TL;DR

All the Gerrit incoming changes and stable branches are built on the Gerrit CI.

The gerrit-ci-scripts project contains all the YAML files definitions associated with the Jenkins Job Builder definition of the continuous integration Jobs.

Gerrit maintainers are responsible for making sure that the CI jobs are up-to-date by triggering the Gerrit-CI scripts job upon new commits to the master branch of the gerrit-ci-scripts project.

Signing up as maintainer on Gerrit-CI

The Gerrit-CI controller allows the Gerrit maintainers to sign-in using their GitHub accounts and have their username defined in the list of Users.

Note
Because of recent security issues found in Jenkins and the risk of future ones, only Gerrit maintainers and contributors are allowed to access the Jenkins UI and sign up to create an account.

Once the sign-up phase is complete, maintainers need to grant themselves permissions on Jenkins by creating a change that adds their username to the permissions section of the Jenkins config.xml.
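The following script is an added example, not part of gerrit-ci-scripts, showing what such a change looks like and how a reviewer can audit it: it parses the matrix-authorization section of a Jenkins config.xml, lists which users hold which permissions, and produces the updated file with Administer granted to a new username. The embedded config.xml is a constructed sample; the entry syntax assumed here is the one written by the Jenkins matrix-auth plugin ("PERMISSION:sid" in older versions, "USER:PERMISSION:sid" or "GROUP:PERMISSION:sid" in 3.x and later) and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of the <authorizationStrategy> section of a Jenkins config.xml.
# Both matrix-auth entry styles are mixed in on purpose so the parser handles either.
SAMPLE_CONFIG_XML = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:alice</permission>
    <permission>USER:hudson.model.Hudson.Read:alice</permission>
    <permission>USER:hudson.model.Hudson.Read:bob</permission>
    <permission>hudson.model.Item.Build:bob</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>
"""

ADMINISTER = "hudson.model.Hudson.Administer"


def parse_permission(entry):
    """Split one <permission> text into (kind, permission_id, sid).

    Three colon-separated parts is the matrix-auth 3.x style (USER:/GROUP: prefix);
    two parts is the older style, whose sid kind is not recorded in the file.
    """
    parts = entry.strip().split(":")
    if len(parts) == 3:
        kind, perm, sid = parts
    elif len(parts) == 2:
        kind, (perm, sid) = "UNSPECIFIED", parts
    else:
        raise ValueError(f"unrecognised permission entry: {entry!r}")
    return kind, perm, sid


def _strategy(root):
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        raise ValueError("config.xml has no <authorizationStrategy> section")
    return strategy


def permissions_by_sid(config_xml):
    """Map each user/group sid to the set of permission ids granted to it."""
    grants = defaultdict(set)
    for node in _strategy(ET.fromstring(config_xml)).findall("permission"):
        _kind, perm, sid = parse_permission(node.text)
        grants[sid].add(perm)
    return dict(grants)


def administrators(config_xml):
    """Sorted list of sids holding Overall/Administer, the permission a reviewer cares most about."""
    return sorted(sid for sid, perms in permissions_by_sid(config_xml).items()
                  if ADMINISTER in perms)


def grant_administer(config_xml, username):
    """Return config.xml with Administer granted to username; unchanged if already granted."""
    if username in administrators(config_xml):
        return config_xml
    root = ET.fromstring(config_xml)
    node = ET.SubElement(_strategy(root), "permission")
    node.text = f"USER:{ADMINISTER}:{username}"
    ET.indent(root, space="  ")  # re-indent so the new entry lines up (Python 3.9+)
    return ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    print("admins before:", administrators(SAMPLE_CONFIG_XML))
    updated = grant_administer(SAMPLE_CONFIG_XML, "carol")
    print("admins after: ", administrators(updated))
    print(updated)
```

Reviewing a change to config.xml with `administrators()` on the old and new text gives the set of accounts that gained or lost full control of the controller, which is the part of the diff worth reading closely.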

Applying changes to Jenkins on Gerrit-CI

The Jenkins setup of Gerrit-CI adopts a zero-trust architecture and therefore assumes that any access could be malicious.

  • To limit the impact of future attacks or zero-day vulnerabilities, the controller must not hold any meaningful secret or key that could be stolen.

  • It must not be possible for anyone to change anything on the Gerrit-CI infrastructure without authenticating with their credentials.

  • No credentials should be stored anywhere on the Jenkins controller.

  • Everything should be coming from the gerrit-ci-scripts project and the infrastructure must be immutable and ephemeral.

Gerrit maintainers can apply the latest changes on the Jenkins controller on Gerrit-CI by performing the following actions: