Differences between revisions 40 and 136 (spanning 96 versions)
Revision 40 as of 2018-01-05 22:48:49
Size: 10082
Editor: ?Ganneff
Comment:
Revision 136 as of 2020-08-23 18:37:21
Size: 11246
Comment: Link to SalsaCI team
Deletions are marked like this. Additions are marked like this.
Line 6: Line 6:
= Users: Login and Registration =
 * [[DebianDeveloper|Debian Developers]] can login with their Debian email address
  * you need to use your official Debian email address in order to gain specific permissions for Debian Developers
  * Use password recovery on https://salsa.debian.org/users/sign_in to get a password for your account. Please don't use
    your Debian password. Salsa has its own password database.
= Support =
<<Include(Salsa/support)>>
Line 12: Line 9:
 * everyone else can register an account with an implicitly added suffix {{{-guest}}}. There is a a self service
   webfrontend for doing so at https://signup.salsa.debian.org/
= Users =
Line 15: Line 11:
= Namespace concepts (Users, Teams) = Register an account at https://salsa.debian.org/users/sign_in#register-pane
Line 17: Line 13:
== Debian Developers == == Unused accounts for DD before May 2020 ==
Line 19: Line 15:
Debian Developers get synced every 6 hours from LDAP and retain their Debian login as salsa username. Before May 2020 all Debian Developers had accounts created for them using their Debian user name.
Accounts that had never been used and never had a password set are deactivated.
Those accounts can only be used after being activated properly.
Please use any of the [[Salsa/Doc#Support|support channels]].
After being reactivated a new password can be set via the [[https://salsa.debian.org/users/password/new|password reset]].
Line 21: Line 21:
== External Users ==

To avoid clash with the Debian LDAP Usernames, external users get a suffix of -guest to their username.

== Groups ==
= Groups =
Line 31: Line 27:
== Collaborative Maintenance: "Debian" group ==

The `debian` group is for CollaborativeMaintenance (the old `collab-maint` on [[Alioth]]). The group is accessible to all Debian developers by default, who are automatically added with `Maintainer` access levels.
Direct commits to repositories in the Debian group by any Debian developer are implicitly welcome. No pre-commit coordination (e.g. merge-request or mail) is expected.

External users (non-Debian Developers) need to request write access to repositories inside `debian` group from a Debian developer they know, or their sponsor. Access should be granted to single projects and not the whole Debian group.

Projects under `debian` group cannot be transferred or deleted by anyone except Salsa administrators. In case you need to delete a project or have it transferred out into other namespaces, please contact Salsa administrators via support channel. See [[#Support]] section for contact information.

== Canonical URLs ==

The canonical URLs for use in `debian/control` are:
{{{
Vcs-Browser: https://salsa.debian.org/<user-or-team>/<package>
Vcs-Git: https://salsa.debian.org/<user-or-team>/<package>.git
}}}
where `<user-or-team>` is
 * '''alice''' for DD Alice Developer <alice@debian.org>
 * '''bob-guest''' for non-DD Bob Coder <bobc@example.com>
 * '''debian''' for the Debian/ namespace (the equivalent to collab-maint on alioth)
 * '''foobar-team''' for the Foobar Packaging Team

You can instruct git to rewrite URLs into pushable ssh URLs:
{{{
git config --global url."git@salsa.debian.org:".pushInsteadOf "https://salsa.debian.org/"
}}}
This will work for all salsa repositories checked out via https:// URLs in the present, past or future.

You can also use a shortcut for all Salsa repositories:

{{{
git config --global url."git@salsa.debian.org:".insteadOf salsa:
}}}

This way you can use a shorter commandline like this:

{{{
git clone salsa:debian/htop
}}}
Line 33: Line 69:
A project = a repository.

You can create several projects in the same namespace (user or group).

