1#!/bin/bash -e 2# 3# Purpose: 4# This script is responsible for determining the owner of a gerrit 5# commit, verifying they are within an approved gerrit group, and 6# then updating gerrit with that verification info. 7# 8# Note: It is assumed this script is run as a part of a jenkins job triggered 9# by the gerrit plugin. Therefore it assumes certain env variables 10# provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...) 11# 12# Required Inputs: 13# SSH_KEY: Path to private ssh key used to post messages to gerrit 14 15GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org" 16GERRIT_SSH_CMD=( \ 17 ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \ 18 -p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \ 19) 20 21echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}" 22 23# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit. 24COMMITTER_EMAIL=$(${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/revisions/${GERRIT_PATCHSET_REVISION}/commit | python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['committer']['email'])") 25if [ "${COMMITTER_EMAIL}" = "" ]; then 26 echo "Unable to find committer." 27 "${GERRIT_SSH_CMD[@]}" review \ 28 "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ 29 --ok-to-test=0 "--message='Unable to determine committer'" 30 exit 1 31fi 32 33#echo "Commit by '${COMMITTER_EMAIL}'" 34# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit. 35COMMITTER_USERNAME=$(${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL} | python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['username'])") 36#COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL}` 37echo "USERNAME: $COMMITTER_USERNAME" 38if [ "${COMMITTER_USERNAME}" = "" ]; then 39 echo "Unable to determine github user for ${COMMITTER_EMAIL}." 40 "${GERRIT_SSH_CMD[@]}" review \ 41 "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ 42 --ok-to-test=0 "--message='Unable to determine github user'" 43 exit 1 44fi 45 46# Reset the vote to 0 so jenkins will detect a new +1 on retriggers 47"${GERRIT_SSH_CMD[@]}" review \ 48 "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ 49 --ok-to-test=0 -t autogenerated:jenkins --notify=NONE 50 51# Add reviewers based on OWNERS files. 52"${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers | 53{ 54 while read -r reviewer ; 55 do 56 # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit. 57 ${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \ 58 -X POST \ 59 -H "Content-Type: application/json" \ 60 -d "$reviewer" || true 61 done 62} || true 63 64# Write full list of users to a file 65GERRIT_CI_GROUPS=( \ 66 alibaba/ci-authorized \ 67 amd/ci-authorized \ 68 ami/ci-authorized \ 69 ampere/ci-authorized \ 70 arm/ci-authorized \ 71 aspeed/ci-authorized \ 72 bytedance/ci-authorized \ 73 code-construct/ci-authorized \ 74 depo/ci-authorized \ 75 erg/ci-authorized \ 76 facebook/ci-authorized \ 77 fii/ci-authorized \ 78 gager-in/ci-authorized \ 79 google/ci-authorized \ 80 hcl/ci-authorized \ 81 hpe/ci-authorized \ 82 ibm/ci-authorized \ 83 individual/ci-authorized \ 84 inspur/ci-authorized \ 85 intel/ci-authorized \ 86 inventec/ci-authorized \ 87 lenovo/ci-authorized \ 88 nineelements/ci-authorized \ 89 nuvoton/ci-authorized \ 90 nvidia/ci-authorized \ 91 openbmc/ci-authorized \ 92 pcpartner/ci-authorized \ 93 phytium/ci-authorized \ 94 quanta/ci-authorized \ 95 quic/ci-authorized \ 96 rcs/ci-authorized \ 97 supermicro/ci-authorized \ 98 wistron/ci-authorized \ 99 wiwynn/ci-authorized \ 100 yadro/ci-authorized \ 101) 102 103rm -f "$WORKSPACE/users.txt" 104for g in "${GERRIT_CI_GROUPS[@]}"; do 105 "${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \ 106 >> "$WORKSPACE/users.txt" 107done 108 109# grep for the specific username word in the file 110if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then 111 "${GERRIT_SSH_CMD[@]}" review \ 112 "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ 113 --ok-to-test=1 -t autogenerated:jenkins --notify=NONE \ 114 "--message='User approved, CI ok to start'" 115 116 # Immediately erase the score to prevent infinite triggers. 117 "${GERRIT_SSH_CMD[@]}" review \ 118 "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ 119 --ok-to-test=0 -t autogenerated:jenkins --notify=NONE 120 121 exit 0 122fi 123 124echo "${COMMITTER_USERNAME} is not on the approved list." 125"${GERRIT_SSH_CMD[@]}" review \ 126 "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \ 127 --ok-to-test=0 -t autogenerated:jenkins \ 128 "--message='User not approved, see admin, no CI'" 129 130exit 0 131