Continuous integration/Allow list

From mediawiki.org

All Zuul tests are limited to Gerrit users who have been manually added to the allow list of trusted users. This prevents a user from uploading malicious code as a patchset and having it executed on the continuous integration servers.

Not being on the list means that unit test failures or code style issues only get caught when a trusted user tries to test or merge the patch. The patch author's time is then wasted waiting for an extra code review cycle, even though the issues with their patch could easily have been detected by a machine without causing delay. (To some extent this can be mitigated by running the tests locally, but that's not always easy to do.)

Being on the list does not require a high level of trust, just that the user is not malicious. If you are preparing for a development-focused event such as a hackathon, please add participants beforehand.

The allow list is in layout.yaml. To add a user, add their primary Gerrit e-mail address to the list (in escaped format). An example patchset doing that is Gerrit change 353708.
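The following is an added example, not code from the page or from the Wikimedia CI configuration. It shows why the entry must be in escaped format, under two assumptions: that each entry is an anchored regular expression, and that the CI matches it against the Gerrit e-mail address with a regex search. All addresses and the helper names `allowlist_entry`, `lint_entry` and `is_trusted` are constructed for illustration.

```python
import re


def allowlist_entry(email):
    """Build an anchored, regex-escaped pattern that matches only `email`."""
    email = email.strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError(f"not a plain e-mail address: {email!r}")
    return "^" + re.escape(email) + "$"


def lint_entry(pattern):
    """Report the two common ways an entry can match more than intended."""
    problems = []
    if not (pattern.startswith("^") and pattern.endswith("$")):
        problems.append("unanchored")
    # A dot with no backslash before it and no quantifier after it is
    # almost always a literal dot that was left unescaped.
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        problems.append("unescaped dot")
    return problems


def is_trusted(email, patterns):
    """Assumed matching rule: a regex search of each pattern over the address."""
    return any(re.search(p, email) for p in patterns)


# Constructed sample entries: the raw address pasted in, and the escaped form.
WEAK = ["newdev@example.org"]
GOOD = [allowlist_entry("newdev@example.org")]

if __name__ == "__main__":
    lookalike = "newdev@exampleXorg.lookalike.test"  # constructed address
    for name, entries in (("raw", WEAK), ("escaped", GOOD)):
        print(name, entries, "problems:", [lint_entry(e) for e in entries])
        print("  intended user trusted:", is_trusted("newdev@example.org", entries))
        print("  lookalike trusted:   ", is_trusted(lookalike, entries))
```

A check like `lint_entry` can be run over a proposed change to the list before a reviewer approves it, since an over-broad entry silently widens who can run code on the CI servers.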

If you are on the list, you can force Zuul to run all tests on a patchset by adding a comment beginning with the word recheck in Gerrit.