Debian Developers are able to create projects in the Debian/ Namespace. It's the Salsa equivalent of 'collab-maint' on Alioth, and non-DDs (DMs or external contributors) need to be explicitly granted commit privileges for single projects.
In GitLab, a project is one Git repository, and each Git repository needs a project. You can create several projects in the same namespace (user or group).
Line 42: Line 74:
To do so, go the project settings → integrations → project services → email on push and configure the list of recipients you want to send emails to. To do so, go the project settings → integrations → project services → emails on push and configure the list of recipients you want to send emails to.
Line 46: Line 78:
Take into account that the current implementation sends a single mail per push with all commits lumped together, which makes it rather useless for any post-review workflow. This is tracked upstream at https://gitlab.com/gitlab-org/gitlab-ce/issues/19901.

= Information on manipulating bugs by email =

GitLab has quite a lot of [[https://docs.gitlab.com/ee/user/project/quick_actions.html|text commands aka "quick actions"]] which can be used when interacting with GitLab via email. Most things can be done via email by replying to the [[https://docs.gitlab.com/ee/workflow/notifications.html|email notifications]]. There are special email addresses for creating new [[https://docs.gitlab.com/ee/user/project/merge_requests/#create-new-merge-requests-by-email|merge requests]] and [[https://docs.gitlab.com/ee/user/project/issues/create_new_issue.html#new-issue-via-email|issues]] via email.
Line 47: Line 85:
== Irker ==
Line 52: Line 90:
 * Default IRC URI: irc://irc.oftc.net:6667/  * Default IRC URI: ircs://irc.oftc.net:6697/
Line 57: Line 95:
== KGB ==

KGB supports gitlab webhooks. To use the kgb instances provided by dam, tincho, and gregoa from salsa, set a webhook in your project:

{{{http://kgb.debian.net:9418/webhook/?channel=<irc-channel-name-without-#>}}}

For details, additional parameters, and helper scripts see the KGB documentation at https://salsa.debian.org/kgb-team/kgb/wikis/usage
Line 60: Line 106:
-> integrations" and add a URL (see below), then click save. No secret Webhooks" and add a URL (see below), then click save. No secret
Line 69: Line 115:
Replace SOURCENAME with the name of your sourcepackage and chose
either close or tagpending, depending on the action you want to get.
Replace SOURCENAME with the name of your source package and chose
either close or tag pending, depending on the action you want to get.
Line 72: Line 118:
= Hints for previous users of Alioth =
''Salsa'' provides services which partially replace some features of the former [[Alioth]] service. The following hints may help you to move your packaging collaboration effort from ''Alioth'' to ''Salsa''.
You can ignore a branch or pattern, say wip/*, by providing the
ignored-namespaces parameter. See the README in code for more details.
Line 75: Line 121:
Many [[Alioth]] features are (intentionally) not provided by the ''Salsa'' platform. You may want to take a look at the [[Sprints/2017/Alioth/MeetingMinutes|related discussion during a sprint]] for the detailed reasons for this decision. Code: https://salsa.debian.org/salsa/salsa-webhook.
Line 77: Line 123:
{{{#!wiki important
There is significant overlap between this section and the [[Alioth#Deprecation_of_Alioth]] documentation. Those should be merged, somehow. -- TheAnarcat <<DateTime(2017-09-23T18:41:36Z)>>
}}}
= Deployment keys =
Line 81: Line 125:
== Custom Hooks == For automating task FIXME
Line 83: Line 127:
For security reasons it is not allowed to run arbitrary custom hooks
on repositories. You may want to write yourself a webhook receiver and
put your custom actions into such a one.
= Runners =
Line 87: Line 129:
Alternatively you may use the common webhook receiver or even enhance
it with new features, see https://salsa.debian.org/salsa/webhook for
details on it.
Salsa provides [[https://docs.gitlab.com/ce/ci/runners/#shared-specific-and-group-runners|shared runners]] for all projects to use.
All jobs without more specific tags run within a privileged Docker container on one-time-use VM.
Outbound connections from the shared runner VMs are limited to http & https.
Line 91: Line 133:
== Import git repository == You may also add group runners for your group or specific runners and configure them for your project.
Line 93: Line 135:
This is currently done by hand but Christopher Berg's wrote a handy [[http://www.df7cb.de/blog/2017/Salsa_batch_import.html|batch import script]] that you can use to import your projects semi-automatically. Configuration files and tools are maintained by the [[Teams/SalsaCI|SalsaCI team]]
Line 95: Line 137:
== Import non-git version control repository ==
Only git repositories are supported by the ''Salsa'' platform.
= Web page hosting =
Line 98: Line 139:
You may want to take a look at the [[Sprints/2017/Alioth/MeetingMinutes/VCS|reasons for not supporting other version control systems]] within ''Salsa''.

