r', 'push')
Or alternatively when scap prep clones operations/mediawiki-config we could set the push url:
self._clone_or_update_repo(os.path.join(SOURCE_URL, "operations/mediawiki-config"),
self.config["operations_mediawiki_config_branch"],
self.config["stage_dir"],
logger,
)
+ gitcmd("remote", "set-url", "--push", "origin", "ssh://gerrit.wikimedia.org/r/operations/mediawiki-config)
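Review bot: the added gitcmd("remote", "set-url", "--push", ...) line never closes the double quote on the URL string, so the call will not parse; add the closing quote before the parenthesis. The push URL also differs from the pushInsteadOf example above: it has no username, omits port 29418 and keeps the /r prefix of the HTTPS URL. Either use the same form (ssh://<SHELL USERNAME>@gerrit.wikimedia.org:29418/operations/mediawiki-config) or note where the user and port are expected to come from.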
Which has the advantage that if one has to push from their terminal, the push url is correct. That is typically the case when doing a rollback since we do:
git revert HEAD
scap <whatever>
git push origin HEAD:refs/for/master
- Agree on which user to use
- Create ssh key for user if one doesn't exist
- Add key to production keyholder accessible by the deployers group
- Ensure user can push others' patches
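
The two push-URL options discussed above can be compared offline in a throwaway repository. This is an added example, not scap's code: SERVICE_USER is a placeholder for whichever Gerrit account is agreed on, and the helper function names are made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: no network access, nothing is pushed.
set -eu
# Ignore the caller's own git config so the results are deterministic.
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1

HTTPS_BASE="https://gerrit.wikimedia.org/r"
# Assumption: SERVICE_USER stands in for the agreed Gerrit service account.
SSH_BASE="ssh://SERVICE_USER@gerrit.wikimedia.org:29418"
REPO="operations/mediawiki-config"

# Empty repository whose origin mimics the anonymous HTTPS clone URL.
make_clone() {
    local dir
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" remote add origin "$HTTPS_BASE/$REPO"
    echo "$dir"
}

# Option 1: pushInsteadOf passed with -c, in effect for this one command only.
push_url_with_insteadof() {
    git -C "$1" -c "url.$SSH_BASE.pushInsteadOf=$HTTPS_BASE" \
        remote get-url --push origin
}

# Option 2: push URL stored in the clone's own .git/config.
set_push_url() {
    git -C "$1" remote set-url --push origin "$SSH_BASE/$REPO"
}

# Push URL a plain "git push origin ..." from a terminal would resolve to.
plain_push_url() {
    git -C "$1" remote get-url --push origin
}

clone=$(make_clone)
echo "option 1, inside the -c command: $(push_url_with_insteadof "$clone")"
echo "option 1, plain terminal push:   $(plain_push_url "$clone")"
set_push_url "$clone"
echo "option 2, plain terminal push:   $(plain_push_url "$clone")"
echo "fetch URL (unchanged):           $(git -C "$clone" remote get-url origin)"
rm -rf "$clone"
```

Once option 2 has stored an explicit push URL, git ignores any pushInsteadOf rule for that remote.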