Page MenuHomePhabricator
Create Task
Maniphest T87248

Gerrit replication to Github stalled
Closed, ResolvedPublic
Actions

Description

The commit https://gerrit.wikimedia.org/r/#/c/185989/ has still not been merged to github (https://github.com/wikimedia/mediawiki-extensions-Comments/commits/master)

https://github.com/wmfgerrit?tab=activity

Related Objects

Event Timeline

UltrasonicNXT created this task.Jan 20 2015, 6:40 PM
UltrasonicNXT raised the priority of this task from to Needs Triage.
UltrasonicNXT updated the task description. (Show Details)
UltrasonicNXT added projects: Continuous-Integration-Infrastructure, MediaWiki-extensions-Comments.
UltrasonicNXT subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 20 2015, 6:40 PM
UltrasonicNXT added subscribers: matmarex, MarkTraceur.Jan 20 2015, 6:40 PM
MarkTraceur set Security to None.Jan 20 2015, 7:56 PM
MarkTraceur added a subscriber: demon.
Legoktm edited projects, added Gerrit; removed Continuous-Integration-Infrastructure.Jan 20 2015, 8:32 PM
Legoktm subscribed.Jan 20 2015, 9:35 PM

Judging by https://github.com/wmfgerrit?tab=activity it appears all replication to github is broken.

Legoktm renamed this task from Merged commit not mirrored to Github to Gerrit replication to Github stalled.Jan 20 2015, 9:35 PM
Legoktm updated the task description. (Show Details)
demon added a comment.Jan 20 2015, 9:42 PM

The heck?

[2015-01-20 21:39:51,100] ERROR com.googlesource.gerrit.plugins.replication.ReplicationQueue : Cannot replicate to git@github.com:wikimedia/mediawiki-extensions-Mantle
org.eclipse.jgit.errors.TransportException: git@github.com:wikimedia/mediawiki-extensions-Mantle: push not permitted

Why can't wmfgerrit push to github? Repeat x1000 for like every repo we have on Github.

demon claimed this task.Jan 20 2015, 9:43 PM
demon triaged this task as Unbreak Now! priority.
greg subscribed.Jan 20 2015, 10:08 PM
Aklapper added a project: Social-Tools.Jan 21 2015, 2:35 AM
Legoktm removed projects: Social-Tools, MediaWiki-extensions-Comments.Jan 21 2015, 5:24 AM
fbstj mentioned this in T87311: No update at github.Jan 21 2015, 10:29 AM
jayvdb merged a task: T87311: No update at github.Jan 21 2015, 2:51 PM
jayvdb added subscribers: fbstj, hashar, siebrand and 3 others.
hashar unsubscribed.Jan 21 2015, 3:26 PM
Krenair subscribed.Jan 21 2015, 11:48 PM
adrianheine subscribed.Jan 22 2015, 11:39 AM
llbraughler subscribed.Jan 24 2015, 2:17 AM
zhaofengli subscribed.Jan 24 2015, 3:03 AM
Krenair mentioned this in T86773: Disable storage workflow check for schema in SprintQuery (SprintDAO-LiskDAO).Jan 26 2015, 3:30 PM
cpa199 subscribed.Jan 26 2015, 3:31 PM
siebrand unsubscribed.Jan 26 2015, 10:10 PM
siebrand subscribed.
siebrand added a comment.Jan 26 2015, 11:09 PM

Is it possible to get an update on the status of this issue?

Nikerabbit subscribed.Jan 26 2015, 11:09 PM
demon added a comment.Jan 26 2015, 11:22 PM

I don't know what broke. I blame Github's side, we changed nothing on Gerrit.

siebrand added a comment.Jan 26 2015, 11:31 PM

Is any effort being made to track or report this issue at GitHub? This not working hampers my development workflow, as I pull all of my repos from GitHub instead of from Gerrit, because it's (usually) much more reliable and faster.

JanZerebecki subscribed.Jan 28 2015, 12:12 PM
valhallasw subscribed.Jan 28 2015, 12:28 PM

Do manual pushes with the wmfgerrit account work? I.e.

git clone https://gerrit.wikimedia.org/r/pywikibot/core
cd core
git remote add github https://wmfgerrit@github.com/wikimedia/pywikibot-core
git push github origin/master:master

the normal git client might report a more detailed error.

