The commit https://gerrit.wikimedia.org/r/#/c/185989/ has still not been merged to github (https://github.com/wikimedia/mediawiki-extensions-Comments/commits/master)
Description
Related Objects
Event Timeline
Judging by https://github.com/wmfgerrit?tab=activity it appears all replication to github is broken.
The heck?
[2015-01-20 21:39:51,100] ERROR com.googlesource.gerrit.plugins.replication.ReplicationQueue : Cannot replicate to git@github.com:wikimedia/mediawiki-extensions-Mantle org.eclipse.jgit.errors.TransportException: git@github.com:wikimedia/mediawiki-extensions-Mantle: push not permitted
Why can't wmfgerrit push to github? Repeat x1000 for like every repo we have on Github.
Is any effort being made to track or report this issue at GitHub? This not working hampers my development workflow, as I pull all of my repos from GitHub instead of from Gerrit, because it's (usually) much more reliable and faster.
Do manual pushes with the wmfgerrit account work? I.e.
git clone https://gerrit.wikimedia.org/r/pywikibot/core cd core git remote add github https://wmfgerrit@github.com/wikimedia/pywikibot-core git push github origin/master:master
the normal git client might report a more detailed error.
A few more things:
- one might want to check whether wmfgerrit actually has permissions to push to the repositories, via https://github.com/wikimedia/pywikibot-core/settings/collaboration
- new repositories are still being created: https://github.com/wikimedia -- but that might be using a different account?
Last, but not least: is this actively being worked on? It has been broken for over a week now, without any visible progress to a solution, even though this issue breaks many people's workflows.
In https://github.com/orgs/wikimedia/audit-log:
@Krinkle enabled third-party application access restrictions for the Wikimedia organization
https://help.github.com/articles/enabling-third-party-application-restrictions-for-your-organization/ says "Enabling third-party application restrictions will revoke organization access for all previously authorized applications and SSH keys. For more information, see "About third-party application restrictions.""
I disabled that and wmfgerrit is able to push now: https://github.com/wmfgerrit?tab=activity
I enabled this on purpose, knowing that any use of third-party applications would be automatically flagged. And Wikimedia GitHub admins can allow them from the dashboard without much friction or formal requests.
There was no flag or request in there of any kind. And besides, what third-party application workflow is Gerrit using? It has its own account (wmfgerrit) at GitHub, why would it delegating via OAuth to a separate third-party application that is not Gerrit?
Looks like either it's incorrectly triggering this restriction, or GitHub isn't exposing it.
https://help.github.com/articles/about-third-party-application-restrictions/ says:
- SSH keys created before February 2014 immediately lose access to the organization's resources (this includes user and deploy keys).
- SSH keys created by applications during or after February 2014 immediately lose access to the organization's resources.
I'm guessing that's what it ran into?
I know this has been marked as resolved, but it seems that the github mirror hasn't been updated still for phabricator-extensions-Sprint as it doesn't have this change for example - https://gerrit.wikimedia.org/r/#/c/186222/
After +2'ing https://gerrit.wikimedia.org/r/#/c/186953/ , the repository was synced, so I presume syncs are triggered by merging a patch.
OAuth got enabled again via {T234991} which again broke replication T240322: Gerrit replication to GitHub is broken :]
"OAuth restrictions" were enabled, which, if I understand correctly, effectively disables "OAuth" as used by Gerrit. Is that right?