== Import mailing list ==
''Salsa'' does not offer any mailinglist features on its own (see [[Sprints/2017/Alioth/MeetingMinutes/Mailinglists|discussion]]). There are, however, discussions about migrating the old Alioth lists in [[Alioth/MailingListContinuation]].

Some mailing lists that were formerly hosted on Alioth may be eligible for being hosted on [[https://lists.debian.org|lists.debian.org]]. The lists eligible for migration must follow the requirements outlined on the [[https://www.debian.org/MailingLists/HOWTO_start_list|"How to ask a mailing list" guide]]. The process is also the same as outlined on the guide.

The following kind of lists are probably acceptable for [[https://lists.debian.org|lists.debian.org]]:
 * The list is expected to be useful, to have a purpose and an audience.
 * Public discussion or support lists are probably OK.
 * Commit or bug notifications lists are not OK. You should use the dedicated features of gitlab instead. If you're interested in a package's bug, you're expected to subscribe to it using the [[http://bugs.debian.org/|BTS]] features.

Short version: file a bug on the [[https://bugs.debian.org/lists.debian.org|pseudo-package lists.debian.org]] with the severity 'wishlist', with the following information:
 * List Name
 * Rationale (why do you need this list, stating that you had one on Alioth is not enough!)
 * Short Description (for display in list indices)
 * Long Description (targeted to people that need to decide if they want to join)
 * Category

Lists migrated from Alioth are expected to be open, that is:
 * Open Subscription Policy (no closed lists)
 * Open Post Policy (anybody can post)
 * Open Archive

If you do want the archive and/or the subscribers to be imported into your new mailing list, please:
 * on alioth, using your ssh access, run 'sudo /usr/local/bin/export-list <mailing_list_name>' to get gzipped tar archive (on stdout) containing:
  * mbox file of the archive
  * subscribers list in simple text file
 * import the resulting mbox file in your favorite e-mail reader and clean the spam,
 * attach the compressed archive and/or the list of subscribers to your request.
 
Also, please understand that the requirements and features for lists on lists.debian.org are not the same as for a mailing list on Alioth, and the listmaster might reject your request. Lists.debian.org is not supposed to replace all mailing lists and aliases on Alioth.


== Import members of a team ==
It is not possible to transfer the members of an Alioth team to ''Salsa''. You will need to ask the members of your team to join your team on ''Salsa'' individually.

