golang.org/x/build@v0.0.0-20240506185731-218518f32b70/cmd/securitybot/README.md (about)

# golang.org/x/build/cmd/securitybot

securitybot provides TryBot-like functionality for the internal private Go
repository that is used for developing patches for security releases.

securitybot is not nearly as fully featured as the public TryBot functionality,
and is meant to be a best effort attempt at providing basic testing for security
patches.

securitybot operates in a loop, searching the private Gerrit instance for CLs
which have the `Run-TryBot+1` label, and are lacking either the
`TryBot-Result+1` or `TryBot-Result-1` labels. It then executes the tests for
each CL it finds serially. Since there is a low volume of security patches, it
is not necessary to run tests for each CL in parallel. securitybot is not
intended to be able to run concurrently.
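The selection rule in that loop, as an added Go example that is not securitybot's own code: the `CL` model, the `GerritQuery` string and the sample CLs are constructed assumptions. It shows why a CL that already carries a `TryBot-Result` vote in either direction is skipped on later passes until that vote is cleared.

```go
package main

import "sort"

// CL is a constructed stand-in for a Gerrit change (not securitybot's own type):
// label name -> effective vote on it, 0 when nobody has voted.
type CL struct {
	Number int
	Labels map[string]int
}

// GerritQuery is the search the README's selection rule amounts to (assumed
// form; the bot's actual query string is not shown on the page).
const GerritQuery = "label:Run-TryBot+1 -label:TryBot-Result+1 -label:TryBot-Result-1"

// Eligible applies that rule. A CL that already failed stays excluded until
// the -1 is cleared, so a bad patch is not retested on every pass.
func Eligible(cl CL) bool {
	return cl.Labels["Run-TryBot"] == 1 && cl.Labels["TryBot-Result"] == 0
}

// RunPass is one loop iteration: eligible CLs are tested one at a time, lowest
// number first, and each verdict is written back; returns the CL numbers tested.
func RunPass(cls []CL, test func(CL) bool) []int {
	sort.Slice(cls, func(i, j int) bool { return cls[i].Number < cls[j].Number })
	var ran []int
	for _, cl := range cls {
		if !Eligible(cl) {
			continue
		}
		vote := -1
		if test(cl) {
			vote = 1
		}
		cl.Labels["TryBot-Result"] = vote // map write is visible to the caller
		ran = append(ran, cl.Number)
	}
	return ran
}

// SampleCLs is constructed input: 101 and 104 need a run, 102 already failed,
// 103 was never marked for testing.
func SampleCLs() []CL {
	return []CL{
		{Number: 104, Labels: map[string]int{"Run-TryBot": 1, "Code-Review": 2}},
		{Number: 102, Labels: map[string]int{"Run-TryBot": 1, "TryBot-Result": -1}},
		{Number: 101, Labels: map[string]int{"Run-TryBot": 1}},
		{Number: 103, Labels: map[string]int{"Code-Review": 1}},
	}
}
```

A second `RunPass` over the same slice tests nothing, because every eligible CL now carries a verdict.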

Tests for each CL are executed by creating buildlets for each configured builder
(currently just those that represent the first class ports) and executing the
`all.{bash,bat}` script. Logs are stored in a GCS bucket, and updated every 5s
while the tests are running.

## Deploying

Deploying a new version of `securitybot` can be done as follows:

```
docker build -f Dockerfile -t golang/security-trybots ../..
docker tag golang/security-trybots gcr.io/go-security-trybots/security-trybots
docker push gcr.io/go-security-trybots/security-trybots
kubectl rollout restart -f deployment.yaml
```

## Setting up cluster

The cluster and service accounts have already been set up and configured, but in
case this needs to be done again, the following commands were used. The second
command binds the Kubernetes service account (defined in `deployment.yaml`) to
the GCP service account.

```
gcloud container \
  --project "go-security-trybots" \
  clusters create-auto "trybots" \
  --region "us-central1" \
  --release-channel "regular" \
  --network "projects/go-security-trybots/global/networks/default" \
  --subnetwork "projects/go-security-trybots/regions/us-central1/subnetworks/default" \
  --cluster-ipv4-cidr "/17" \
  --services-ipv4-cidr "/22"

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:go-security-trybots.svc.id.goog[default/security-trybots]" \
  security-trybots@go-security-trybots.iam.gserviceaccount.com
```