... | ... | @@ -292,6 +292,30 @@ clone](https://gitlab.torproject.org/help/ci/pipelines/settings#limit-the-number |
|
|
|
|
|
See [howto/upgrades#gitlab-runner-upgrades](howto/upgrades#gitlab-runner-upgrades).
|
|
|
|
|
|
### CI templates checks failing on 403
|
|
|
|
|
|
If the `test` job in the [ci-templates](https://gitlab.torproject.org/tpo/tpa/ci-templates/) project fails with:
|
|
|
|
|
|
ERROR: failed to call API endpoint: 403 Client Error: Forbidden for url: https://gitlab.torproject.org/api/v4/projects/1156/ci/lint, is the token valid?
|
|
|
|
|
|
It's probably because the access token used by the job expired. To fix
|
|
|
this:
|
|
|
|
|
|
1. go to the project's [access tokens](https://gitlab.torproject.org/tpo/tpa/ci-templates/-/settings/access_tokens) page
|
|
|
|
|
|
2. select `Add new token` and make a token with the following
|
|
|
parameters:
|
|
|
|
|
|
* name: `tpo/tpa/ci-templates#17`
|
|
|
* expiration: "cleared" (will be one year)
|
|
|
* role: Maintainer
|
|
|
* scope: `api`
|
|
|
|
|
|
3. copy the secret and paste it in the [CI/CD](https://gitlab.torproject.org/tpo/tpa/ci-templates/-/settings/ci_cd) "Variables"
|
|
|
section, in the `GITLAB_PRIVATE_TOKEN` variable
|
|
|
|
|
|
See the [gitlab-ci.yml templates](#gitlab-ci-yml-templates) section for a discussion.
|
|
|
|
|
|
## Disaster recovery
|
|
|
|
|
|
Runners should be disposable: if a runner is destroyed, at most the
|
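Review bot: Step 3 of the renewal procedure says to paste the secret into the `GITLAB_PRIVATE_TOKEN` variable but does not say which variable settings to keep, which matters for a token created with the Maintainer role and `api` scope. Suggest stating that the variable must stay masked, and saying explicitly whether it should be protected, since the `test` job that reads it has to keep working. Two smaller points: `expiration: "cleared" (will be one year)` is hard to parse and could say outright that clearing the date field results in a one-year expiry, if that is what is meant; and the steps could end with how to confirm the fix (re-run the `test` job) and a reminder that the new token will expire again in a year.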
... | ... | @@ -740,6 +764,25 @@ It could eventually also run those services: |
|
|
built by GitLab runners and published on the GitLab server (or
|
|
|
elsewhere). this is a requirement to replace Jenkins
|
|
|
|
|
|
### gitlab-ci.yml templates
|
|
|
|
|
|
TPA offers a set of [CI templates](https://gitlab.torproject.org/tpo/tpa/ci-templates) files that can be used to do
|
|
|
tasks common to multiple projects. It is currently mostly used to
|
|
|
build websites and [deploy them to the static mirror system](service/static-shim) but
|
|
|
could be expanded for other things.
|
|
|
|
|
|
Each template is validated through CI itself when changes are
|
|
|
proposed. This is done through a Python script shipped inside the
|
|
|
repository which assumes the `GITLAB_PRIVATE_TOKEN` variable contains
|
|
|
a valid access token with privileges (specifically `Maintainer` role
|
|
|
with `api` scope).
|
|
|
|
|
|
That access token is currently a project-level access token that needs
|
|
|
to be renewed yearly, see [tpo/tpa/ci-templates#17](https://gitlab.torproject.org/tpo/tpa/ci-templates/-/issues/17) for an incident
|
|
|
where that expired. Ideally, the ephemeral `CI_JOB_TOKEN` should be
|
|
|
useable for this, see [upstream gitlab-org/gitlab#438781](https://gitlab.com/gitlab-org/gitlab/-/issues/438781) for that
|
|
|
proposal.
|
|
|
|
|
|
## Issues
|
|
|
|
|
|
[File][] or [search][] for issues in our [GitLab issue
|
... | ... | |
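Review bot: The paragraph introducing `GITLAB_PRIVATE_TOKEN` says templates are validated "when changes are proposed" using a token with `Maintainer` role and `api` scope, but it does not say which pipelines can read that variable or why that level of privilege is required. Since the validation runs on proposed changes, suggest adding a sentence on who can trigger the job and how the variable is restricted, so readers can judge the exposure of a Maintainer-level token. The yearly renewal sentence would also benefit from a link back to the "CI templates checks failing on 403" procedure, which already links here. Minor: "useable" should be "usable".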