[06:37:44] <federico3>	 Amir1: can I start the schema change on s2 in codfw?
[09:51:14] <Amir1>	 federico3: go for it
[09:51:26] <federico3>	 ok, starting it
[12:06:38] <federico3>	 Emperor: I'm trying to find documentation for the overall process on where deb packages are built and how they are fetched into the archive; after a while I found modules/aptrepo/files/gitlab_package_puller.py in the Puppet repo but I'm not seeing docs linked to/from it and I suspect the author (Eoghan Gaffney) might have left.
[12:06:38] <federico3>	 _joe_ said that that part of the process is undocumented. Do you know about any docs around it?
[12:37:46] <Emperor>	 federico3: I thought I had documented it (maybe not!), but the short version is - you need your package to be built on a trusted runner, then it'll get pulled into the staging repo.
[12:38:20] <Emperor>	 to get it built on a trusted runner, it needs to be in the relevant ACL, and you need to set the USE_TRUSTED envvar in the build
[12:42:11] <federico3>	 I found where the puller is running and where it's logging
[12:42:42] <Emperor>	 ACL https://gitlab.wikimedia.org/repos/releng/gitlab-trusted-runner/-/blob/main/projects.json
[12:42:45] <federico3>	 in this specific case I'm trying to walk the chain backwards: I know which package needs work but I don't know where it's hosted
[12:43:43] <Emperor>	 what's the package?
[12:44:04] <federico3>	 envoyproxy (for https://phabricator.wikimedia.org/T402668 ) 
[12:44:39] <federico3>	 but I'm looking for ways to understand the process end to end
[12:46:20] <Emperor>	 so envoyproxy is not being built on a trusted runner (it's not in the ACL)
[12:48:32] <Emperor>	 there is a component/ on apt.wm.org - https://apt.wikimedia.org/wikimedia/pool/component/envoy-future/e/envoyproxy/
[12:49:08] <Emperor>	 so I think it was built from https://gerrit.wikimedia.org/g/operations/debs/envoyproxy
[12:49:47] <Emperor>	 but you may want to talk to the serviceops, who I think are the team who own that
[13:04:11] <federico3>	 I was able to spot the debs by running find on the host but I was looking for a way to give visibility to the process and find the source repo URL reliably
[13:09:05] <Emperor>	 there isn't a general answer to that question
[13:09:35] <Emperor>	 for ones built using wmf-debci you can look in the ACL list of trusted-runner which will tell you the repo
[13:09:54] <Emperor>	 but there is a variety of ways of building & hosting packages at WMF
[13:18:10] <federico3>	 ok, thank you for the details
[13:18:57] <federico3>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/1182593 Amir1 I sent out this an the related CR when you have time
[14:10:10] <Amir1>	 Thanks. I will take a look