[00:03:47] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10Dzahn) I opened a ticket with upstream. (#89323) [00:22:25] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10dduvall) >>! In T322344#8384985, @Dzahn wrote: > I opened a ticket with upstream. (#89323) Can you provide a link ple... [00:38:28] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10dduvall) Would it be ok to add `GetInRelease: no` to the reprepro updates file? According to the manpage: ` GetInRele... [01:14:56] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10Dzahn) @dduvall The way you describe above works but it seems to me that is simply because it skips the "signed by" li... [01:23:58] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10Dzahn) I have now succesfully installed the .deb locally (with signing) (have to do it with apt-get and not apt or it... [01:24:11] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10dduvall) >>! In T322344#8385115, @Dzahn wrote: > @dduvall The way you describe above works but it seems to me that is... [01:24:49] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10dduvall) >>! In T322344#8385118, @Dzahn wrote: > @dduvall It's available for bullseye now: > > ` > [apt1001:/tmp] $ s... [01:38:57] 10GitLab (CI & Job Runners), 10serviceops-collab, 10Release-Engineering-Team (Priority Backlog 📥): Move cloud runner CI jobs to trusted runners - https://phabricator.wikimedia.org/T322344 (10Dzahn) >>! In T322344#8385119, @dduvall wrote: > I don't think it needs the `signed-by` parameter if the key is under... [13:53:09] Hi. I have a gitlab CI pipeline based atop docker-registry.wikimedia.org/releng/maven-java8:1.0.0 that fails with: [13:53:12] fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.wikimedia.org/repos/data-engineering/mediawiki-stream-enrichment.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none [13:53:45] would anyone here have a pointer for what to do about cert validation? [13:54:16] FWIW I did not encounter this issue with maven-java8:1.0.0-s1 [13:54:41] Full log at https://gitlab.wikimedia.org/repos/data-engineering/mediawiki-stream-enrichment/-/jobs/28676 [16:26:21] gmodena: When I run the docker-registry.wikimedia.org/releng/maven-java8:1.0.0 image I ultimately get `/utils/ci-src-setup.sh: line 11: ZUUL_URL: unbound variable`. I'm curious to know how you avoided that part. [16:28:48] dancy I did set it in the variable block of gitlab-ci.yml https://gitlab.wikimedia.org/repos/data-engineering/mediawiki-stream-enrichment/-/blob/fix-ci-variables/.gitlab-ci.yml#L40 [16:28:55] <_joe_> --entrypoint /bin/bash :P [16:29:12] haha thanks Joe [16:29:21] thx gmodena.. looking [16:29:36] I mentally scrolled by that list of variables. :-P [16:29:55] dancy thanks :) [16:33:49] gmodena: I think the solution is to use the `-s1` image, which is the newest. Presumably it has a more up-to-date list of CA certs which is why it works and the old one doesn't. [16:35:05] dancy ack. I'll stick to -s1 [16:35:14] thanks for looking into it [16:35:18] no problem