Comments (9)
@michaelsauter - Part of this is also the shared lib fix of Image labels
from ods-core.
Can you please explain the shared lib fix of image labels in more detail?
from ods-core.
@ungerts See opendevstack/ods-jenkins-shared-library#65.
from ods-core.
@ungerts fixed now?
from ods-core.
@ungerts - where is this fix? @stitakis - do you remember? .. this one we need badly? .. and I remember to have seen it?!
from ods-core.
I don't know of anything that enforced a link to a Jira ticket. What "fix" are you referring to?
from ods-core.
So there is a plugin - https://github.com/sford/yet-another-commit-checker that allows exactly this ... we should take a look at it.
from ods-core.
I can't remember that I looked into this. Sorry!
The plugin description looks promising and it is available for installation in the Atlassian Marketplace.
Apart from it I found 2 commercial plugins that we could consider (also available over the Atlassian Marketplace):
- Jira Hook for BitBucket: https://devopssystems.atlassian.net/wiki/spaces/JHFS/overview
- Better Commit Policy for BB: https://www.midori-global.com/products/better-commit-policy-for-bitbucket/server/
from ods-core.
Alright, I have been thinking about this one :)
At the most basic level, we want every commit to have a reference to a Jira ticket. So the obvious thing would be to have a Jira ID somewhere in every commit message. E.g. for a project `FOO`, we have `FOO-123` in a commit message to express that this commit relates to issue `123`. Using the branch name as a reference is not an option - while Jira can do the connection while the branch exists, the commit may end up on other branches and we cannot trace it any longer.
Anyway - if we have the Jira ticket in the commit message, we can simply add a check in the shared library that fails if there is no reference. This would be very similar to the "ci skip feature", so should be trivial to implement.
However, I see the following problems with above approach:
- There's an initial commit, which has no ticket reference. I think we need to exclude that commit from the check (probably by checking if there is a parent, e.g. `git show --no-patch --format="%P" <commit hash>`).
- There might be merge commits, which have no ticket reference either. Merge commits might exist because PRs are not merged with `--ff-only` or if one re-integrates e.g. release branches with the main development branch. The easiest solution I see here is to exclude merge commits (also via `git show --no-patch --format="%P" <commit hash>` - if there are two parents, it's a merge). Right now I don't see a way to prevent that someone sneaks in unwanted changes into a merge commit, without disallowing merges. Doing that would work when fast-forward is enforced, but it would mean that re-integration must be done via cherry-picking, which is cumbersome.
- There are automated commits in the orchestration pipeline, and they also have no ticket reference. As far as I am aware, there are three types of automated commits right now: 1) exporting OpenShift resources, 2) writing of the deployment descriptor and 3) re-integration into the main branch. Personally, I believe that (1) has no place in a compliant environment: it basically defeats the whole purpose of enforcing a Jira ticket reference. If you want traceability, you cannot sneak changes to your "infrastructure" in without telling who did what exactly when and for which reasons. This commit does not happen if you define infra yourself, so right now I see this as a requirement if you want to enforce traceability. (2) is a tricky problem - maybe it would have been better to store the image SHAs outside the repo (e.g. Nexus). For now the only solution I see is excluding this specific commit from the check, which suffers the same traceability issues mentioned above. Finally, (3) is a merge commit and would be already solved by excluding merge commits as suggested earlier.
With that said, we might give this approach (verify every commit, but have exclusions for all problems outlined above) a shot in our next initiative. Then we can gather some real-world experience how much pain enforcing this really is.
FYI @clemensutschig @stitakis @martsec @metmajer @renedupont
from ods-core.
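A sketch of the check proposed in the comment above, as an added example that is not part of the thread and not code from the ODS shared library. It applies the three exclusions (initial commit, merge commits, automated commits) to records built from the `%P` parent list; the `[automated] ` subject prefix, the function names and the sample history are assumptions, and only the subject line is searched for the ticket key.

```shell
#!/bin/sh
# Added example, not ODS shared-library code. Records are
# "<hash>|<parents>|<subject>", e.g. from: git log --format='%H|%P|%s' <range>
PROJECT_KEY="FOO"                 # Jira project key, as in the FOO-123 example
AUTOMATED_PREFIX="[automated] "   # hypothetical marker for pipeline commits

# classify_commit PARENTS SUBJECT
# Prints one of: skip-root | skip-merge | skip-automated | ok | missing
classify_commit() {
  cc_parents=$1
  cc_subject=$2
  set -- $cc_parents              # word-split to count parent hashes
  if [ "$#" -eq 0 ]; then echo skip-root; return 0; fi    # initial commit
  if [ "$#" -ge 2 ]; then echo skip-merge; return 0; fi   # merge commit
  case $cc_subject in
    "$AUTOMATED_PREFIX"*) echo skip-automated; return 0 ;;
  esac
  # Require the key as a whole token, so BARFOO-7 does not count as FOO-7.
  if printf '%s\n' "$cc_subject" |
     grep -Eq "(^|[^A-Za-z0-9])${PROJECT_KEY}-[0-9]+([^0-9]|\$)"; then
    echo ok
  else
    echo missing
  fi
}

# check_commits: read records on stdin, list offenders, return 1 if any.
check_commits() {
  cc_failed=0
  while IFS='|' read -r cc_hash cc_par cc_subj; do
    if [ "$(classify_commit "$cc_par" "$cc_subj")" = missing ]; then
      echo "no ${PROJECT_KEY} ticket reference: $cc_hash $cc_subj"
      cc_failed=1
    fi
  done
  return "$cc_failed"
}

# Constructed sample history, not taken from a real repository.
sample_log() {
  cat <<'EOF'
1111111||Initial commit
2222222|1111111|FOO-123: add health endpoint
3333333|2222222|fix typo in README
4444444|2222222 3333333|Merge branch 'release/1.0'
5555555|4444444|[automated] write deployment descriptor
6666666|5555555|Bump deps, see BARFOO-7
EOF
}
```

Running `sample_log | check_commits` reports commits `3333333` and `6666666` and exits non-zero. The merge and automated commits pass unchecked, which is the traceability gap the comment describes for those exclusions.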