| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Change-Id: Id3c767d04411ac7551e7016a37136a77e4ae8118
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Gitiles has special FilteredRepository wrapper that
allows to carefully hide refs based on the project's ACLs.
There is however an optimisation that skips the filtering
in case a user has READ permissions on every ACLs patterns.
When the target repository is All-Users, the optimisation
turns into a security issue because it allows seeing everything
that belongs to everyone:
- draft comments
- PII of all users
- external ids
- draft edits
Block Gitiles or any other part of Gerrit to abuse of this
power when the target repository is All-Users, where nobody
can be authorised to skip the ACLs evaluation.
Cover the additional special case of the All-Users project
access with two explicit positive and negative tests,
so that the security check is covered.
Bug: Issue 13621
Change-Id: Ia6ea1a9fd5473adff534204aea7d8f25324a45b7
(cherry picked from commit 45071d6977932bca5a1427c8abad24710fed2e33)
(cherry picked from commit 1be1d6ff45f18c978fd21e5c7d437d0a1351d7d8)
|
|
|
|
|
| |
Change-Id: I35c47ba60c08e8d5d1f767672b5e83b7d29fea1b
(cherry picked from commit 1346eab23259f8dc4adec9cb098e2f818c9cf79d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't know whether or not all plugins have test rules, so running a
generic command:
$ bazelisk test plugins/{name}/...
can lead to no tests found outcome, in which case Bazel will return exit
code 4 that needs to be checked to differentiate from test failure (exit
code 1). To avoid those checks, pass the virtual test that will always
succeed:
$ bazelisk test //tools/bzl:always_pass_test plugins/{name}/...
See also this upstream issue for this suggested workaround: [1].
[1] https://github.com/bazelbuild/bazel/issues/11465
Change-Id: Ideab64674482400cc48fad55f7ed9f8085909b84
(cherry picked from commit d69773ceb5c84cfcf13749b2f555bf92d22e6f71)
(cherry picked from commit 938db887d803889e34a1adfd762c259eadcdd6a3)
|
|
|
|
| |
Change-Id: I3aac9a69297982709b213284d919655848c6132a
|
|
|
|
| |
Change-Id: Idf4299b5e754e21c17314735981baa851061a626
|
|
|
|
|
|
|
|
|
|
|
|
| |
When an account is disabled by the Gerrit admin through the set-account
command, it should not be enabled to perform any further authentication
or other actions.
Allowing a disabled account to continue operating in Gerrit until his
session expiration would be a security risk.
Bug: Issue 12717
Change-Id: I4cbad70bb3c83a1916f0d6939c5ccbbe7c734619
|
|
|
|
|
| |
Change-Id: I1e3d7ceaf7908f3b53a5b11a257aa752eaec066e
(cherry picked from commit 9c7428264769e9c211c0cf23a2d6ec9406be791b)
|
|\
| |
| |
| |
| |
| |
| | |
* stable-2.13:
Fix Postgresql JDBC driver leaking memory
Change-Id: I4e35aaa2908788c8fbe22eaf07aba9355b52f67b
|
| |\
| | |
| | |
| | |
| | |
| | |
| | | |
* stable-2.12:
Fix Postgresql JDBC driver leaking memory
Change-Id: I34530c9736f471d67ac761cb591443202b597e5a
|
| | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-2.11:
Fix Postgresql JDBC driver leaking memory
Change-Id: Ie4c0ff60f098fbc606aba56a027ff8a0884e3a5d
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Older versions of Postgresql JDBC driver rely on finalize() methods in
order to avoid leaking unclosed database objects. Given finalize
methods are unpredictable (no guarantee about prompt execution, if at
all), in some high load environments this could lead to a memory leak
with millions of JDBC objects pending finalization.
Newer versions of the Postgresql JDBC driver removed the use of finalize
methods to avoid this kind of issues.
Also provides an implementation of setQueryTimeout.
Bug: Issue 4848
Change-Id: Ia143f1df1d8e41686362fd76b9bc82e0046f9894
(cherry picked from commit 80476a51df8361814e9cd5d91ceb60e8bf41cae5)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This option was flipped in context of:[1] and is now enabled per
default. When running gerrit build with remote execution strategy,
this warning is issued:
WARNING: Option 'tls_enabled' is deprecated: No-op. See #8061 \
for details.
[1] https://github.com/bazelbuild/bazel/issues/8061
Change-Id: I6d77f08e483157f955e82abe0bae848075a7040e
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Bazel 2.0 is a new major version of Bazel and brings some important flag
flips that did not make it into Bazel 1.0.
In particular Bazel's Debian package and the binary installer now
include an improved wrapper that understands <WORKSPACE>/.bazelversion
files and the $USE_BAZEL_VERSION environment variable. This is similar
to what Bazelisk offers, except that it works offline and integrates
with apt-get.