XZise subscribed.Jan 28 2015, 12:34 PM
valhallasw added a comment.EditedJan 28 2015, 12:37 PM

A few more things:

Last, but not least: is this actively being worked on? It has been broken for over a week now, without any visible progress to a solution, even though this issue breaks many people's workflows.

Legoktm added a comment.Jan 28 2015, 2:44 PM
In T87248#998098, @valhallasw wrote:

Yup, that's using a different script and account.

Legoktm added a subscriber: Krinkle.Jan 28 2015, 2:48 PM

In https://github.com/orgs/wikimedia/audit-log:

@Krinkle enabled third-party application access restrictions for the Wikimedia organization

https://help.github.com/articles/enabling-third-party-application-restrictions-for-your-organization/ says "Enabling third-party application restrictions will revoke organization access for all previously authorized applications and SSH keys. For more information, see "About third-party application restrictions.""

Legoktm added a comment.Jan 28 2015, 2:50 PM
In T87248#998289, @Legoktm wrote:

https://help.github.com/articles/enabling-third-party-application-restrictions-for-your-organization/ says "Enabling third-party application restrictions will revoke organization access for all previously authorized applications and SSH keys. For more information, see "About third-party application restrictions.""

I disabled that and wmfgerrit is able to push now: https://github.com/wmfgerrit?tab=activity

Legoktm closed this task as Resolved.Jan 28 2015, 2:51 PM
Krinkle added a comment.Jan 28 2015, 6:32 PM

I enabled this on purpose, knowing that any use of third-party applications would be automatically flagged. And Wikimedia GitHub admins can allow them from the dashboard without much friction or formal requests.

There was no flag or request in there of any kind. And besides, what third-party application workflow is Gerrit using? It has its own account (wmfgerrit) at GitHub, why would it delegating via OAuth to a separate third-party application that is not Gerrit?

Looks like either it's incorrectly triggering this restriction, or GitHub isn't exposing it.

Legoktm added a comment.Jan 28 2015, 7:00 PM

https://help.github.com/articles/about-third-party-application-restrictions/ says:

  • SSH keys created before February 2014 immediately lose access to the organization's resources (this includes user and deploy keys).
  • SSH keys created by applications during or after February 2014 immediately lose access to the organization's resources.

I'm guessing that's what it ran into?

cpa199 added a comment.Jan 29 2015, 9:34 AM

I know this has been marked as resolved, but it seems that the github mirror hasn't been updated still for phabricator-extensions-Sprint as it doesn't have this change for example - https://gerrit.wikimedia.org/r/#/c/186222/

Xqt added a comment.Jan 29 2015, 6:18 PM

Same vor pywikibot-i18n

valhallasw added a comment.Jan 29 2015, 6:28 PM

After +2'ing https://gerrit.wikimedia.org/r/#/c/186953/ , the repository was synced, so I presume syncs are triggered by merging a patch.

demon added a comment.Jan 29 2015, 11:12 PM

I'll kick off replication of everything in that case.

demon added a comment.Jan 29 2015, 11:15 PM

Started (see P242). Should take an hour or so to all catch up.

demon added a comment.Jan 29 2015, 11:17 PM

An hour? More like done except a couple of busted repos which is unrelated to this.

cpa199 added a comment.Jan 30 2015, 9:22 AM

Many thanks for that, I can see that it has been updated indeed.

hashar added a comment.Dec 10 2019, 10:11 AM

OAuth got enabled again via {T234991} which again broke replication T240322: Gerrit replication to GitHub is broken :]

Krinkle reopened this task as Open.Dec 12 2019, 1:43 AM
Krinkle added a subscriber: hashar.
In T87248#5727388, @hashar wrote:

OAuth got enabled again via T234991 …

"OAuth restrictions" were enabled, which, if I understand correctly, effectively disables "OAuth" as used by Gerrit. Is that right?

Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptDec 12 2019, 1:43 AM
Jdforrester-WMF closed this task as Resolved.Dec 17 2019, 11:20 AM
Jdforrester-WMF subscribed.
In T87248#5734391, @Krinkle wrote:
In T87248#5727388, @hashar wrote:

OAuth got enabled again via T234991 …

"OAuth restrictions" were enabled, which, if I understand correctly, effectively disables "OAuth" as used by Gerrit. Is that right?

Please open a new task. This one has been resolved since 2015.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits