Add way to ignore installations based on the owner of the repository

[MagicRB]

Say you're running a GitHub App and want to run it in multiple organizations, currently there is no way to restrict it to just 2 organizations but not any organization. GitHub doesn't provide this level of control over applications. A similar problem exists on Forgejo, if you define create a buildbot user, any repository which qualifies (i.e. has a matching topic and the buildbot user is an admin for it) will be automatically loaded as a project. This isn't a problem for private or restricted signup Forgejo instances, but for public ones like https://codeberg.org one may end up running other people's CI, which in the best case means an increased electricity bill, or in the worst case a compromised system.

[zowoq]

It would be useful for buildbot.nix-community.org if the restriction also worked at the repo level, e.g.

diff --git a/modules/nixos/buildbot.nix b/modules/nixos/buildbot.nix
--- a/modules/nixos/buildbot.nix
+++ b/modules/nixos/buildbot.nix
@@ -64,6 +64,14 @@ in
       oauthSecretFile = config.sops.secrets.buildbot-github-oauth-secret.path;
       oauthId = "Iv23liN9rjd1Bm3bvYKZ";
       topic = "nix-community-buildbot";
+      org_allowlist = [
+        "nix-community"
+      ];
+      repo_allowlist = [
+        "astro/microvm.nix"
+        "LnL7/nix-darwin"
+      ];
     };
   };

[MagicRB]

okay, will refactor!

[zowoq]

Thanks.

Not sure if it would make the implementation easier or not but repo_allowlist wouldn't need to handle the self service topic.

[MagicRB]

Ah so if repo_allowlist is set, ignore topic? I don't think it makes a difference in implementation, both are trivial to do. So whatever works better for users

[zowoq]

What you have currently is fine, probably simpler for users to always respect the topic if set.