Change-Id: Ia0bbd19649880a6803f69b85fad0283b52a5721f
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Bug: Issue 12171
Change-Id: Ifae9462251bea0b3fd683452f16572572d4a7cea
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Gerrit v2.14 is EOL and we should not build this branch
anymore on the CI.
Change-Id: I3994c1147c6e7e52cfc3efbc3fb7c320b8f3418d
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The verification pipeline was not properly reporting the results of
builds that were suspect to being flaky. This happened, because the
build did not save the results in a variable, if the propagate option
was used, which had to be done for the pipeline plugin's retry command
to work.
Instead of using the retry-command provided by the pipeline plugin,
the Jenkinsfile implements this behaviour manually.
Bug: Issue 11927
Change-Id: I419a20f69cabc4c54d7f57fd04ad354563eafd71
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Bug: Issue 11916
Change-Id: I0d273f8536c3b2ee10f8a6f938bc8dc3374ce0a5
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When retriggering flaky builds, do not use the non-CPS method Map.remove()
and instead create a new Map.
Bug: Issue 11876
Change-Id: I383a2351ad907acd19d21c459a0fd660e8abe028
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Change-Id: I582aca7d9ba8a8b17e6d54580490f242dfe0926d
(cherry picked from commit e89717db20a364b6f8ad9d3614280a32ef70b844)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
To be compatible with the shell script, ignore "not a git repository
error" and report "unknown" version.
Change-Id: Ifa5dafea63743e6e09958f4283231c3eb7e45afe
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This allows to seamlessly build Gerrit on different operating systems.
See also discussions in: [1], [2].
[1] https://github.com/bazelbuild/bazel/issues/5958
[2] https://github.com/bazelbuild/bazel/issues/10151
Change-Id: I7738a23c08f4890a2010182587b64a2979256ad4
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: I125c1b6b575f4a19c42bd036c609e7c666d5742e
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
New Bazel release upgraded java_tools to javac11-v6.1, so that we don't
need to consume a custom version any more.
Change-Id: I749358f27358093802d7d250f3e3395f0425edbd
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The sorting of messages Jenkins would send back after verifying
a change did not work anymore as it was implemented in the workflow script.
This change removes the sorting of the messages.
Change-Id: I9cb14308ed354c31fae08e3c7190a7f886f242bf
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The string formatting in the Jenkinsfile during the post of the
checks was broken. Groovy did not accept the operator in a hanging
line.
Change-Id: Ica7e6e9dedde31ca90888e4288975f4a1e6e7a07
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: I3e44fdb39487b81cfd853dfbba10a7990bdc381f
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: Iae80a5faeb0973a02564a8c8db9ae1a7b589d236
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The response code returned on success was 200, but the job described
in the Jenkinsfile expected 201. Now the job correctly expects 200.
Change-Id: I7f22484d98f399fa8dbebec1bdc73926bf8e4040
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The verification pipeline described in the Jenkinsfile was trying to
post checks without authentication. This led to a returned 401 status.
Change-Id: Ic3bf661373fe7a8b51416d900690c105c10987b3
|
|\ \ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
So far the job for verifying changes in the `gerrit`-project was managed
in the repository of the CI itself. These jobs were still using the by
now deprecated workflow type.
This change adds a Jenkinsfile to this project, which describes the build
and test workflow to be executed by the CI. The job will be executed by a
multibranch pipeline in the CI.
Note, that the job described in the Jenkinsfile for now just starts
other jobs that will verify and check the code style of the change as it
was done so far in the `Gerrit-verifier-change`-job. It is planned to
change that in the future.
Notable changes to the `Gerrit-verifier-change`-job are:
- The job will not check on which branch it runs. The Jenkinsfiles present
in the different branches will have to contain the branch-specific
code.
- In pipelines Jenkins is very strict in which methods are allowed to be
executed, since code can easily be added to a Jenkinsfile, which could
execute malicious commands on the CI. To avoid to have to whitelist such
methods in general, the code was adapted to only use allowed methods.
- The job is now triggered by the `verifier-trigger`-job in the CI.
Change-Id: I4d9ac3ebfd342243c6b7bf36186567e1b5175a4f
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
api.sh should prefer bazelisk as first choice for running
bazel, falling back to the current bazel binary.
Change-Id: I047112b81ad90d2f6c00c6592ba856f2a7108b43
|
| | | | |
| | | | |
| | | | |
| | | | | |
Change-Id: I88469233bc3c89809b2146fd56b73852f8ddb885
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In bazel 0.25 the target directory was changed from bazel-genfiles
to bazel-bin and bazel-genfiles was symlinked to bazel-bin.
In bazel 1.0 the symlink no longer gets created, and this causes the
./tools/maven/api.sh script to fail on a clean workspace because it
still refers to the old location:
./tools/maven/api.sh: line 66:
./bazel-genfiles/tools/maven/api_install.sh: No such file or directory
Fix api.sh to use bazel-bin, and also update dev-build-plugin.txt to
refer to bazel-bin.
