After a few releases, and now that I'm trying to help someone else to
take over in case it's needed, I found a roadblock.
Whoever is doing the release needs to have many permissions.
Otherwise, it doesn't make much sense for a person to take over release
responsibilities. For example, if Ondrej has to do 1.15.5, he would need
the following permissions (see at the end of the email).
Of course there are alternatives:
1 is to have the release nanny be supervised by people who have 'earned'
these permissions. This is a bad idea because some of the tasks just
cannot be 'supervised'. The nanny would have to ask someone to tag
repositories, modify Jenkins jobs, upload GPG signatures, post to the
mailing list, tag new builds in Koji…
2 is to extend http://ci.theforeman.org/view/Release%20pipeline/ and
make it a real pipeline from 0 to release completed. At this moment,
releases that are not the first RC1 are mostly automated by
My proposal is to go forward with 2. Give Jenkins permissions to do all
of the actions needed, and whoever is the release nanny, ideally only
has to make sure all of the steps are moving forward. If something
breaks, figure out how to fix it for the next release.
This would mean making a few extra jobs before and after the current
release pipeline. In my opinion, it's the way to go to ensure anyone can
take over this responsibility.
At this moment, we are in a situation where only people who
mostly have permissions everywhere can successfully do a release without
asking many people for favors.
Personally, if we complete this, I see it as a big win as it would dwarf
our bus factor for release managers & allow us to release at any pace we
desire (right now it's slow because we can't truly release things from
one day to the next due to the work involved).
Here's the list of permissions:
- Push in foreman, foreman-selinux, foreman-installer,
  smart-proxy, foreman-infra, foreman-packaging
- Allow to change the auto-update URL to point to latest -stable
- Create new “Found in Release” version
- Modify jobs
- Run jobs
- Create tags
- SSH access to update the mash scripts
- Create packages
- Tag builds
- Post to foreman-announce
- Merge access in theforeman.org
- Change IRC message
- Publish in Twitter, G+
Daniel Lobato Garcia