vault

mirrors/vault

Fork 0

mirror of https://github.com/hashicorp/vault.git synced 2025-08-11 17:17:01 +02:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Ryan Cragun	d595a95c01	[VAULT-37096] pipeline(github): add `github copy pr` command (#31095 ) After the merge workflow has been reversed and branches hosted in `hashicorp/vault` are downstream from community branches hosted in `hashicorp/vault-enterprise`, most contributions to the source code will originate in `hashicorp/vault-enterprise` and be backported to a community branch in hosted in `hashicorp/vault-enterprise`. These community branches will be considered the primary source of truth and we'll automatically push changes from them to mirrors hosted in `hashicorp/vault`. This workflow ought to yield a massive efficiency boost for HashiCorp contributors with access to `hashicorp/vault-enterprise`. Before the workflow would look something like: - Develop a change in vault-enterprise - Manually extract relevant changes from your vault-enterprise branch into a new community vault branch. - Add any stubs that might be required so as to support any enterprise only changes. - Get the community change reviewed. If changes are necessary it often means changing and testing them on both the enteprise and community branches. - Merge the community change - Wait for it to sync to enterprise - Hope you changes have not broken the build. If they have, fix the build. - Update your enterprise branch - Get the enterprise branch reviewed again - Merge enterprise change - Deal with complicated backports. After the workflow will look like: - Develop the change on enterprise - Get the change reviewed - Address feedback and test on the same branch - Merge the change - Automation will extract community changes and create a community backport PR for you depending on changes files and branch activeness. - Automation will create any enterprise backports for you. - Fix any backport as necessary - Merge the changes - The pipeline will automatically push the changes to the community branch mirror hosted in hashicorp/vault. No more - Duplicative reviews - Risky merges - Waiting for changes to sync from community to enterprise - Manual decompistion of changes from enterprise and community - Doing the same PR 3 times - Dealing with a different backport process depending on which branches are active or not. These changes do come at cost however. Since they always originate from `vault-enterprise` only HashiCorp employees can take advatange of the workflow. We need to be able to support community contributions that originate from the mirrors but retain attribution. That's what this PR is designed to do. The community will be able to open a pull request as normal and have it reviewed as such, but rather than merging it into the mirror we'll instead copy the PR and open it against the corresponding enterprise base branch and have it merged it from there. The change will automatically get backported to the community branch if necessary, which eventually makes it back to the mirror in hashicorp/vault. To handle our squash merge workflow while retaining the correct attribution, we'll automatically create merge commits in the copied PR that include `Co-Authored-By:` trailers for all commit authors on the original PR. We also take care to ensure that the HashiCorp maitainers that approve the PR and/or are assigned to it are also assigned to the copied PR. This change is only the tooling to enable it. The workflow that drives it will be implemented in VAULT-34827. Signed-off-by: Ryan Cragun <me@ryan.ec>	2025-06-25 15:20:57 -06:00
Ryan Cragun	025a6d5071	[VAULT-34829] pipeline(backport): add `github create backport` command (#30713 ) Add a new `github create backport` sub-command that can create a backport of a given pull request. The command has been designed around a Github Actions workflow where it is triggered on a closed pull request event with a guard that checks for merges: ```yaml pull_request_target: types: closed jobs: backport: if: github.even.pull_request.merged runs-on: "..." ``` Eventually this sub-command (or another similar one) can be used to implemente backporting a CE pull request to the corresponding ce/* branch in vault-enterprise. This functionality will be implemented in VAULT-34827. This backport runner has several new behaviors not present in the existing backport assistant: - If the source PR was made against an enterprise branch we'll assume that we want create a CE backport. - Enterprise only files will be automatically _removed_ from the CE backport for you. This will not guarantee a working CE pull request but does quite a bit of the heavy lifting for you. - If the change only contains enterprise files we'll skip creating a CE backport. - If the corresponding CE branch is inactive (as defined in .release/versions.hcl) then we will skip creating a backport in most cases. The exceptions are changes that include docs, README, or pipeline changes as we assume that even active branches will want those changes. - Backport labels still work but _only_ to enterprise PR's. It is assumed that when the subsequent PRs are merged that their corresponding CE backports will be created. - Backport labels no longer include editions. They will now use the same schema as active versions defined .release/verions.hcl. E.g. `backport/1.19.x`. `main` is always assumed to be active. - The runner will always try and update the source PR with a Github comment regarding the status of each individual backport. Even if one attempt at backporting fails we'll continue until we've attempted all backports. Signed-off-by: Ryan Cragun <me@ryan.ec>	2025-05-23 14:02:24 -06:00
Ryan Cragun	cb321ce774	[VAULT-36201] pipeline(git): add Go git client (#30645 ) As I was working on VAULT-34829 it became clear that we needed to solve the problem of using Git from Go. Initially I tried to use the go-git/go-git pure Go implementation of Git, but it lacked several features that we needed. The next best option seemed to be shelling out to Git. What started as a simple way to execute Git commands with the requisite environment and configuration led to the implementation. A few notes: - I did not add support for all flags for the implemented sub-commands - I wanted it to handle automatic inject and configuration of PATs when operating against private remote repositories in Github. - I did not want to rely on the local machine having been configured. The client that is built in is capable of configuring everything that we need via environment variables. - I chose to go the environment variable route for configuration as it's the only way to not overwrite local configuration or set up our own cred store. As the git client ended up being ~50% of the work for VAULT-34829, I decided to extract it out into its own PR to reduce the review burden. NOTE: While we don't use it in CI, there is .golanci.yml present in the the tree and it causes problems in editors that expect it to be V2. As such I migrated it. Signed-off-by: Ryan Cragun <me@ryan.ec>	2025-05-16 12:41:31 -06:00