== Host project web pages ==
Gitlab offer the "Gitlab Pages" feature, and it is enabled on Salsa both as '''`https://pages.debian.net/<namespace>/<project>`''' or '''`http://<namespace>.pages.debian.net/<project>`'''
Gitlab offer the "Gitlab Pages" feature, and it is enabled on Salsa as '''`https://<namespace>.pages.debian.net/<project>`'''
Line 140: Line 143:
See https://docs.gitlab.com/ce/user/project/pages/index.html for a detailed documentation and HOWTOs. See [[https://docs.gitlab.com/ce/user/project/pages/|the official documentation]] for details. Note that hosting pages on arbitrary domains — whilst [[https://docs.gitlab.com/ee/user/project/pages/getting_started_part_three.html|supported by upstream]] — is not supported on Salsa due to lack of bandwidth within [[Teams/DSA|DSA]] to support that feature (see [[https://rt.debian.org/Ticket/Display.html?id=7045|RT #7045]]).
Line 142: Line 145:
 * '''''Note:''' there is no SSL for <namespace>.pages.debian.net, since Let's Encrypt doesn't provide wildcard certificates yet.'' [[ChrisLamb]] has created a number of [[https://lamby.pages.debian.net/salsa-ribbons/||Github-esque "fork me on Salsa" image ribbons]] that you can add to your site.
Line 144: Line 147:
Should you want to access the pages with your own domain name and your own certificate, it is possible via ''''Settings > Pages > New Domain'''' in your project. {{{#!wiki note
https://<namespace>.pages.debian.net should work, thanks to Let's Encrypt new [[https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html|wildcard certificate support]].
}}}
Line 146: Line 151:
=== Quick start === == Quick start ==
Line 148: Line 153:
 1. On your project Home, use '''`Set up CI`''' button  1. On your project Home, use '''`Set up CI/CD`''' button. (If your project is empty, select '''`New file`''' instead.)
Line 151: Line 156:
  * '''''Note:''' To limit the load on Runners, we limit the actual runs on projects tagged with "pages". So you need to add it to your .gitlab-ci.yml: '' {{{
  tags:
    - pages
 1. Push something to the repository. You will see there is a CI Job pending
 1. Wait a few minutes for the job to run. When it's '''`Passed`''' you can see your pages at https://<namespace>.pages.debian.net/<project>/)

{{{#!wiki important
Even though we plan to support simple page generators like Jekyll or Hugo in the future, in most cases, you should content yourself with the `HTML` template, and generate the pages locally to push them afterward, in order to save the resources on the runner. Some templates might require commands not available on the server anyway.
Line 155: Line 162:
 1. Push something to the repository. You will see there is a CI Job pending
 1. Wait a few minutes for the job to run. When it's '''`Passed`''' you can see your pages at https://pages.debian.net/<namespace>/project (or http://<namespace>.pages.debian.net/<project>/)
Line 158: Line 163:
  * '''''Note:''' Even though we plan to support simple page generators like Jekyll or Hugo in the future, in most cases, you should content yourself with the `HTML` template, and generate the pages locally to push them afterward, in order to save the resources on the runner. Some templates might require commands not available on the server anyway.''
  * '''''Note 2: We mean that. Really.''' Be nice to the server. At some point in the future we hope to add some dedicated Runners servers - Sponsors welcome! ;).''
{{{#!wiki important
'''We mean that. Really.''' Be nice to the server. ;)
}}}
Line 161: Line 167:
'''important''': (at least for static pages deployment) your artifacts must be stored in a directory named `public/`; if they are currently in a different location, use the `script` section in `.gitlab-ci.yml` to create that dir and copy the content there.
Line 164: Line 171:

== Hints for previous users of Alioth ==

See [[Salsa/AliothMigration]].

= API Usage Best practises =

 * if you want to know if a project exists, access the project by name, authenticated, if you get a 404 then it doesn't exists.
 * do not search for getting an id. If you need the id, access the project by name and use path-encoding https://docs.gitlab.com/ee/api/#namespaced-path-encoding
 * do not request all projects in a group unless you really have. If you really have to get the list, for i.e. looping, use simple=true (https://docs.gitlab.com/ee/api/groups.html#list-a-group-s-projects).
 * Implement proper pagination, please do not just requests a few hundreds elements per page
 * set an `User-Agent` header with information about the project; don't make requests with generic user agent headers
 * if you use a lib, ensure the lib does implement the api properly
 * do not run extensive jobs too often
 * please consider to use vcswatch or other data gathering projects
 * do not regularly poll things
 * if in doubt, talk to us before you code and talk to us before you put your code into production

= SSH Host Keys =

When connecting to Salsa to fetch or push a Git repo for the first time, it is essential to verify host's `ssh` keys. The keys for Salsa have been published as SSHFP DNS records as well as in the Debian [[https://db.debian.org/debian_known_hosts|known_hosts]] file. This is a one time operation. From now on ssh will trust the keys in the local `known_hosts` file.

Salsa Documentation

Salsa is a collaborative development platform within Debian.

