[Intel-gfx] [PATCH 2/2] dim: sign pull-request tags if the GPG key is configured

Sean Paul seanpaul at chromium.org
Mon Sep 11 15:17:12 UTC 2017 

On Mon, Sep 11, 2017 at 9:16 AM, Jani Nikula <jani.nikula at intel.com> wrote:
> Add new environment variable $DIM_GPG_KEYID for configuring the GPG key
> ID of the key to use for signing tags for pull requests. The tags will
> be signed if the key ID is set, otherwise annotated tags will be used
> like before.
>
> The drm-intel-testing tags are left unsigned, at least for now.
>
> Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
> Cc: Joonas Lahtinen <joonas.lahtinen at linux.intel.com>
> Cc: Rodrigo Vivi <rodrigo.vivi at intel.com>
> Cc: Sean Paul <seanpaul at chromium.org>
> Signed-off-by: Jani Nikula <jani.nikula at intel.com>
>
> ---
>
> BEWARE OF THE LEOPARD! I didn't actually test this. I will try it when I
> need to tag something next.
>

Just comment out git push and test this?

Sean

> We should probably also add verification to dim apply-pull.
> ---
>  dim     |  9 ++++++---
>  dim.rst | 11 +++++++++++
>  2 files changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/dim b/dim
> index 23dfccb5513d..4d7864d8f450 100755
> --- a/dim
> +++ b/dim
> @@ -70,6 +70,9 @@ DIM_TEMPLATE_SIGNATURE=${DIM_TEMPLATE_SIGNATURE:-$HOME/.dim.template.signature}
>  # dim pull-request tag summary template
>  DIM_TEMPLATE_TAG_SUMMARY=${DIM_TEMPLATE_TAG_SUMMARY:-$HOME/.dim.template.tagsummary}
>
> +# GPG key id for signing tags. If unset, don't sign.
> +DIM_GPG_KEYID=${DIM_GPG_KEYID:+-u $DIM_GPG_KEYID}
> +
>  #
>  # Internal configuration.
>  #
> @@ -1549,7 +1552,7 @@ function dim_update_next_continue
>                 tag_testing="drm-intel-testing-$today-$((++suffix))"
>         done
>
> -       $DRY git tag -a $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
> +       $DRY git tag -a $DIM_GPG_KEYID $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
>         git push $DRY_RUN $DIM_DRM_INTEL_REMOTE $tag
>
>         echo "Updating drm-intel-testing to latest drm-tip"
> @@ -1589,7 +1592,7 @@ function dim_tag_next
>                         tag="drm-intel-next-$today-$((++suffix))"
>                 done
>
> -               $DRY git tag -a $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
> +               $DRY git tag -a $DIM_GPG_KEYID $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
>                 git push $DRY_RUN $DIM_DRM_INTEL_REMOTE $tag
>         else
>                 echo "drm-intel-next not up-to-date, aborting"
> @@ -1650,7 +1653,7 @@ function dim_pull_request
>                 done
>                 gitk "$branch@{upstream}" ^$upstream &
>                 prep_pull_tag_summary | $DRY git tag -F- $tag "$branch@{upstream}"
> -               $DRY git tag -a -f $tag
> +               $DRY git tag -a $DIM_GPG_KEYID -f $tag
>                 $DRY git push $remote $tag
>                 prep_pull_mail $req_file $tag
>
> diff --git a/dim.rst b/dim.rst
> index 7aacc4e776e2..65e652e8bc75 100644
> --- a/dim.rst
> +++ b/dim.rst
> @@ -349,6 +349,8 @@ recipients already set.
>  Since the tag for the *branch* is date based, the pull request can be
>  regenerated with the same commands if something goes wrong.
>
> +The tag will be signed using the key specified by \$DIM_GPG_KEYID, if set.
> +
>  pull-request-fixes [*upstream*]
>  -------------------------------
>  **pull-request** shorthand for *drm-intel-fixes* as the branch and
> @@ -391,6 +393,8 @@ opened.
>  Also checks that the drm-intel-fixes|-next-queued are fully
>  merged into drm-tip to avoid operator error.
>
> +The tag will be signed using the key specified by \$DIM_GPG_KEYID, if set.
> +
>  update-next-continue
>  --------------------
>
> @@ -405,6 +409,8 @@ remote is up-to-date. Useful if drm-intel-next has been changed since the last
>  run of the update-next command (e.g. to apply a hotfix before sending out the
>  pull request).
>
> +The tag will be signed using the key specified by \$DIM_GPG_KEYID, if set.
> +
>  DIM HELP COMMANDS
>  =================
>
> @@ -498,6 +504,11 @@ DIM_TEMPLATE_TAG_SUMMARY
>  -------------------------
>  Path to a file containing the template for dim pull-request tag summaries.
>
> +DIM_GPG_KEYID
> +-------------
> +GPG key ID to use for signing tags. If set, tags will be signed. If unset, the
> +default, tags will not be signed.
> +
>  dim_alias_<alias>
>  -----------------
>  Make **<alias>** an alias for the subcommand defined as the value. For example,
> --
> 2.11.0
>

More information about the Intel-gfx mailing list