This repo holds the Toolforge component configs for ClueBot-related tool accounts.
Reference: https://wikitech.wikimedia.org/wiki/Help:Toolforge/Deploy_your_tool.
We use the logic contained within fabfile.py: the component config is updated via SSH, then the deployment is triggered via HTTP.
Additional objects, such as the Ingress and NetworkPolicy objects, are handled via SSH.
Any changes to a tool's configuration are picked up via GitHub Actions and deployed using secrets contained at the GitHub org level.
Internal repos update the configuration on releases via a GitHub application, the key of which is contained at the GitHub org level (access granted per-repo).
Manual changes are essentially limited to new components, runtime resource changes, and object (Ingress/NetworkPolicy) changes.
- Ensure DamianZaremba Scripts has access via toolsadmin
- Create <tool>.yaml in the root with the relevant components
- Run fab create-workflows to create the GitHub Actions config
- Commit the files
- Have a cup of coffee

- Create the repo, grant it public access
- Edit the secret under the GitHub org to grant the repo access: CI_COMPONENT_CONFIGS_APP_KEY (CI_SSH_KEY is only needed for this repo and legacy repos)
- Create a deployment workflow which calls cluebotng/ci-update-component-ref
- ???
- Profit
Note: CI_SSH_KEY has literal SSH access to the tool accounts and thus to all the secrets; it should be highly restricted.
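
One way to check that the org-level secrets stay restricted per repo, as an added example that is not part of this repo's own code. It assumes the inputs are the JSON bodies returned by GitHub's REST endpoints for organization Actions secrets; the repository names and sample responses are constructed placeholders.

```python
# Inputs mirror GitHub's REST API responses:
#   GET /orgs/{org}/actions/secrets/{name}              -> secret metadata
#   GET /orgs/{org}/actions/secrets/{name}/repositories -> repos granted access

def audit_secret(secret, repos, allowed):
    """Return findings for one org secret; an empty list means it matches the allowlist."""
    name, visibility = secret["name"], secret.get("visibility")
    # "all" and "private" expose the secret to repos nobody explicitly chose.
    if visibility != "selected":
        return [f"{name}: visibility is {visibility!r}, expected 'selected'"]
    listed = repos.get("repositories", [])
    # A truncated (paginated) listing cannot prove the grant is restricted.
    if repos.get("total_count", len(listed)) > len(listed):
        return [f"{name}: repository list is incomplete, fetch all pages"]
    granted = {r["full_name"].lower() for r in listed}
    expected = {r.lower() for r in allowed}
    findings = [f"{name}: unexpected repo has access: {r}" for r in sorted(granted - expected)]
    findings += [f"{name}: expected repo lacks access: {r}" for r in sorted(expected - granted)]
    return findings

def audit_all(responses, allowlist):
    """Audit every secret in the allowlist; a secret with no response is itself a finding."""
    findings = []
    for name, allowed in allowlist.items():
        if name not in responses:
            findings.append(f"{name}: no API response supplied")
            continue
        secret, repos = responses[name]
        findings += audit_secret(secret, repos, allowed)
    return findings

# Constructed allowlist: repo names are placeholders, not the project's real repos.
ALLOWLIST = {
    "CI_SSH_KEY": {"cluebotng/example-component-configs"},
    "CI_COMPONENT_CONFIGS_APP_KEY": {"cluebotng/example-internal-repo"},
}
# Constructed API responses, trimmed to the fields the audit reads.
SAMPLE = {
    "CI_SSH_KEY": (
        {"name": "CI_SSH_KEY", "visibility": "selected"},
        {"total_count": 2, "repositories": [
            {"full_name": "cluebotng/example-component-configs"},
            {"full_name": "cluebotng/example-internal-repo"}]},
    ),
    "CI_COMPONENT_CONFIGS_APP_KEY": (
        {"name": "CI_COMPONENT_CONFIGS_APP_KEY", "visibility": "all"}, {}),
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE, ALLOWLIST):
        print(finding)
```

Run on a schedule with real API responses, any non-empty result means a secret is readable by a repo that was not deliberately granted access.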