Note that some documentation was previously updated in I9521cd7e5.
Bug: Issue 11757
Change-Id: I21f204d44ac78559f51ad2e62b085240170d83a7
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We don't intend to release 2.14.21; this change is only so that
building and deploying the API and WAR locally doesn't overwrite
the officially released 2.14.20 versions.
Change-Id: Ib893db7e7af6ba1a92a6d3d66fdb248463541756
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This upgrade of java_tools is needed to remove Java 7 compatibility mode
for java_proto_library rules. This was done in this CL: [1], that is
included in java_tools release 6.0.
[1] https://github.com/bazelbuild/bazel/pull/9450
Bug: Issue 11102
Change-Id: Ic0043544d238ee5cc2dcaf67ff1db9d8a5397bfa
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The latest version removed Java 7 compatibility mode [1] for
protobuf_java rule.
Note that this above fix is only related to the building protobuf_java
rule itself, and is not related to the building of java_proto_library,
that is also affected, but for another reason: default java toolchain
in currently used java_tools distribution is also targeting Java
language level 7 for proto rules. Luckily my PR was accepted here and
Java 7 compatibility mode was removed. However, to take effect a new
java_tools version must be released and Bazel must be updated to point
to it. This will be done in the follow-up change.
[1] https://github.com/bazelbuild/rules_closure/pull/432
Bug: Issue 11102
Change-Id: I0860772dbf78a397f1f8f78f17eb8dcec4ac07c0
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Since [1] Bazel added support for .bazelignore, allowing to specify
directories that should be ignored. We still preserve the exclusion of
BUILD files in generated .classpath file to avoid Eclipse warnings in
the form:
The resource is a duplicate of java/BUILD \
and was not copied to the output folder
[1] https://github.com/bazelbuild/bazel/issues/4888
Change-Id: I8dfd9b5701dfcc85fd51f626af448d0306b02857
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: Ib7cb505c55c24993c092fd1e38163c73ca741565
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Support for Remote Bazel Execution was added in this change:
Ia18e5fd55f8. However, the import statement in .bazelrc:
import tools/remote-bazelrc
missed to prefix the tools directory with %workspace% prefix and
thus broke running the build from non root-workspace directory.
Change-Id: I85673659138e23d25eaecf40606d57706fe9f6e1
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The latest version updates protobuf version to 3.10.0: [1].
[1] https://github.com/bazelbuild/rules_closure/pull/413
Change-Id: Ib0aecd23a95f8834f3d06edd66af76a475d0ebb5
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
rules_python is implicitly loaded by rules_closure, so it doesn't need
to be explicitly loaded.
Change-Id: I1a3a7ee9443f901d245b7c8ed55ee03ec11e6c49
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
rules_proto is implicitly loaded by rules_closure, so it doesn't
need to be explicitly loaded.
Change-Id: I163b871632a4c5ff3914849b6127993b9c9288aa
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It was changed in I36192c9465d but this part of that change can be
reverted, after rules_java is loaded in WORKSPACE file through the
rules_closure repository. That is why the load of codemirror:cm.bzl
can only be included after rules_closure repository is loaded.
Change-Id: I0f6769cd59bb9da0a96929a51756d4c0972ae1ca
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: Id0629880af427bfa8641f77a611d9082547714e0
|
|\ \ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
'--experimental_strict_action_env' was a Bazel 0.20.0 option which got
renamed to '--incompatible_strict_action_env' and was planned to be the
default as of 0.21.0 [1]. However, this planned flip still hasn't
happened for at least the baseline of 1.0.0 (as of rc3), so we can't
remove it as of now [2].
In general, we should try to avoid having --incompatible_* or
--experimental_* flags in the bazelrc, as per explanation in Issue 11122
[3] as well as on the 'Backward Compatibility' page of Bazel [4]:
> Users should never run their production builds with --experimental_*
> or --incompatible_* flags.
However, for this case we have a compelling reason to have
'--incompatible_strict_action_env'.
[1]: https://github.com/bazelbuild/bazel/issues/6648
[2]: https://github.com/bazelbuild/bazel/issues/7026
[3]: https://bugs.chromium.org/p/gerrit/issues/detail?id=11122
[4]: https://docs.bazel.build/versions/0.29.1/backward-compatibility.html
Change-Id: Ie78708ffaeb1bfe9ebceb924939833f7c30eaeaf
|
|\ \ \ \ \
| |/ / / /
|/| | | |
| | | | |
| | | | |
| | | | | |
* changes:
Bazel: Bump rules_closure to 3.10.0-rc1
Bazel: Remove duplicate bazel_toolchains fetching
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The new rules_closure version was adapted to fixes needed for
--incompatible_load_{java|proto|python}_rules_from_bzl option.
Change-Id: I82fc3d65fba40b8f966ca458dbfb93ff7068aafa
|