#!/bin/bash -e # # Purpose: # This script is responsible for determining the owner of a gerrit # commit, verifying they are within an approved gerrit group, and # then updating gerrit with that verification info. # # Note: It is assumed this script is run as a part of a jenkins job triggered # by the gerrit plugin. Therefore it assumes certain env variables # provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...) # # Required Inputs: # SSH_KEY: Path to private ssh key used to post messages to gerrit GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc-project.xyz" GERRIT_SSH_CMD=( \ ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \ -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \ ) echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}" # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit. COMMITTER_EMAIL=$(${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/revisions/${GERRIT_PATCHSET_REVISION}/commit | python2 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['committer']['email'])") if [ "${COMMITTER_EMAIL}" = "" ]; then echo "Unable to find committer." "${GERRIT_SSH_CMD[@]}" review \ "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ --ok-to-test=0 "--message='Unable to determine committer'" exit 1 fi #echo "Commit by '${COMMITTER_EMAIL}'" # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit. COMMITTER_USERNAME=$(${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL} | python2 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['username'])") #COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL}` echo "USERNAME: $COMMITTER_USERNAME" if [ "${COMMITTER_USERNAME}" = "" ]; then echo "Unable to determine github user for ${COMMITTER_EMAIL}." "${GERRIT_SSH_CMD[@]}" review \ "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ --ok-to-test=0 "--message='Unable to determine github user'" exit 1 fi # Reset the vote to 0 so jenkins will detect a new +1 on retriggers "${GERRIT_SSH_CMD[@]}" review \ "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ --ok-to-test=0 -t autogenerated:jenkins --notify=NONE # Write full list of users to a file GERRIT_CI_GROUPS=( \ alibaba/ci-authorized \ amd/ci-authorized \ ami/ci-authorized \ ampere/ci-authorized \ arm/ci-authorized \ aspeed/ci-authorized \ bytedance/ci-authorized \ code-construct/ci-authorized \ erg/ci-authorized \ facebook/ci-authorized \ fii/ci-authorized \ gager-in/ci-authorized \ google/ci-authorized \ hcl/ci-authorized \ hpe/ci-authorized \ ibm/ci-authorized \ individual/ci-authorized \ inspur/ci-authorized \ intel/ci-authorized \ inventec/ci-authorized \ lenovo/ci-authorized \ nineelements/ci-authorized \ nuvoton/ci-authorized \ nvidia/ci-authorized \ openbmc/ci-authorized \ pcpartner/ci-authorized \ quanta/ci-authorized \ rcs/ci-authorized \ supermicro/ci-authorized \ wistron/ci-authorized \ wiwynn/ci-authorized \ yadro/ci-authorized \ ) rm -f "$WORKSPACE/users.txt" for g in "${GERRIT_CI_GROUPS[@]}"; do "${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \ >> "$WORKSPACE/users.txt" done # grep for the specific username word in the file if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then "${GERRIT_SSH_CMD[@]}" review \ "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ --ok-to-test=1 -t autogenerated:jenkins --notify=NONE \ "--message='User approved, CI ok to start'" # Immediately erase the score to prevent infinite triggers. "${GERRIT_SSH_CMD[@]}" review \ "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ --ok-to-test=0 -t autogenerated:jenkins --notify=NONE exit 0 fi echo "${COMMITTER_USERNAME} is not on the approved list." "${GERRIT_SSH_CMD[@]}" review \ "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ --ok-to-test=0 -t autogenerated:jenkins \ "--message='User not approved, see admin, no CI'" exit 0