Ryan Cragun

d595a95c01

[VAULT-37096] pipeline(github): add github copy pr command (#31095 )

After the merge workflow has been reversed and branches hosted in
`hashicorp/vault` are downstream from community branches hosted in
`hashicorp/vault-enterprise`, most contributions to the source code
will originate in `hashicorp/vault-enterprise` and be backported to
a community branch in hosted in `hashicorp/vault-enterprise`. These
community branches will be considered the primary source of truth and
we'll automatically push changes from them to mirrors hosted in
`hashicorp/vault`.

This workflow ought to yield a massive efficiency boost for HashiCorp
contributors with access to `hashicorp/vault-enterprise`. Before the
workflow would look something like:
  - Develop a change in vault-enterprise
  - Manually extract relevant changes from your vault-enterprise branch
    into a new community vault branch.
  - Add any stubs that might be required so as to support any enterprise
    only changes.
  - Get the community change reviewed. If changes are necessary it often
    means changing and testing them on both the enteprise and community
    branches.
  - Merge the community change
  - Wait for it to sync to enterprise
  - *Hope you changes have not broken the build*. If they have, fix the
    build.
  - Update your enterprise branch
  - Get the enterprise branch reviewed again
  - Merge enterprise change
  - Deal with complicated backports.

After the workflow will look like:
  - Develop the change on enterprise
  - Get the change reviewed
  - Address feedback and test on the same branch
  - Merge the change
  - Automation will extract community changes and create a community
    backport PR for you depending on changes files and branch
    activeness.
  - Automation will create any enterprise backports for you.
  - Fix any backport as necessary
  - Merge the changes
  - The pipeline will automatically push the changes to the community
    branch mirror hosted in hashicorp/vault.

No more
 - Duplicative reviews
 - Risky merges
 - Waiting for changes to sync from community to enterprise
 - Manual decompistion of changes from enterprise and community
 - *Doing the same PR 3 times*
 - Dealing with a different backport process depending on which branches
   are active or not.

These changes do come at cost however. Since they always originate from
`vault-enterprise` only HashiCorp employees can take advatange of the
workflow. We need to be able to support community contributions that
originate from the mirrors but retain attribution.

