tor's .gitlab-ci.yml is doing mirroring? why?
Currently in master we have the following stanza in our .gitlab-ci.yml (from #22891 (moved)):
    update:
      script:
        - "apt-get install -y --fix-missing git openssh-client"
        # Run ssh-agent (inside the build environment)
        - eval $(ssh-agent -s)
        # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
        - ssh-add <("$DEPLOY_KEY")
        # For Docker builds disable host key checking. Be aware that by adding that
        # you are suspectible to man-in-the-middle attacks.
        # WARNING: Use this only with the Docker executor, if you use it with shell
        # you will overwrite your user's SSH config.
        - mkdir -p ~/.ssh
        - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
        # In order to properly check the server's host key, assuming you created the
        # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
        # instead.
        - mkdir -p ~/.ssh
        - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
        - echo "merging from torgit"
        - git config --global user.email "labadmin@oniongit.eu"
        - git config --global user.name "gitadmin"
        - "mkdir tor"
        - "cd tor"
        - git clone --bare https://git.torproject.org/tor.git
        - git push --mirror git@oniongit.eu:network/tor.git
Why are we doing this? Can we put a cronjob on the oniongit.eu server instead? It's pretty weird and frankly unexpected that my personal fork of tor at https://gitlab.com/isis/tor is cloning the official tor repo and then trying to mirror it to oniongit.eu. It also has a bunch of other problems:
- The ssh-add line is broken, causing CI to fail because it sits there forever waiting for a passphrase. I was originally going to patch the ssh-add line to instead be
      [[ -n "${DEPLOY_KEY}" && -r "$DEPLOY_KEY" ]] && ssh-add "$DEPLOY_KEY" <<<""
  but if I fix that, then all the rest of this script would run, so I'm rather glad it's failing on a more innocuous command.
- Even if the ssh-add line weren't broken, this whole thing fails unless it's being run from a fork on oniongit.eu.
- Why is it disabling SSH hostkey checking?!
- Why is it making the ~/.ssh directory twice?
- Why is it assuming that environment variables are set? e.g. $FOO versus ${FOO} or better test -n "${FOO}"
- Why is it unconditionally setting (global!) git config options? (I assume to disable the warning that git spits out when you don't have $GIT_{AUTHOR,COMMITTER}_{NAME,EMAIL} set, but why would a CI config set them globally instead of just setting the correct environment variables?)
- Why are the mirror URLs hardcoded?
- Why is the git username and email hardcoded?
- Why is any of this even running when I push to https://gitlab.com/isis/tor?
- Why is any of this even running when I push anywhere?
- Why is it unconditionally starting an ssh-agent?
- Why is it using the existence of a (deprecated!) /.dockerenv file to determine if we're in a docker container?
- Why is it assuming we're in the correct docker container, when lots of things, especially lots of CI systems, use docker?
I'm sorry if this is all necessary and I'm just not understanding the setup, but it's all just extremely unexpected behaviour from what is supposed to be a CI config file. Further, it's not even doing the same testing as our .travis.yml, but I'll make another ticket for that issue.
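
A sketch of a mirror step that avoids several of the problems listed above, added here as an example (it is not the Tor project's CI config and not code from this ticket). MIRROR_SOURCE_URL and MIRROR_TARGET_URL are hypothetical variable names; DEPLOY_KEY is assumed to be a path to a private key file, as in the proposed ssh-add fix, and SSH_SERVER_HOSTKEYS is assumed to hold known_hosts lines as in the stanza.

```shell
#!/bin/sh
# Added example: guarded mirror step. Variable roles are assumptions, not project settings.

# Return 0 only when every input the mirror step needs is present.
mirror_preflight() {
    # Status 2 = skip: mirroring was never configured here (e.g. a personal fork).
    [ -n "${MIRROR_TARGET_URL:-}" ] || { echo "skip: MIRROR_TARGET_URL unset" >&2; return 2; }
    [ -n "${MIRROR_SOURCE_URL:-}" ] || { echo "error: MIRROR_SOURCE_URL unset" >&2; return 1; }
    # DEPLOY_KEY is treated as a path to a readable private key file.
    [ -n "${DEPLOY_KEY:-}" ] && [ -r "$DEPLOY_KEY" ] || { echo "error: DEPLOY_KEY not readable" >&2; return 1; }
    # Refuse to run without pinned host keys instead of disabling host key checking.
    [ -n "${SSH_SERVER_HOSTKEYS:-}" ] || { echo "error: SSH_SERVER_HOSTKEYS unset" >&2; return 1; }
    return 0
}

# Print the ssh command git should use. known_hosts is written under $1, so
# ~/.ssh is never touched and no ssh-agent is started. BatchMode makes ssh fail
# instead of waiting for a passphrase. Assumes paths without whitespace.
mirror_ssh_command() {
    workdir=$1
    printf '%s\n' "$SSH_SERVER_HOSTKEYS" > "$workdir/known_hosts"
    printf 'ssh -i %s -o IdentitiesOnly=yes -o BatchMode=yes ' "$DEPLOY_KEY"
    printf -- '-o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s\n' "$workdir/known_hosts"
}

# Clone and push. No git identity is configured: a bare clone followed by
# push --mirror creates no commits, so user.name/user.email are not needed.
run_mirror() {
    mirror_preflight || return $?
    workdir=$(mktemp -d) || return 1
    GIT_SSH_COMMAND=$(mirror_ssh_command "$workdir")
    export GIT_SSH_COMMAND
    git clone --bare "$MIRROR_SOURCE_URL" "$workdir/repo.git" &&
        git -C "$workdir/repo.git" push --mirror "$MIRROR_TARGET_URL"
    status=$?
    rm -rf "$workdir"
    return "$status"
}

# Only act when asked to; defining the functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    run_mirror
fi
```

A CI job would call this with --run and treat exit status 2 as "nothing to do", so pushes to forks without the variables set neither fail nor attempt a push.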