Support

In case you encounter any problems with Salsa, to get support you may want to join us:

... they may help you.

Users

Register an account at https://salsa.debian.org/users/sign_in#register-pane

Unused accounts for DD before May 2020

Before May 2020 all Debian Developers had accounts created for them using their Debian user name. Accounts that had never been used and never had a password set are deactivated. Those accounts can only be used after being activated properly. Please use any of the support channels. After being reactivated a new password can be set via the password reset.

Groups

Users and Group share the same namespace. To prevent clashes with usernames we enforce groups to a '-team' suffix, with the exception being the 'Debian' group, of which all Debian Developers are members.

To create a group, log in and go to the team registration page. There is also a link to it from the registration page: if you're not logged in yet, you will be asked to do so and be redirected afterwards.

Collaborative Maintenance: "Debian" group

The debian group is for CollaborativeMaintenance (the old collab-maint on Alioth). The group is accessible to all Debian developers by default, who are automatically added with Maintainer access levels. Direct commits to repositories in the Debian group by any Debian developer are implicitly welcome. No pre-commit coordination (e.g. merge-request or mail) is expected.

External users (non-Debian Developers) need to request write access to repositories inside debian group from a Debian developer they know, or their sponsor. Access should be granted to single projects and not the whole Debian group.

Projects under debian group cannot be transferred or deleted by anyone except Salsa administrators. In case you need to delete a project or have it transferred out into other namespaces, please contact Salsa administrators via support channel. See #Support section for contact information.

Canonical URLs

The canonical URLs for use in debian/control are:

Vcs-Browser: https://salsa.debian.org/<user-or-team>/<package>
Vcs-Git: https://salsa.debian.org/<user-or-team>/<package>.git

where <user-or-team> is

  • alice for DD Alice Developer <alice@debian.org>

  • bob-guest for non-DD Bob Coder <bobc@example.com>

  • debian for the Debian/ namespace (the equivalent to collab-maint on alioth)

  • foobar-team for the Foobar Packaging Team

You can instruct git to rewrite URLs into pushable ssh URLs:

git config --global url."git@salsa.debian.org:".pushInsteadOf "https://salsa.debian.org/"

This will work for all salsa repositories checked out via https:// URLs in the present, past or future.

You can also use a shortcut for all Salsa repositories:

git config --global url."git@salsa.debian.org:".insteadOf salsa:

This way you can use a shorter commandline like this:

git clone salsa:debian/htop

Projects and Repositories

In GitLab, a project is one Git repository, and each Git repository needs a project. You can create several projects in the same namespace (user or group).

Email notifications

Every project owner can enable "email on push". To do so, go the project settings → integrations → project services → emails on push and configure the list of recipients you want to send emails to.

In particular, to forward emails to tracker.debian.org, you should add dispatch@tracker.debian.org to the recipients (or, if for some not good reason the project name is not the name of the source package, dispatch+${package}_vcs@tracker.debian.org (where ${package} is the source package name)).

Take into account that the current implementation sends a single mail per push with all commits lumped together, which makes it rather useless for any post-review workflow. This is tracked upstream at https://gitlab.com/gitlab-org/gitlab-ce/issues/19901.

Information on manipulating bugs by email

GitLab has quite a lot of text commands aka "quick actions" which can be used when interacting with GitLab via email. Most things can be done via email by replying to the email notifications. There are special email addresses for creating new merge requests and issues via email.

IRC notifications

Irker

Alexander Wirt is sponsoring an Irker instance. It can be enabled with the irker integration available under Settings/Integrations/Irker. Please use the following settings:

Under recipients add a newline separated list of recipients/channels. If your channel is protected by a key, use the syntax channel-name?key=whatever omitting the leading # sign (failing to omit the # sign will result in Irker joining a channel literally named #channel-name?key=whatever and doing so making your channel key public as it is visible in the bot's /whois.
Currently only Push events are supported.

KGB

KGB supports gitlab webhooks. To use the kgb instances provided by dam, tincho, and gregoa from salsa, set a webhook in your project:

http://kgb.debian.net:9418/webhook/?channel=<irc-channel-name-without-#>

For details, additional parameters, and helper scripts see the KGB documentation at https://salsa.debian.org/kgb-team/kgb/wikis/usage

Dealing with Debian BTS from commit messages

We run a webhook receiver that can modify the Debian BTS based on commit messages. If you want to use it, go to your project, "Settings → Webhooks" and add a URL (see below), then click save. No secret token is needed, and currently it only deals with push events.

Possible URLs:

https://webhook.salsa.debian.org/close/SOURCENAME
https://webhook.salsa.debian.org/tagpending/SOURCENAME

Replace SOURCENAME with the name of your source package and chose either close or tag pending, depending on the action you want to get.

You can ignore a branch or pattern, say wip/*, by providing the ignored-namespaces parameter. See the README in code for more details.

Code: https://salsa.debian.org/salsa/salsa-webhook.

Deployment keys

For automating task FIXME

Runners

Salsa provides shared runners for all projects to use. All jobs without more specific tags run within a privileged Docker container on one-time-use VM. Outbound connections from the shared runner VMs are limited to http & https.

You may also add group runners for your group or specific runners and configure them for your project.

Configuration files and tools are maintained by the SalsaCI team

Web page hosting

Gitlab offer the "Gitlab Pages" feature, and it is enabled on Salsa as https://<namespace>.pages.debian.net/<project>

This feature makes use of Gitlab-CI to generate static pages in a public directory, on every push.

See the official documentation for details. Note that hosting pages on arbitrary domains — whilst supported by upstream — is not supported on Salsa due to lack of bandwidth within DSA to support that feature (see RT #7045).

ChrisLamb has created a number of https://lamby.pages.debian.net/salsa-ribbons/ that you can add to your site.

https://<namespace>.pages.debian.net should work, thanks to Let's Encrypt new wildcard certificate support.

Quick start

  1. On your project Home, use Set up CI/CD button. (If your project is empty, select New file instead.)

  2. Choose a Gitlab CI Yaml template (Pages templates are at the end)

  3. Edit the template to suit your needs and save it
  4. Push something to the repository. You will see there is a CI Job pending
  5. Wait a few minutes for the job to run. When it's Passed you can see your pages at https://<namespace>.pages.debian.net/<project>/)

Even though we plan to support simple page generators like Jekyll or Hugo in the future, in most cases, you should content yourself with the HTML template, and generate the pages locally to push them afterward, in order to save the resources on the runner. Some templates might require commands not available on the server anyway.

We mean that. Really. Be nice to the server. ;)

important: (at least for static pages deployment) your artifacts must be stored in a directory named public/; if they are currently in a different location, use the script section in .gitlab-ci.yml to create that dir and copy the content there.

Getting Help

See the Salsa maintenance description.

Hints for previous users of Alioth

See Salsa/AliothMigration.

API Usage Best practises

  • if you want to know if a project exists, access the project by name, authenticated, if you get a 404 then it doesn't exists.
  • do not search for getting an id. If you need the id, access the project by name and use path-encoding https://docs.gitlab.com/ee/api/#namespaced-path-encoding

  • do not request all projects in a group unless you really have. If you really have to get the list, for i.e. looping, use simple=true (https://docs.gitlab.com/ee/api/groups.html#list-a-group-s-projects).

  • Implement proper pagination, please do not just requests a few hundreds elements per page
  • set an User-Agent header with information about the project; don't make requests with generic user agent headers

  • if you use a lib, ensure the lib does implement the api properly
  • do not run extensive jobs too often
  • please consider to use vcswatch or other data gathering projects
  • do not regularly poll things
  • if in doubt, talk to us before you code and talk to us before you put your code into production

SSH Host Keys

When connecting to Salsa to fetch or push a Git repo for the first time, it is essential to verify host's ssh keys. The keys for Salsa have been published as SSHFP DNS records as well as in the Debian known_hosts file. This is a one time operation. From now on ssh will trust the keys in the local known_hosts file.