That's what this PR is designed to do. The community will be able to
open a pull request as normal and have it reviewed as such, but rather
than merging it into the mirror we'll instead copy the PR and open it
against the corresponding enterprise base branch and have it merged it
from there. The change will automatically get backported to the
community branch if necessary, which eventually makes it back to the
mirror in hashicorp/vault.

To handle our squash merge workflow while retaining the correct
attribution, we'll automatically create merge commits in the copied PR
that include `Co-Authored-By:` trailers for all commit authors on the
original PR.

We also take care to ensure that the HashiCorp maitainers that approve
the PR and/or are assigned to it are also assigned to the copied PR.

This change is only the tooling to enable it. The workflow that drives
it will be implemented in VAULT-34827.

Signed-off-by: Ryan Cragun <me@ryan.ec>

2025-06-25 15:20:57 -06:00

Ryan Cragun

025a6d5071

[VAULT-34829] pipeline(backport): add github create backport command (#30713 )

Add a new `github create backport` sub-command that can create a
backport of a given pull request. The command has been designed around a
Github Actions workflow where it is triggered on a closed pull request
event with a guard that checks for merges:

```yaml
pull_request_target:
  types: closed

jobs:
  backport:
    if: github.even.pull_request.merged
    runs-on: "..."
```

Eventually this sub-command (or another similar one) can be used to
implemente backporting a CE pull request to the corresponding ce/*
branch in vault-enterprise. This functionality will be implemented in
VAULT-34827.

This backport runner has several new behaviors not present in the
existing backport assistant:
  - If the source PR was made against an enterprise branch we'll assume
    that we want create a CE backport.
  - Enterprise only files will be automatically _removed_ from the CE
    backport for you. This will not guarantee a working CE pull request
    but does quite a bit of the heavy lifting for you.
  - If the change only contains enterprise files we'll skip creating a
    CE backport.
  - If the corresponding CE branch is inactive (as defined in
    .release/versions.hcl) then we will skip creating a backport in most
    cases. The exceptions are changes that include docs, README, or
    pipeline changes as we assume that even active branches will want
    those changes.
  - Backport labels still work but _only_ to enterprise PR's. It is
    assumed that when the subsequent PRs are merged that their
    corresponding CE backports will be created.
  - Backport labels no longer include editions. They will now use the
    same schema as active versions defined .release/verions.hcl. E.g.
    `backport/1.19.x`. `main` is always assumed to be active.
  - The runner will always try and update the source PR with a Github
    comment regarding the status of each individual backport. Even if
    one attempt at backporting fails we'll continue until we've
    attempted all backports.

Signed-off-by: Ryan Cragun <me@ryan.ec>

2025-05-23 14:02:24 -06:00

Ryan Cragun

cb321ce774

[VAULT-36201] pipeline(git): add Go git client (#30645 )

As I was working on VAULT-34829 it became clear that we needed to solve
the problem of using Git from Go. Initially I tried to use the
go-git/go-git pure Go implementation of Git, but it lacked several
features that we needed.

The next best option seemed to be shelling out to Git. What started as a
simple way to execute Git commands with the requisite environment and
configuration led to the implementation.

A few notes:
- I did not add support for all flags for the implemented sub-commands
- I wanted it to handle automatic inject and configuration of PATs when
  operating against private remote repositories in Github.
- I did not want to rely on the local machine having been configured.
  The client that is built in is capable of configuring everything that
  we need via environment variables.
- I chose to go the environment variable route for configuration as it's
  the only way to not overwrite local configuration or set up our own
  cred store.

As the git client ended up being ~50% of the work for VAULT-34829, I
decided to extract it out into its own PR to reduce the review burden.

NOTE: While we don't use it in CI, there is .golanci.yml present in the
 the tree and it causes problems in editors that expect it to be V2. As
 such I migrated it.

Signed-off-by: Ryan Cragun <me@ryan.ec>

2025-05-16 12:41:31 -06:00

3 Commits