Conda-forge.github.io: Only build on PRs

A potential variant of this would be to have a label per PR. Right before pushing new packages to the label, remove the contents of the label, then push up the new packages.

This would allow users to access the label to get the hot off the CI build for local testing. The label would be very clean as it only has one package set in it at any time and no mixing with other packages (see the rc label).

A potential variant of this would be to have a label per PR. Right before pushing new packages to the label, remove the contents of the label, then push up the new packages.

While this seems to be very appealing I think this is a security nightmare since I can trick the tests in my PR to get everything passed - and so everything will be uploaded to anaconda.org. Even if it's under a hidden/secret label it's uploaded and in the wild. However, we could do this for the bots and trusted users only.

The staging area sounds cool!

This is a good idea. Though it's worth noting it duplicates issue ( https://github.com/conda-forge/conda-forge.github.io/issues/124 ). Should we consolidate these somehow?

cc @kmuehlbauer

@bgruening your point is well taken, and I think having "trusted sources" could be a good theme for this and a few other issues floating around.

On the other hand if people actively download packages from a channel that they needed to a) opt in to and b) we very actively say not to touch unless they know exactly what they are doing. I imagine this ethos is a bit like the linux super unstable repos (looking at you arch testing repo). I think we need to be active in telling people that the only guarantee that we offer for that channel is that the builds passed conda-build nothing more.

Should add (failed to note this in my previous comment) this proposal IMHO addresses the provenance concerns raised in the older issue. Namely by not relying on CI cache, but just uploading the package and tweaking the label. This makes it very similar to issue ( https://github.com/conda-forge/conda-forge.github.io/issues/204 ), which tries to do the same thing as this issue, but for different reasons.

cc @astrofrog

I really like this idea, but perhaps we can help with both https://github.com/conda-forge/conda-forge.github.io/issues/647#issuecomment-426818182 and some other potential security concerns by uploading to a different channel entirely, e.g. conda-forge-staging? That would make the "finalization" process a little more complicated since it's not just a relabel, but it seems that if PRs can upload to a non-main label then the PR could easily be maliciously changed to upload to main as well.

I like the idea of having a separate account for this. One issue is how we would manage the moving from one channel to the other. We need a way to specify which artifacts to copy over, otherwise we may run into an issue where an attacker uploads a more recent artifact and then we copy that one over than the correct one.

That's a good point. We might need the build process to output a hash of the produced package file(s) in some non-fakeable place, e.g. in the build log, and then check those when master goes to copy the package over.

Yea, the build log might be the only non-fakeable place, since all other places require keys which could be spoofed. Idk if we can access the build logs with a nice API though.

Yeah I wonder to what extent this overlaps with CFEP 13/cf-staging work.

cc @beckermr

You should consider the cf-staging staging channel an implementation detail of CFEP-13 and not rely on it for anything.