mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-05 09:24:12 +01:00
5.5 KiB
5.5 KiB
Procedure for adding an official project to GitLab
Details
- Project name: my-example
- Type: MIGRATION or NEW PROJECT
- Current location: git.archlinux.org/my-example.git
New repo checklist
If you want to add a new official project, here are some guidelines to follow:
- Evaluate whether the project can sit in the official GitLab Arch Linux group or whether it needs its own group. It only needs its own group if the primary development group is somehow detached from Arch Linux and only losely related (for instance: pacman)
- After project creation (use the GitLab import function if you migrate a repo), add the responsible people to the project
in the Members page (https://gitlab.archlinux.org/archlinux/my-example/-/project_members)
and give them the
Developer
role. The idea is to let these people mostly manage their own project while not giving them enough permissions to be able to misconfigure the project. - If mirroring to github.com is desired, work through the GitHub.com mirroring checklist below and then return to this one.
- If the project needs a secure runner to build trusted artifacts, coordinate with the rest of the DevOps team and if found to be reasonable, assign a secure runner to a protected branch of the project.
- If a secure runner is used, create an MR to make sure the project's
.gitlab-ci.yml
specifiestags: secure
. - Make sure that the Push Rules in https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository
reflect these values:
Reject unverified users
:on
Reject unsigned commits
:on
Do not allow users to remove tags with git push
:on
Check whether author is a GitLab user
:on
Prevent pushing secret files
:on
- All of these should be activated by default as per group rules but it's good to check.
- The Protected Branches in https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository should specify
Allowed to merge
andAllowed to push
asDevelopers + Maintainers.
- Disable unneeded project features under Visibility, project features, permissions (https://gitlab.archlinux.org/archlinux/my-example/edit)
Always:
Users can request access
:off
Often, but not always:- Repository -> Container registry
- Repository -> Git Large File Storage (LFS)
- Repository -> Packages
- Analytics
- Requirements
- Security & Compliance
- Wiki
- Operations
GitHub.com mirroring checklist
GitLab side
- If you want to mirror your repository "my-example" from gitlab.archlinux.org to the github.com/archlinux organization, you should create an empty project for your project at github.com/archlinux/my-example or if that's an existing repository, make sure that the current histories of the source and target repository are exactly the same.
- Go to https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository and open
Mirroring repositories. Make sure it has these settings:
Git repository URL
:ssh://git@github.com/archlinux/my-example.git
Mirror direction
:Push
Authentication method
:SSH public key
Only mirror protected branches
:off
- Click
Mirror repository
. - A new entry will pop up which has a button titled
Copy SSH public key
. Click that to copy the public key to your clipboard.
GitHub side
- Log in with your primary GitHub account.
- Go to https://github.com/archlinux/my-example/settings/access and assign the
Admin
role to the GitHub accountarchlinux-github
. - Log in as the
archlinux-github
technical user. This is important as otherwise pushes won't be associated correctly. - Go to https://github.com/archlinux/my-example/settings/keys and add a new deploy key.
- Name it "gitlab.archlinux.org" so we know where it's from.
- Paste the public key you copied from GitLab earlier.
- Check
Allow write access
. - Click
Add key
. - Verify the push mirror works by clicking the
Update now
button. - In the repository settings on GitHub's side you should disable a few things to clean up the project page:
GitHub Actions
Wiki
Issues
Projects
- Go to https://github.com/archlinux/my-example/settings/hooks and add a new webhook
Payload URL
:$(misc/get_key.py misc/vaults/vault_github.yml github_pull_closer_webhook_url)
Content type
:application/json
Which events would you like to trigger this webhook?
Let me select individual events.
:Pull requests
- In the GitHub description of the mirrored project, append " (read-only mirror)" so that people know it's a mirror.
- Disable
Packages
andEnvironments
from being shown on the main page. - In the website field put the full url to the repository on our GitLab.
- Go to https://github.com/archlinux/my-example/settings/access and remove the GitHub account
archlinux-github
- Go to https://github.com/orgs/archlinux/teams/read-only-mirrors/repositories and add the repository with
write
permission