[Qemu-devel] [PATCH v2] .travis.yml: Disable IRC build status updates from forks

[Qemu-devel] [PATCH v2] .travis.yml: Disable IRC build status updates from forks

[Pranith Kumar]

We want the travis build bot to post notifications on IRC only for the
master qemu repository and not the various forks/branches of
others. Currently there is no direct option to restrict the updates to
one repository. This is being worked upon by the developers and
tracked in https://github.com/travis-ci/travis-ci/issues/1094.

Until such time, we can use the workaround as posted in
ref. https://github.com/facebook/flow/pull/1822.

This basically creates an ecrypted string which decrypts to qemu IRC
channel only on "qemu/qemu" repo and not on the forks. This enables
the build bot to notify the IRC only for the main repo.

Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
CC: serge.fdrv@gmail.com
CC: peter.maydell@linaro.org
---
v2: Add comment about what the string is and how the string is generated

 .travis.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index c13881e..f30b10e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -34,10 +34,13 @@ addons:
       - sparse
       - uuid-dev
 
+# The channel name "irc.oftc.net#qemu" is encrypted against qemu/qemu
+# to prevent IRC notifications from forks. This was created using:
+# $ travis encrypt -r "qemu/qemu" "irc.oftc.net#qemu"
 notifications:
   irc:
     channels:
-      - "irc.oftc.net#qemu"
+      - secure: "F7GDRgjuOo5IUyRLqSkmDL7kvdU4UcH3Lm/W2db2JnDHTGCqgEdaYEYKciyCLZ57vOTsTsOgesN8iUT7hNHBd1KWKjZe9KDTZWppWRYVwAwQMzVeSOsbbU4tRoJ6Pp+3qhH1Z0eGYR9ZgKYAoTumDFgSAYRp4IscKS8jkoedOqM="
     on_success: change
     on_failure: always
 env:
-- 
2.9.0

Re: [Qemu-devel] [PATCH v2] .travis.yml: Disable IRC build status updates from forks

[Alex Bennée]

Pranith Kumar <bobby.prani@gmail.com> writes:

> We want the travis build bot to post notifications on IRC only for the
> master qemu repository and not the various forks/branches of
> others. Currently there is no direct option to restrict the updates to
> one repository. This is being worked upon by the developers and
> tracked in https://github.com/travis-ci/travis-ci/issues/1094.
>
> Until such time, we can use the workaround as posted in
> ref. https://github.com/facebook/flow/pull/1822.
>
> This basically creates an ecrypted string which decrypts to qemu IRC
> channel only on "qemu/qemu" repo and not on the forks. This enables
> the build bot to notify the IRC only for the main repo.
>
> Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
> CC: serge.fdrv@gmail.com
> CC: peter.maydell@linaro.org
> ---
> v2: Add comment about what the string is and how the string is generated
>
>  .travis.yml | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/.travis.yml b/.travis.yml
> index c13881e..f30b10e 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -34,10 +34,13 @@ addons:
>        - sparse
>        - uuid-dev
>
> +# The channel name "irc.oftc.net#qemu" is encrypted against qemu/qemu
> +# to prevent IRC notifications from forks. This was created using:
> +# $ travis encrypt -r "qemu/qemu" "irc.oftc.net#qemu"

Interesting. I didn't realise anyone outside the repository can still
create encrypted strings. I guess there is a repository secret that we
never see.

>  notifications:
>    irc:
>      channels:
> -      - "irc.oftc.net#qemu"
> +      - secure: "F7GDRgjuOo5IUyRLqSkmDL7kvdU4UcH3Lm/W2db2JnDHTGCqgEdaYEYKciyCLZ57vOTsTsOgesN8iUT7hNHBd1KWKjZe9KDTZWppWRYVwAwQMzVeSOsbbU4tRoJ6Pp+3qhH1Z0eGYR9ZgKYAoTumDFgSAYRp4IscKS8jkoedOqM="
>      on_success: change
>      on_failure: always
>  env:


--
Alex Bennée

Re: [Qemu-devel] [PATCH v2] .travis.yml: Disable IRC build status updates from forks

[Pranith Kumar]

On Tue, Jun 28, 2016 at 7:58 AM, Alex Bennée <alex.bennee@linaro.org> wrote:
>>
>> +# The channel name "irc.oftc.net#qemu" is encrypted against qemu/qemu
>> +# to prevent IRC notifications from forks. This was created using:
>> +# $ travis encrypt -r "qemu/qemu" "irc.oftc.net#qemu"
>
> Interesting. I didn't realise anyone outside the repository can still
> create encrypted strings. I guess there is a repository secret that we
> never see.

Yes, there is a per-repo private key which is not disclosed to anyone
and is used to decrypt this string. You can only have access to the
public key of the repo to create the encrypted string as above.

-- 
Pranith

Re: [Qemu-devel] [PATCH v2] .travis.yml: Disable IRC build status updates from forks

[Alex Bennée]

Pranith Kumar <bobby.prani@gmail.com> writes:

> On Tue, Jun 28, 2016 at 7:58 AM, Alex Bennée <alex.bennee@linaro.org> wrote:
>>>
>>> +# The channel name "irc.oftc.net#qemu" is encrypted against qemu/qemu
>>> +# to prevent IRC notifications from forks. This was created using:
>>> +# $ travis encrypt -r "qemu/qemu" "irc.oftc.net#qemu"
>>
>> Interesting. I didn't realise anyone outside the repository can still
>> create encrypted strings. I guess there is a repository secret that we
>> never see.
>
> Yes, there is a per-repo private key which is not disclosed to anyone
> and is used to decrypt this string. You can only have access to the
> public key of the repo to create the encrypted string as above.

Cool. Applied to travis/next.

Thanks.

--
Alex Bennée