Closed Bug 1415868 Opened 7 years ago Closed 6 years ago

Use hooks for actions

Categories: Taskcluster :: Services; Type: enhancement; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: garndt, Assigned: dustin
References: Blocks 2 open bugs
Attachments: 9 files, 2 obsolete files

(deleted), text/plain
(deleted), text/x-review-board-request; jonasfj: review+, tomprince: review+
(deleted), text/x-review-board-request; tomprince: review+, jonasfj: review+
(deleted), text/x-review-board-request; jonasfj: review+, tomprince: review+
(deleted), text/x-review-board-request; jonasfj: review+, tomprince: review+
(deleted), text/x-github-pull-request
(deleted), text/x-review-board-request; jonasfj: review+, tomprince: review+
(deleted), text/x-review-board-request; mozilla: review+
(deleted), text/x-review-board-request; dustin: review+
Currently, to perform any in-tree defined action from Treeherder, the user must possess the scopes necessary to execute a decision task on that branch, which is often tied to one of the LDAP SCM level groups. Once parameterized hooks are implemented, it should be possible to wrap actions in a hook and call it with a few well-defined parameters that can be validated and sanitized, allowing users to trigger the action but neither directly modify the tasks that would run nor need more privileged scopes.
Depends on: 1324807
This allows us to assign arbitrary scopes to an action. The hooks-related pieces of this are in place, so I need to figure out the rest and parcel out the work.
Summary: Consider using hooks for some actions on level 3 repos → Use hooks for actions
Assignee: nobody → dustin
Blocks: 1437979
The question I'm working on is, how many hooks should we create?

The maximum would be one hook per action, per project. Or one hook per action, per level. In either of these cases, creating a new action requires creating a new hook, which erodes the self-serve nature of actions. We like self-serve.

At the other end, we could just make one hook per level. But that gets us no benefit in terms of limiting access (everyone would have scopes to run those hooks, thus to run any action) and doesn't allow any schema-based limitations of action context.

I think the middle ground is this:

- define a generic hook for each level with limited scopes and minimal schema restrictions on its context, but which anyone with commit access to that level can trigger. This is basically the same as our current actions, but with more limited scopes.

- for specific actions that require additional privileges, create specific hooks. These will have names generated in-tree (e.g., containing project name, level, action name, etc.) and some combination of
  - more-restrictive trigger schemas
  - more scopes granted to the hook
  - fewer people having the hooks:trigger-hook:<hook-name> scope

For example, to enable loaners at high priority, we might define a per-level hook with elevated scopes and a restricted trigger schema, but that is still available to everyone at the appropriate level. Release promotion would have lots of extra scopes, but a very restrictive trigger schema and only be available to a small group of people.

---

OK, so that's pretty flexible, but now how do I manage the complexity? In the near term, I think I'll do this with some taskcluster-admin scripts and some hacky command in-tree to export the list of expected hooks. In the longer term, I think this is a great use-case for bug 1381870.

Brian, I'm curious if you see something I've missed here, or if I'm over-complicating this.
Flags: needinfo?(bstack)
I'm sorta wondering if we need the generic hook for each level at all? Couldn't those be normal actions? Otherwise this seems reasonable.
Flags: needinfo?(bstack)
I think even the "generic" level of scopes (queue:create-task:blahblah, etc.) is something we want to remove from users' day-to-day credentials. But the consequent lack of schema validation does concern me.
Per some discussion today, I'm going to find some way to list frequently used action tasks and the scopes they require. Then I'll use that to propose what scopes should be included in "generic" actions, and what should require action-specific hooks.
Attached file action-taskids (deleted)
The 3482 successful action tasks I can find in the index.
And, here are the scopes used, per level:

*** level 1:
assume:repo:hg.mozilla.org/try:*
assume:repo:hg.mozilla.org/try:branch:default
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** level 2:

*** level 3:
assume:repo:hg.mozilla.org/integration/autoland:*
assume:repo:hg.mozilla.org/integration/autoland:branch:default
assume:repo:hg.mozilla.org/integration/mozilla-inbound:*
assume:repo:hg.mozilla.org/integration/mozilla-inbound:branch:default
assume:repo:hg.mozilla.org/mozilla-central:*
assume:repo:hg.mozilla.org/mozilla-central:branch:default
assume:repo:hg.mozilla.org/releases/mozilla-beta:*
assume:repo:hg.mozilla.org/releases/mozilla-beta:branch:default
assume:repo:hg.mozilla.org/releases/mozilla-release:*
assume:repo:hg.mozilla.org/releases/mozilla-release:branch:default
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:route:index.gecko.v2.autoland.pushlog-id.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.pushlog-id.*
queue:route:index.gecko.v2.mozilla-inbound.pushlog-id.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3

Of course, that doesn't really help -- those assume:repo:.. roles are precisely the roles that are too broad. So I'll need to break that down by looking at the tasks those action tasks created.
OK, a better analysis. This includes scopes for all tasks created by the action, as well as the action's own scopes.

*** action run_missing_tests at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:signing:cert:dep-signing
project:releng:signing:format:sha2signcode
project:releng:signing:format:widevine
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action backfill_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:signing:cert:nightly-signing
project:releng:signing:format:sha2signcode
project:releng:signing:format:widevine
queue:create-task:high:releng-hardware/gecko-t-osx-1010
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action add_new_jobs_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-imagebuilder-*
docker-worker:cache:level-1-tooltool-*
docker-worker:cache:level-1-try-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-android
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux-large
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux-xlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-xlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-xxlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-images
queue:create-task:very-low:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-linux-talos
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.cache.level-1.docker-images.*
queue:route:index.gecko.cache.level-1.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-docs-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action retrigger_action_in_new_group at level 1:
docker-worker:cache:level-1-checkouts-*
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action add_new_jobs_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-imagebuilder-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-3-images
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-3-images
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.docker-images.*
queue:route:index.gecko.cache.level-3.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action cancel_all_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action release_promotion_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-tooltool-*
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.try.*
project:releng:balrog:channel:aurora
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:esr
project:releng:balrog:channel:esr-cdntest
project:releng:balrog:channel:esr-localtest
project:releng:balrog:channel:nightly
project:releng:balrog:channel:nightly-old-id
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:dep
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:bucket:dep
project:releng:buildbot-bridge:builder-name:release-try*
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-android
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:scriptworker-prov-v1/balrog-dev
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-dev
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.*
queue:route:index.releases.v1.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-1/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action purge_caches_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action release_promotion_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-beta-*
docker-worker:cache:level-3-mozilla-release-*
docker-worker:cache:level-3-tooltool-*
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.mozilla-beta.*
index:insert-task:gecko.v2.mozilla-release.*
project:releng:balrog:action:schedule
project:releng:balrog:action:submit-locale
project:releng:balrog:action:submit-toplevel
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:beta
project:releng:balrog:server:release
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:action:push-to-releases
project:releng:beetmover:bucket:release
project:releng:bouncer:action:aliases
project:releng:bouncer:action:submission
project:releng:bouncer:server:production
project:releng:buildbot-bridge:builder-name:release-mozilla-beta*
project:releng:buildbot-bridge:builder-name:release-mozilla-release*
project:releng:googleplay:beta
project:releng:googleplay:release
project:releng:ship-it:production
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:cert:release-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
project:releng:treescript:action:push
project:releng:treescript:action:tagging
project:releng:treescript:action:version_bump
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:aws-provisioner-v1/gecko-t-*
queue:create-task:high:buildbot-bridge/buildbot-bridge
queue:create-task:high:null-provisioner/human-breakpoint
queue:create-task:high:scriptworker-prov-v1/balrogworker-v1
queue:create-task:high:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:high:scriptworker-prov-v1/bouncer-v1
queue:create-task:high:scriptworker-prov-v1/depsigning
queue:create-task:high:scriptworker-prov-v1/dummy-worker-transpar
queue:create-task:high:scriptworker-prov-v1/pushapk-v1
queue:create-task:high:scriptworker-prov-v1/shipit-v1
queue:create-task:high:scriptworker-prov-v1/signing-linux-v1
queue:create-task:high:scriptworker-prov-v1/treescript-v1
queue:create-task:highest:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:highest:aws-provisioner-v1/gecko-t-*
queue:create-task:highest:buildbot-bridge/buildbot-bridge
queue:create-task:highest:null-provisioner/human-breakpoint
queue:create-task:highest:scriptworker-prov-v1/balrogworker-v1
queue:create-task:highest:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:highest:scriptworker-prov-v1/pushapk-v1
queue:create-task:highest:scriptworker-prov-v1/signing-linux-v1
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.*
queue:route:index.releases.v1.*
queue:route:notify.email.release-automation-notifications@mozilla.com.on-exception
queue:route:notify.email.release-automation-notifications@mozilla.com.on-failed
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/datadog-api-key
secrets:get:project/releng/gecko/build/level-3/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/releng/snapcraft/firefox/candidate
secrets:get:project/releng/snapcraft/firefox/edge
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action retrigger_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-imagebuilder-*
docker-worker:cache:level-1-tooltool-*
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-1-images
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:route:index.gecko.cache.level-1.docker-images.*
queue:route:index.gecko.cache.level-1.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action mochitest_retrigger_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action add_all_talos at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action run_missing_tests at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action retrigger_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-imagebuilder-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:format:gpg
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-3-images
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:medium:scriptworker-prov-v1/depsigning
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.docker-images.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action add_all_talos at level 1:
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-tooltool-*
docker-worker:cache:level-1-try-*
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/taskcluster/gecko/hgfingerprint
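To make the generic-versus-specific hook split proposed earlier in this thread checkable against a scope dump like the one above, here is an added example (my own code, not part of this bug or of Taskcluster) that applies Taskcluster's scope-satisfaction rule: it reports which of an action's scopes a proposed per-level hook would not grant, and whether a user's scopes permit triggering a given hook. The hook scope set, the user scope sets and the release-promotion subset are constructed from lists in this thread and are assumptions, not the final hook definitions.

```python
"""Least-privilege check for hook-wrapped actions (added example, not Taskcluster code).

Scope rule used throughout: a granted scope satisfies a required scope when the
two are identical, or when the granted scope ends in '*' and the required scope
starts with everything before that '*'.
"""
from typing import Iterable, List


def satisfies(granted: str, required: str) -> bool:
    """Taskcluster wildcard rule: a trailing '*' matches any suffix."""
    if granted == required:
        return True
    return granted.endswith("*") and required.startswith(granted[:-1])


def satisfied_by(granted: Iterable[str], required: str) -> bool:
    """True if any scope in the granted set satisfies the required scope."""
    return any(satisfies(g, required) for g in granted)


def uncovered_scopes(hook_scopes: Iterable[str], action_scopes: Iterable[str]) -> List[str]:
    """Scopes the action's tasks use that the hook would not grant.

    Each entry is a createTask that would fail when the action runs under the
    hook: either the hook's scope set must grow, or the action needs its own,
    more privileged hook. Note that a broad required wildcard (e.g. a route
    ending in '.v2.*') is not satisfied by narrower wildcards in the hook.
    """
    hook_scopes = list(hook_scopes)
    return sorted(s for s in action_scopes if not satisfied_by(hook_scopes, s))


def can_trigger(user_scopes: Iterable[str], hook_id: str) -> bool:
    """Whether the user may trigger hook_id (hookGroupId/hookId)."""
    return satisfied_by(user_scopes, "hooks:trigger-hook:" + hook_id)


# Constructed subset of the generic level-3 hook scopes proposed in this bug.
GENERIC_3_HOOK = [
    "assume:project:taskcluster:gecko:level-3-sccache-buckets",
    "docker-worker:cache:level-3-*",
    "docker-worker:feature:allowPtrace",
    "docker-worker:relengapi-proxy:tooltool.download.internal",
    "docker-worker:relengapi-proxy:tooltool.download.public",
    "queue:create-task:low:aws-provisioner-v1/gecko-3-*",
    "queue:create-task:low:aws-provisioner-v1/gecko-t-*",
    "queue:create-task:low:buildbot-bridge/buildbot-bridge",
    "queue:create-task:low:releng-hardware/gecko-t-osx-1010",
    "queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision",
    "queue:route:coalesce.v1.*",
    "queue:route:index.gecko.v2.mozilla-inbound.latest.*",
    "queue:route:tc-treeherder.v2.mozilla-inbound.*",
    "queue:scheduler-id:gecko-level-3",
    "secrets:get:project/releng/gecko/build/level-3/*",
    "secrets:get:project/taskcluster/gecko/hgfingerprint",
]

# Scopes the add_all_talos action used at level 3, from the dump in this thread.
ADD_ALL_TALOS_3 = [
    "assume:project:taskcluster:gecko:level-3-sccache-buckets",
    "docker-worker:cache:level-3-checkouts-*",
    "docker-worker:cache:level-3-mozilla-inbound-*",
    "docker-worker:cache:level-3-tooltool-*",
    "docker-worker:feature:allowPtrace",
    "docker-worker:relengapi-proxy:tooltool.download.internal",
    "docker-worker:relengapi-proxy:tooltool.download.public",
    "queue:create-task:low:aws-provisioner-v1/gecko-3-b-*",
    "queue:create-task:low:aws-provisioner-v1/gecko-t-*",
    "queue:create-task:low:buildbot-bridge/buildbot-bridge",
    "queue:create-task:low:releng-hardware/gecko-t-osx-1010",
    "queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision",
    "queue:route:coalesce.v1.*",
    "queue:route:index.gecko.v2.*",
    "queue:route:tc-treeherder.v2.mozilla-inbound.*",
    "queue:scheduler-id:gecko-level-3",
    "secrets:get:project/releng/gecko/build/level-3/*",
    "secrets:get:project/taskcluster/gecko/hgfingerprint",
]

# A constructed subset of the release_promotion_action scopes at level 3.
RELEASE_PROMOTION_3 = [
    "project:releng:balrog:action:schedule",
    "project:releng:balrog:server:release",
    "project:releng:beetmover:action:push-to-releases",
    "project:releng:beetmover:bucket:release",
    "project:releng:signing:cert:release-signing",
    "queue:create-task:high:scriptworker-prov-v1/balrogworker-v1",
    "queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision",
    "queue:scheduler-id:gecko-level-3",
    "secrets:get:project/taskcluster/gecko/hgfingerprint",
]

GENERIC_3 = "project-releng/gecko-action-generic-3"
RELEASE_PROMOTION = "project-releng/gecko-action-release-promotion-3"
# Constructed: the trigger scope an active_scm_level_3 member would hold, and a
# wildcard grant (not proposed in the bug) that would collapse the separation.
LEVEL_3_USER = ["hooks:trigger-hook:" + GENERIC_3]
WILDCARD_USER = ["hooks:trigger-hook:project-releng/gecko-action-*"]

if __name__ == "__main__":
    print("add_all_talos, not covered:", uncovered_scopes(GENERIC_3_HOOK, ADD_ALL_TALOS_3))
    print("release promotion, not covered:", uncovered_scopes(GENERIC_3_HOOK, RELEASE_PROMOTION_3))
    for user in (LEVEL_3_USER, WILDCARD_USER):
        print(user, can_trigger(user, GENERIC_3), can_trigger(user, RELEASE_PROMOTION))
```

The one uncovered add_all_talos scope is the broad `queue:route:index.gecko.v2.*` route, which shows why the generic hook's narrower per-project routes have to be matched against the concrete routes the tasks use rather than the decision task's wildcard.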
OK, I've taken a stab at dividing the actions: cancel_all_action, purge_cache_action, and release_promotion_action have their own hooks, while everything else is considered generic. Below is what the required scopes look like, per level.

*** generic-1
*** triggerSchema allows anything
*** active_scm_level_1 has hooks:trigger-hook:project-releng/gecko-action-generic-1
*** hook-id:project-releng/gecko-action-generic-1 has
assume:project:taskcluster:gecko:level-1-sccache-buckets
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:feature:chainOfTrust
docker-worker:feature:dind
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
purge-cache:aws-provisioner-v1/*
queue:cancel-task:gecko-level-1/*
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-*
queue:create-task:very-low:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-linux-talos
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.cache.level-1.*
queue:route:index.gecko.v2.try.latest.*
queue:route:index.gecko.v2.try.nightly.*
queue:route:index.gecko.v2.try.pushdate.*
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:index.gecko.v2.try.revision.*
queue:route:index.gecko.v2.try.signed-nightly.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-docs-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** generic-3
*** triggerSchema allows anything
*** active_scm_level_3 has hooks:trigger-hook:project-releng/gecko-action-generic-3
*** hook-id:project-releng/gecko-action-generic-3 has
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:feature:chainOfTrust
docker-worker:feature:dind
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:format:gpg
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
purge-cache:aws-provisioner-v1/*
queue:cancel-task:gecko-level-3/*
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:releng-hardware/gecko-t-osx-1010
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:low:aws-provisioner-v1/gecko-3-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:medium:aws-provisioner-v1/gecko-3-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:medium:scriptworker-prov-v1/depsigning
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.*
queue:route:index.gecko.v2.autoland.latest.*
queue:route:index.gecko.v2.autoland.nightly.*
queue:route:index.gecko.v2.autoland.pushdate.*
queue:route:index.gecko.v2.autoland.pushlog-id.*
queue:route:index.gecko.v2.autoland.revision.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.latest.*
queue:route:index.gecko.v2.mozilla-central.nightly.*
queue:route:index.gecko.v2.mozilla-central.pushdate.*
queue:route:index.gecko.v2.mozilla-central.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.revision.*
queue:route:index.gecko.v2.mozilla-central.signed-nightly.*
queue:route:index.gecko.v2.mozilla-inbound.latest.*
queue:route:index.gecko.v2.mozilla-inbound.nightly.*
queue:route:index.gecko.v2.mozilla-inbound.pushdate.*
queue:route:index.gecko.v2.mozilla-inbound.pushlog-id.*
queue:route:index.gecko.v2.mozilla-inbound.revision.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:index.gecko.v2.trunk.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** release_promotion_action-1
*** triggerSchema allows only limited inputs
*** specific LDAP groups have hooks:trigger-hook:project-releng/gecko-action-release-promotion-1 (?? not sure what this means at level 1)
*** hook-id:project-releng/gecko-action-release-promotion-1 has
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-*
docker-worker:feature:chainOfTrust
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.try.*
project:releng:balrog:channel:aurora
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:esr
project:releng:balrog:channel:esr-cdntest
project:releng:balrog:channel:esr-localtest
project:releng:balrog:channel:nightly
project:releng:balrog:channel:nightly-old-id
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:dep
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:bucket:dep
project:releng:buildbot-bridge:builder-name:release-try*
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-*
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:scriptworker-prov-v1/balrog-dev
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-dev
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.try.latest.*
queue:route:index.gecko.v2.try.nightly.*
queue:route:index.gecko.v2.try.pushdate.*
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:index.gecko.v2.try.revision.*
queue:route:index.gecko.v2.try.signed-nightly.*
queue:route:index.releases.v1.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-1/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** release_promotion_action-3
*** triggerSchema allows only limited inputs
*** specific LDAP groups have hooks:trigger-hook:project-releng/gecko-action-release-promotion-3
*** hook-id:project-releng/gecko-action-release-promotion-3 has
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-beta-*
docker-worker:cache:level-3-mozilla-release-*
docker-worker:cache:level-3-tooltool-*
docker-worker:feature:chainOfTrust
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.mozilla-beta.* index:insert-task:gecko.v2.mozilla-release.* project:releng:balrog:action:schedule project:releng:balrog:action:submit-locale project:releng:balrog:action:submit-toplevel project:releng:balrog:channel:beta project:releng:balrog:channel:beta-cdntest project:releng:balrog:channel:beta-localtest project:releng:balrog:channel:release project:releng:balrog:channel:release-cdntest project:releng:balrog:channel:release-localtest project:releng:balrog:server:beta project:releng:balrog:server:release project:releng:beetmover:action:push-to-candidates project:releng:beetmover:action:push-to-releases project:releng:beetmover:bucket:release project:releng:bouncer:action:aliases project:releng:bouncer:action:submission project:releng:bouncer:server:production project:releng:buildbot-bridge:builder-name:release-mozilla-beta* project:releng:buildbot-bridge:builder-name:release-mozilla-release* project:releng:googleplay:beta project:releng:googleplay:release project:releng:ship-it:production project:releng:signing:cert:dep-signing project:releng:signing:cert:nightly-signing project:releng:signing:cert:release-signing project:releng:signing:format:gpg project:releng:signing:format:jar project:releng:signing:format:macapp project:releng:signing:format:mar_sha384 project:releng:signing:format:sha2signcode project:releng:signing:format:sha2signcodestub project:releng:signing:format:widevine project:releng:treescript:action:push project:releng:treescript:action:tagging project:releng:treescript:action:version_bump queue:create-task:high:aws-provisioner-v1/gecko-3-b-* queue:create-task:high:aws-provisioner-v1/gecko-t-* queue:create-task:high:buildbot-bridge/buildbot-bridge queue:create-task:high:null-provisioner/human-breakpoint queue:create-task:high:scriptworker-prov-v1/balrogworker-v1 queue:create-task:high:scriptworker-prov-v1/beetmoverworker-v1 queue:create-task:high:scriptworker-prov-v1/bouncer-v1 
queue:create-task:high:scriptworker-prov-v1/depsigning queue:create-task:high:scriptworker-prov-v1/dummy-worker-transpar queue:create-task:high:scriptworker-prov-v1/pushapk-v1 queue:create-task:high:scriptworker-prov-v1/shipit-v1 queue:create-task:high:scriptworker-prov-v1/signing-linux-v1 queue:create-task:high:scriptworker-prov-v1/treescript-v1 queue:create-task:highest:aws-provisioner-v1/gecko-3-b-* queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload queue:create-task:highest:aws-provisioner-v1/gecko-t-* queue:create-task:highest:buildbot-bridge/buildbot-bridge queue:create-task:highest:null-provisioner/human-breakpoint queue:create-task:highest:scriptworker-prov-v1/balrogworker-v1 queue:create-task:highest:scriptworker-prov-v1/beetmoverworker-v1 queue:create-task:highest:scriptworker-prov-v1/pushapk-v1 queue:create-task:highest:scriptworker-prov-v1/signing-linux-v1 queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision queue:create-task:lowest:aws-provisioner-v1/gecko-misc queue:get-artifact:project/gecko/android-sdk/* queue:route:index.gecko.v2.mozilla-beta.latest.* queue:route:index.gecko.v2.mozilla-beta.nightly.* queue:route:index.gecko.v2.mozilla-beta.pushdate.* queue:route:index.gecko.v2.mozilla-beta.pushlog-id.* queue:route:index.gecko.v2.mozilla-beta.revision.* queue:route:index.gecko.v2.mozilla-beta.signed-nightly.* queue:route:index.gecko.v2.mozilla-release.latest.* queue:route:index.gecko.v2.mozilla-release.nightly.* queue:route:index.gecko.v2.mozilla-release.pushdate.* queue:route:index.gecko.v2.mozilla-release.pushlog-id.* queue:route:index.gecko.v2.mozilla-release.revision.* queue:route:index.gecko.v2.mozilla-release.signed-nightly.* queue:route:index.releases.v1.* queue:route:notify.email.release-automation-notifications@mozilla.com.on-exception queue:route:notify.email.release-automation-notifications@mozilla.com.on-failed queue:route:tc-treeherder-stage.v2.mozilla-release.* queue:route:tc-treeherder.v2.mozilla-beta.* 
queue:route:tc-treeherder.v2.mozilla-release.* queue:scheduler-id:gecko-level-3 secrets:get:project/releng/gecko/build/level-3/* secrets:get:project/releng/gecko/build/level-3/datadog-api-key secrets:get:project/releng/gecko/build/level-3/gecko-generated-sources-upload secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload secrets:get:project/releng/snapcraft/firefox/candidate secrets:get:project/releng/snapcraft/firefox/edge secrets:get:project/taskcluster/gecko/hgfingerprint I'm sure a lot of this can be simplified with role inheritance, but this is the general idea. Aki, do the signing scopes afforded the generic actions seem OK?
Flags: needinfo?(aki)
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #10)
> Aki, do the signing scopes afforded the generic actions
> seem OK?

Yes. The :format: isn't sensitive at the moment, only :cert:, and we appear to be limiting nightly to generic level 3 and release to release promotion level 3. Sounds right.

I looked at the other scriptworker scopes; those appear correct as well.

Will these scopes be editable via roles like they are today? They're closer to being stable than they were a couple quarters ago, but they still may be in flux.
Flags: needinfo?(aki)
Yes, I'll reflect all of this into roles. I haven't quite figured out how just yet, but that's the next step :)
Ah, I think I see the conceptual distinction here: the generic action corresponds to anything that a push might do -- retriggers, add tasks, etc. Where an action requires scopes that are not available for a "regular" push, it will need its own hook. That maps nicely to relpromo, cancellation, purging caches, and nightlies.
With that in mind, the proposed arrangement of roles is this:

mozilla-group:active_scm_level_N is changed from
  assume:repo:.. for each repo at level N
to:
  hooks:trigger-hook:project-releng/gecko-action-N-generic
  hooks:trigger-hook:project-releng/gecko-action-N-purge-cache
  hooks:trigger-hook:project-releng/gecko-action-N-cancel-all
(and any other actions afforded to everyone at that level).

mozilla-group:releng (and relman?) gets
  hooks:trigger-hook:project-releng/gecko-action-{1,2,3}-relpromo

That *dramatically* reduces the set of scopes that users have. It does mean that we need to implement loaners as an action.

---

We currently use roles
  repo:hg.mozilla.org/<repo>:push -- for pushes
  repo:hg.mozilla.org/<repo>:cron:<crontask> -- for cronjobs
and in fact we define scopes that should be available to all jobs on that repo in role repo:hg.mozilla.org/<repo>:*. That currently has some "scary" scopes in it, and per comment 13 those scopes should not be available to a decision task that results from a push. Some of them are already in ..:cron:nightly.

We will add roles
  repo:hg.mozilla.org/<repo>:action:<actionPerm>
which have the "scary" scopes required to accomplish any particular action. This role will automatically inherit the non-scary ...:* scopes, allowing create-task and so on. I'll define `actionPerm` as the permission needed for an action: either the action name, or "generic" for actions that can use generic permissions. These roles will use some utility roles under project:releng, such as project:releng:action:level-3:relpromo:<proj>.

Note that there's probably no reason to define role ...:action:generic explicitly, as it should have no more scopes than ...:*.
---

Hooks run with a `hook-id` role, so we'll define some roles as follows:

hook-id:project-releng/gecko-action-1-generic:
  assume:hg.mozilla.org:<repo>:action:generic for all level-1 <repo>
hook-id:project-releng/gecko-action-1-purge-cache:
  assume:hg.mozilla.org:<repo>:action:purge-cache for all level-1 <repo>
hook-id:project-releng/gecko-action-2-generic:
  assume:hg.mozilla.org:<repo>:action:generic for all level-2 <repo>
hook-id:project-releng/gecko-action-3-generic:
  assume:hg.mozilla.org:<repo>:action:generic for all level-3 <repo>
hook-id:project-releng/gecko-action-3-relpromo:
  assume:hg.mozilla.org:<repo>:action:relpromo for all level-3 <repo>
etc.
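To make the role arrangement in the two comments above concrete, here is an added example (not code from this bug, taskcluster-admin or the in-tree taskgraph) that models Taskcluster scope matching and role expansion in Python and checks the least-privilege properties the proposal claims: committers hold only trigger-hook scopes, the generic hook inherits the non-scary repo:<repo>:* scopes without an explicit :action:generic role, and only the relpromo hook reaches the release-signing scope. It uses the `project-gecko/in-tree-action-<level>-<actionPerm>` hook naming adopted later in the bug; the repo list and the scope contents of each role are constructed samples, and parameterized roles are omitted.

```python
# Added example: models the proposed role arrangement with Taskcluster-style
# scope matching (a trailing '*' matches any suffix) and role expansion
# (assume:<roleId> grants that role's scopes), then checks least privilege.
# Repo lists and per-role scope contents are constructed samples.

HOOK_GROUP = "project-gecko"  # naming adopted later in the bug
LEVEL_REPOS = {  # constructed sample
    1: ["hg.mozilla.org/try"],
    3: ["hg.mozilla.org/mozilla-central", "hg.mozilla.org/integration/autoland"],
}
# actionPerm: "generic" for ordinary actions, otherwise the action name.
ACTION_PERMS = ["generic", "purge-cache", "cancel-all", "relpromo"]
EVERYONE_ACTIONS = ["generic", "purge-cache", "cancel-all"]


def scope_satisfies(held, required):
    """Exact match, or `held` ends in '*' and is a prefix of `required`."""
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required


def role_matches(pattern, role_id):
    """A role applies to assume:<pattern> if either side's '*' covers the other."""
    return scope_satisfies(pattern, role_id) or scope_satisfies(role_id, pattern)


def expand_scopes(scopes, roles):
    """Expand assume: scopes to a fixed point (parameterized roles omitted)."""
    expanded = set(scopes)
    while True:
        new = set()
        for scope in expanded:
            if scope.startswith("assume:"):
                pattern = scope[len("assume:"):]
                for role_id, role_scopes in roles.items():
                    if role_matches(pattern, role_id):
                        new.update(role_scopes)
        if new <= expanded:
            return expanded
        expanded |= new


def satisfies_all(held, required):
    """True when every required scope is covered by some held scope."""
    return all(any(scope_satisfies(h, r) for h in held) for r in required)


def hook_id(level, perm):
    return f"{HOOK_GROUP}/in-tree-action-{level}-{perm}"


def build_roles():
    """Roles as proposed: repo action roles, hook-id roles, LDAP group roles."""
    roles = {}
    for level, repos in LEVEL_REPOS.items():
        for repo in repos:
            # Non-scary scopes for every job on the repo; any assume:repo:<repo>:...
            # picks these up via the trailing '*', so no :action:generic role is needed.
            roles[f"repo:{repo}:*"] = [
                f"queue:create-task:low:aws-provisioner-v1/gecko-{level}-*",
                f"queue:scheduler-id:gecko-level-{level}",
            ]
            # Per-action roles carry only the scary scopes that action needs.
            roles[f"repo:{repo}:action:purge-cache"] = [f"purge-cache:aws-provisioner-v1/gecko-{level}-*"]
            roles[f"repo:{repo}:action:cancel-all"] = [f"queue:cancel-task:gecko-level-{level}/*"]
            roles[f"repo:{repo}:action:relpromo"] = ["project:releng:signing:cert:release-signing"]
        # Each hook runs with its hook-id role, assuming the action role of every repo at the level.
        for perm in ACTION_PERMS:
            roles[f"hook-id:{hook_id(level, perm)}"] = [f"assume:repo:{repo}:action:{perm}" for repo in repos]
        # Committers at the level hold only trigger-hook scopes, no repo roles.
        roles[f"mozilla-group:active_scm_level_{level}"] = [
            f"hooks:trigger-hook:{hook_id(level, perm)}" for perm in EVERYONE_ACTIONS]
    roles["mozilla-group:releng"] = [f"hooks:trigger-hook:{hook_id(level, 'relpromo')}" for level in LEVEL_REPOS]
    return roles


def check_proposal(roles=None):
    """Evaluate the access properties the proposal is meant to give at level 3."""
    roles = roles if roles is not None else build_roles()
    committer = expand_scopes(["assume:mozilla-group:active_scm_level_3"], roles)
    releng = expand_scopes(["assume:mozilla-group:releng"], roles)
    generic_task = expand_scopes([f"assume:hook-id:{hook_id(3, 'generic')}"], roles)
    relpromo_task = expand_scopes([f"assume:hook-id:{hook_id(3, 'relpromo')}"], roles)

    def trigger(perm):
        return [f"hooks:trigger-hook:{hook_id(3, perm)}"]

    create = ["queue:create-task:low:aws-provisioner-v1/gecko-3-b-linux64"]
    sign = ["project:releng:signing:cert:release-signing"]
    return {
        "committer_triggers_generic": satisfies_all(committer, trigger("generic")),
        "committer_triggers_relpromo": satisfies_all(committer, trigger("relpromo")),
        "committer_creates_tasks_directly": satisfies_all(committer, create),
        "releng_triggers_relpromo": satisfies_all(releng, trigger("relpromo")),
        "generic_hook_creates_tasks": satisfies_all(generic_task, create),
        "generic_hook_signs_release": satisfies_all(generic_task, sign),
        "relpromo_hook_creates_and_signs": satisfies_all(relpromo_task, create + sign),
    }
```

Calling `check_proposal()` returns a dict in which only the two committer checks after the first, and the generic hook's signing check, are False.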
I think it probably makes sense for the hooks and scopes to be under something like `project-gecko`, so that thunderbird can use `project-comm` for the equivalent scopes there.
A few open questions (other than "will this work?")

@tomprince: Will this work acceptably with suitable s/gecko/comm/? IIRC that substitution doesn't work everywhere, and IIRC you would like to change gecko -> firefox, too. Perhaps we should do some cleanup along those lines first?

@bstack: I see there is a loaner action already, but Treeherder still implements that with a link to https://tools.taskcluster.net/one-click-loaner/#taskId. Was there a blocker to changing that to use an action?
I don't remember why exactly. It might've just been that we didn't bother to port it. Also might have something to do with windows/linux/osx but that doesn't make much sense to me right now.
I created project "gecko" and I'll use that in place of "releng". By the way, I should have written ":branch:default" instead of ":push" above.
Commits pushed to master at https://github.com/taskcluster/taskcluster-docs

https://github.com/taskcluster/taskcluster-docs/commit/b421e6504d0883897ef0dd70c4a90c262230dc12
Bug 1415868 - refactor actions doc to allow multiple kinds

This moves some of the more verbose schema descriptions out into the manual, leaving the schema quite a bit shorter. It will get longer when a new kind is added!

https://github.com/taskcluster/taskcluster-docs/commit/6c9e7b431a22b1220e632528c1e45931d0fa5ccf
Bug 1415868 - document kind=hook

https://github.com/taskcluster/taskcluster-docs/commit/5e6625c6fe04df027d9a7152d14cc0586314dcf9
Bug 1415868 - add a section on choosing a kind, security concerns

https://github.com/taskcluster/taskcluster-docs/commit/53c748bf64535afcb138ffe9468a9ca1538242e6
Bug 1415868 - refactor docs based on review comments

https://github.com/taskcluster/taskcluster-docs/commit/b4b6d0e9ca39c7f47b7e32ab18ba6c879432544e
Merge pull request #250 from djmitche/bug1415868

Bug 1415868 - docs for actions with kind=hook
I just created hook `project-gecko/in-tree-action-1-generic` to try things out (using tc-admin)
Depends on: 1455697
And that successfully retriggered a task!
https://tools.taskcluster.net/groups/LU9AvBDuR9uDHKACyXOoIQ/tasks/LU9AvBDuR9uDHKACyXOoIQ/runs/0/logs/public%2Flogs%2Flive.log

So the issue here is that the total number of inputs to turn a generic "run an action" hook and an actual task definition is pretty huge:
https://gist.github.com/djmitche/b338559f8e1eae35e3e36a30f00759ed/ea2eb8167223d4e86bd51f27b61bd4e271054051#file-test-payload-yml

that divides into two parts:

1. information that the decision task "bakes in" to actions.json:
   action
   push
   repository
   callback
   parameters

2. information from the UI
   input
   task
   taskId
   taskGroupId
   ownTaskId (bug 1455697)

Currently I'm providing that all as the trigger payload, but part 1 still needs to come from the decision task. The only way I see to do that is to provide it in the schema, including the data as default values. It might even be nice if the schema enforced those values, but that likely requires including all of that data *twice* in the schema. Jonas, as schema expert, what are your thoughts?

The other issue is that the action task definition is currently based on .taskcluster.yml, so generating it in tc-admin is a bit of an awkward fit. The result is a {$let: .., in: <task from .taskcluster.yml>} structure. We can potentially duplicate that, if it's useful. Ideally the action tasks created by a hook should still be verify-able by CoTv2. This redoubles my conviction that all of this runtime configuration (hooks, roles, etc.) should be done in-tree..

Aki, in CoTv2, to validate an action, are you taking the action from actions.json and supplying its inputs? Or going all the way back to .taskcluster.yml and supplying the full set?
Flags: needinfo?(jopsen)
Flags: needinfo?(aki)
It seems I forgot (despite an admonition to the contrary in the docs, that I wrote!) that there are two JSON-e parameterizations here. So I think this doesn't require schema defaults.
The purge-caches implementation trusts the `task` input, pulling the things to purge from there:
https://dxr.mozilla.org/mozilla-central/source/taskcluster/taskgraph/actions/purge_caches.py

    import logging

    # purge_cache wraps the queue's purgeCache call (in-tree utility module).
    from taskgraph.util.taskcluster import purge_cache

    logger = logging.getLogger(__name__)

    def purge_caches_action(parameters, input, task_group_id, task_id, task):
        # `task` is the target task definition exactly as supplied in the action input.
        if task['payload'].get('cache'):
            for cache in task['payload']['cache']:
                purge_cache(task['provisionerId'], task['workerType'], cache, use_proxy=True)
        else:
            logger.info('Task has no caches. Will not clear anything!')

I think this is OK -- purging caches is hardly dangerous -- but for other hooks it might be problematic. The task definition (and parameters) is also quite large, and often unnecessary. Perhaps it would be better to omit it for type=hook actions, and require the action implementations to fetch them if needed? That would probably be best accomplished in a follow-up. What do you think, Jonas?
Would something like how cron hooks work make sense? That is, there is a fairly simple (and standardized) task definition. And then that calls code in-tree to generate an action task based on the in-tree `.taskcluster.yml`?
For the issue in comment 26, no -- we can easily add some utility functions that will fetch a task or the decision task's parameters without requiring execution of a second task. And in general, I want to avoid that, as it will delay an already fairly slow process by requiring another round of task create-claim-start-execute-resolve.
I have a bunch of patches that can land together now, and set things up to use hooks as actions, but do not actually convert the actions. Treeherder still needs to be updated before we can do that. https://github.com/taskcluster/taskcluster-admin/pull/20 -- this has already been applied in production, so hopefully it's OK https://github.com/taskcluster/taskcluster-tools/pull/525 -- this was *way* easier than I expected!
Comment on attachment 8971065 [details] Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes; https://reviewboard.mozilla.org/r/239826/#review245532 ::: .taskcluster.yml:74 (Diff revision 1) > scopes: > $if: 'tasks_for == "hg-push"' > then: > - 'assume:repo:${repoUrl[8:]}:branch:default' > - 'queue:route:notify.email.${ownerEmail}.*' > + - 'in-tree:hook-action:project-gecko/in-tree-action-${repository.level}-*' @tomprince: I suspect we can s/gecko/comm/ in comm's `/.taskcluster.yml`, right?
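Review bot: in the added `in-tree:hook-action:project-gecko/in-tree-action-${repository.level}-*` scope the level is templated from `repository.level` while the hook group `project-gecko` is a literal, so comm's `.taskcluster.yml` needs a manual s/gecko/comm/ as the follow-up question notes; deriving the hook group from the trust domain alongside the level would keep the two files from drifting apart.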
hassan, any chance I could lean on you to make changes equivalent to https://github.com/taskcluster/taskcluster-tools/pull/525 in treeherder? That's based off of https://docs.taskcluster.net/manual/using/actions/spec and https://docs.taskcluster.net/manual/using/actions/ui.
Flags: needinfo?(jopsen) → needinfo?(helfi92)
Yep, I can take care of it.
Flags: needinfo?(helfi92)
Comment on attachment 8971062 [details]
Bug 1415868 - add 'mach taskgraph actions';
https://reviewboard.mozilla.org/r/239820/#review245808

It would be nice if the new command either didn't take, or handled, all the options it can be given (`--json`/`--labels`, `--fast`, `--task-regex`, `--no-optimize`).
Attachment #8971062 - Flags: review?(mozilla) → review+
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;
https://reviewboard.mozilla.org/r/239822/#review245810

::: taskcluster/taskgraph/actions/registry.py:247 (Diff revision 1) > # functions to populate the action registry. > actions_dir = os.path.dirname(__file__) > for f in os.listdir(actions_dir): > if f.endswith('.py') and f not in ('__init__.py', 'registry.py', 'util.py'): > __import__('taskgraph.actions.' + f[:-3]) > - if f.endswith('.yml'): > + # TODO: support loaners through a hook

It seems unlikely that the code for supporting a loaner will go here, so it would be better to turn this into a bug, and not leave a comment here.
Attachment #8971063 - Flags: review?(mozilla) → review+
Comment on attachment 8971064 [details]
Bug 1415868 - add support for defining actions with kind=hook;
https://reviewboard.mozilla.org/r/239824/#review245844

This looks good, but it might need to change to match changes requested in https://github.com/taskcluster/taskcluster-admin/pull/20

::: taskcluster/taskgraph/actions/registry.py:163 (Diff revision 1) > + 'name': name, > + 'title': title, > + 'description': description, > + 'taskGroupId': task_group_id, > + 'repo_scope': repo_scope, > + 'cb_name': cb.__name__,

Given the security concerns, does this even want to be included in hook actions? My feeling is not.

::: taskcluster/taskgraph/actions/registry.py:226 (Diff revision 1) > + 'taskGroupId': {'$eval': 'taskGroupId'}, > + } > }, > - 'in': taskcluster_yml['tasks'][0] > } > + rv['name'] = name

nit: I'd do `rv = {...}` above the conditional, and then `rv.update({...})` inside it.
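Review bot: at registry.py:163, `cb_name` and `repo_scope` in the hook payload let whoever triggers the hook choose which in-tree callback runs and which repo scope it claims; for any hook that carries more scopes than the generic one, both values belong in the hook's task template, fixed regardless of what the payload says, and only the generic hook should take them from the payload. Tightening the triggerSchema for those keys would make the boundary explicit.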
Attachment #8971064 - Flags: review?(mozilla) → review+
Comment on attachment 8971064 [details] Bug 1415868 - add support for defining actions with kind=hook; https://reviewboard.mozilla.org/r/239824/#review245844 > Given the security concerns, does this even want to be included in hook actions? My feeling is not. For generic actions (actionPerm='generic') it does need to be here. For the non-generic, its value has to be "forced" whether it's present in the payload or not. > nit: I'd do `rv = {...}` above the conditional, and then `rv.update({...})` inside it. I like that..
Blocks: 1271677
Attachment #8971062 - Flags: review?(jopsen) → review+
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;
https://reviewboard.mozilla.org/r/239822/#review246634

::: commit-message-d59da:9 (Diff revision 2) > +so this mode of action definition will not be possible. This is not currently > +used from Treeherder (it links to > +https://tools.taskcluster.net/tasks/<taskid>/interactive instead) > + > +This drops support for the JSON-e-only interactive action; that action is not > +currently used from treeherder, so that should have no impact for users.

It is present in treeherder, you just have to dig into the actions menu... that's well hidden. I'll agree it probably won't affect users. But the plan was for TH to remove the link to: `tools.taskcluster.net/tasks/<taskid>/interactive` and exclusively use this. This will move that one step backwards. And it won't provide an alternative action. I could be wrong, and I'm not sure we should block on this. Just that at least we should be aware.
Think of it as avoiding having to re-implement something because the old version wasn't already in production. It will eventually be implemented with a hook-based in-tree action.
Attachment #8971063 - Flags: review?(jopsen)
Attachment #8972298 - Flags: review?(mozilla)
Attachment #8972298 - Flags: review?(jopsen)
OK, new round of reviews is up. Here are my notes from previous reviews and our conversation last week:

* [DONE] add detail to hooks' triggerSchema to indicate specific keys in action, push, and repository
* [DONE] don't include repo_scope in the hookPayload (and don't generate it in the in-tree code)
* [DONE] Rework these overrides to be a little clearer that we either take the given value, or force it, and why (with some comments).
* [DONE] Merge action.foo properties individually, rather than dict merge
* [ALREADY THE CASE] Advise to keep data provided to hooks.triggerHook as small as possible - that's the trust boundary, so probably not the task
* [DONE] Just drop the `task` field in the spec
* [DONE] docs/spec: ownTaskId not included for hooks
* [DONE] use taskId from hooks service
* [DONE] Pull tc.yml from comm-central for comm-central trustdomain
Comment on attachment 8971065 [details] Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes; https://reviewboard.mozilla.org/r/239826/#review246716
Attachment #8971065 - Flags: review?(mozilla) → review+
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK
https://reviewboard.mozilla.org/r/240960/#review246724

::: .taskcluster.yml:112 (Diff revision 1) > - $if: 'tasks_for == "action"' > then: > ACTION_TASK_GROUP_ID: '${ownTaskId}' > ACTION_TASK_ID: {$json: {$eval: 'taskId'}} > + # note that this is always NULL for actions with kind=hook > ACTION_TASK: {$json: {$eval: 'task'}}

Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`. We can move that into just the actions that need that later.
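Review bot: rendering `ACTION_TASK` as `null` for kind=hook (the new comment at .taskcluster.yml:112) leaves a variable that existing callbacks still read; purge_caches_action, quoted earlier in this bug, indexes `task['payload']` and would raise on a None task. Dropping the variable and having `trigger_action_callback` fetch the definition when a callback needs it, as suggested, avoids a silent null reaching callbacks.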
> Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.

Just to be clear you're suggesting fetching the task with `queue.task(..)`?
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #65)
> > Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.
>
> Just to be clear you're suggesting fetching the task with `queue.task(..)`?

Presumably `taskgraph.util.taskcluster.get_task_definition`. So, yes?
Commits pushed to master at https://github.com/taskcluster/taskcluster-docs

https://github.com/taskcluster/taskcluster-docs/commit/b9b9233b09e27cc5606f628e640c6550ae6f25f7
Bug 1415868 - ownTaskId and task are not provided for kind=hook (with some minor formatting fixes)

https://github.com/taskcluster/taskcluster-docs/commit/cd8f6317eb3edb06a33ca3db24fe0b6532981e9b
Merge pull request #255 from djmitche/bug1415868-b

Bug 1415868 - ownTaskId and task are not provided for kind=hook
Attachment #8971063 - Flags: review+
Comment on attachment 8971064 [details] Bug 1415868 - add support for defining actions with kind=hook; https://reviewboard.mozilla.org/r/239824/#review246780
Attachment #8971064 - Flags: review?(jopsen) → review+
Comment on attachment 8971065 [details] Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes; https://reviewboard.mozilla.org/r/239826/#review246782
Attachment #8971065 - Flags: review?(jopsen) → review+
Comment on attachment 8972298 [details] Bug 1415868 - remove ACTION_TASK https://reviewboard.mozilla.org/r/240960/#review246788 ::: .taskcluster.yml:112 (Diff revision 1) > - $if: 'tasks_for == "action"' > then: > ACTION_TASK_GROUP_ID: '${ownTaskId}' > ACTION_TASK_ID: {$json: {$eval: 'taskId'}} > + # note that this is always NULL for actions with kind=hook > ACTION_TASK: {$json: {$eval: 'task'}} What tomprince said :)
Attachment #8972298 - Flags: review?(jopsen) → review+
I've tested both kind=hook and kind=task actions on the above try push. The hooks in place are based on .taskcluster.yml from that try push. Everything seems to work.

Next steps:
- r+ on the last patch
- land this (but not the DO NOT LAND patch)
- sort out how to verify this with CoTv2 (note that just landing the attached patches won't result in any kind=hook actions being run, so this can wait)
- uplift graph-config stuff (tomprince)
- uplift this as far as possible (hopefully to esr52)
- start porting actions to use kind=hook
Attachment #8972298 - Flags: review?(mozilla) → review+
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #72)
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=d7665b9f894a550d83cfa1bc9ce01fedd11950c6

`verify_cot --task-type action --cleanup -- RUSih0YTT1uhfyKyiuNmXA` passes cotv2.
Aki and I chatted. At the moment, we're not sure how that verify worked, but Aki is looking into it. My understanding of the way we'd like CoT verification to work is that CoT determines the inputs to .taskcluster.yml that would have generated this action, renders with JSON-e, and compares the result. That necessitates having .taskcluster.yml and the hook object's task template match (the template surrounds the .taskcluster.yml content with a {$let: .., in: ..} but otherwise includes it verbatim). To accomplish that, Aki suggested hashing `.taskcluster.yml` and including the hash (or a prefix of it) in the hookId. Then the challenge is just to run the script to create hooks before they're needed. We could accomplish that with a task that runs on push that verifies the hook exists and, if not, suggests running the script. The script will need elevated privs, so we would rather not have it run automatically!
Ah, looks like I missed this line in the logs:

2018-05-03T11:27:54 WARNING - DEPRECATED_DECISION_TASK RUSih0YTT1uhfyKyiuNmXA while verifying task RUSih0YTT1uhfyKyiuNmXA

which means it failed back to cotv1. I need to add support for .taskcluster.yml usage for actions as well. Is there going to be some flag I can look for to toggle this behavior? No matter how tightly we couple the landing + rollout of a new scriptworker, I imagine there will be some old behavior somewhere.
Attempts at getting `verify_cot --task-type action --min-cot-version 2 --cleanup RUSih0YTT1uhfyKyiuNmXA` are here [1], not yet successful. Ideally we get both current and new-style actions passing. [1] https://github.com/escapewindow/scriptworker/commits/action-hook-cot
Depends on: cotv3
Comment on attachment 8972298 [details] Bug 1415868 - remove ACTION_TASK https://reviewboard.mozilla.org/r/240960/#review248340 ::: taskcluster/mach_commands.py (Diff revision 2) > root = options['root'] > > return taskgraph.actions.trigger_action_callback( > task_group_id=task_group_id, > task_id=task_id, > - task=task, I think this will break cot verification of action tasks until bug 1459705 is fixed.
Comment on attachment 8972298 [details] Bug 1415868 - remove ACTION_TASK https://reviewboard.mozilla.org/r/240960/#review248340 > I think this will break cot verification of action tasks until bug 1459705 is fixed. It shouldn't -- this is about what options are passed to the Python callback, and is entirely within the action task. Other parts of the patch omit ACTION_TASK from .taskcluster.yml, which will have the effect of omitting them from actions.json. But CoTv2 is verifying action tasks against actions.json, so that will still match. Have I missed something?
Comment on attachment 8972298 [details] Bug 1415868 - remove ACTION_TASK https://reviewboard.mozilla.org/r/240960/#review248340 > It shouldn't -- this is about what options are passed to the Python callback, and is entirely within the action task. Other parts of the patch omit ACTION_TASK from .taskcluster.yml, which will have the effect of omitting them from actions.json. But CoTv2 is verifying action tasks against actions.json, so that will still match. Have I missed something? If actions.json is unchanged, then I think we're good. If we remove the task json from actions.json as we did in the try push, then cot will break.
Well, actions.json is changed, but still contains a task definition. It was only the retrigger action, and only on that try push, that had kind=hook. That's in the "DO NOT MERGE" revision :)
Cool, good to hear. I'll try to get the hook cot verification in soon.
Commit pushed to master at https://github.com/mozilla/treeherder

https://github.com/mozilla/treeherder/commit/85766e2787ec6420b49f986a37f6039067262093
Bug 1415868 - Use hooks for actions (#3502)

* Add hooks for actions

* Remove task from context for kind == hook

Also display hookGroupId/hookId for kind=hook in the modal.

* Move taskcluster-lib-scopes to the vendor chunk
(In reply to Aki Sasaki [:aki] from comment #84)
> Cool, good to hear. I'll try to get the hook cot verification in soon.

Status: https://bugzilla.mozilla.org/show_bug.cgi?id=1459705#c2

Could we address the `repo_scope` pre-population and kind=hook taskGroupId bustage? Once we have those fixed, I can remove those hardcoded hacks from cotv3.
I'm going to try to get this landed on Monday, without the DO NOT MERGE part. Today seems risky :)
OK, https://tools.taskcluster.net/tasks/NdzxKw8bS5Sw5DRhoiM14w is the result of a retrigger on the try push with the latest patch applied (and having run tcadmin to update the hook defs)

The hook payload (copying from the 'Params' tab in devtools kinda stinks..):

decision
  action
    cb_name: retrigger_action
    description: Create a clone of the task.
    name: retrigger
    symbol: rt
    taskGroupId: c5nn2xbNS9mJxeVC0uNElg
    title: Retrigger
  parameters
    app_version: 62.0a1
    base_repository: https://hg.mozilla.org/mozilla-unified
    build_date: 1526682222
    build_number: 1
    do_not_optimize: {}
    existing_tasks: {}
    filters
      0: check_servo
      1: target_tasks_method
    head_ref: f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
    head_repository: https://hg.mozilla.org/try
    head_rev: f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
    include_nightly: true
    level: 1
    message:
    moz_build_date: 20180518222342
    next_version: null
    optimize_target_tasks: false
    owner: dmitchell@mozilla.com
    project: try
    pushdate: 1526682222
    pushlog_id: 272718
    release_enable_emefree: false
    release_enable_partners: false
    release_eta:
    release_history: {}
    release_partner_build_number: 1
    release_partner_config: {}
    release_partners: {}
    release_product: null
    release_type:
    target_tasks_method: try_tasks
    try_mode: try_task_config
    try_options: null
    try_task_config
      tasks: {…}
    version: 62.0a1
  push
    owner: mozilla-taskcluster-maintenance@mozilla.com
    pushlog_id: 272718
    revision: f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
  repository
    level: 1
    project: try
    url: https://hg.mozilla.org/try
user
  input
    downstream: false
    times: 1
  taskGroupId: c5nn2xbNS9mJxeVC0uNElg
  taskId: H1mVqFQbS3Sqwo5tWMLtYw

but more importantly, in the resulting task:

  "ACTION_TASK_GROUP_ID": "c5nn2xbNS9mJxeVC0uNElg",

So that seems to be fixed. I remain cautiously optimistic that this has been breaking the cancel_all action for a long time.
Comment on attachment 8977124 [details] Bug 1415868 - change ACTION_TASK_GROUP_ID to be the taskGroupId of the target task; https://reviewboard.mozilla.org/r/245208/#review251206 Thanks!
Attachment #8977124 - Flags: review?(aki) → review+
Attachment #8971066 - Attachment is obsolete: true
Pushed by dmitchell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7637618d3bd2
add 'mach taskgraph actions'; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/2c95df49455b
Remove support for register_action_task; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/a891a10ca4d9
add support for defining actions with kind=hook; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/4cbd35f87289
include in-tree:hook-action:..{level}-* in decision task scopes; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/e2931d904975
remove ACTION_TASK r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/d4643b526038
change ACTION_TASK_GROUP_ID to be the taskGroupId of the target task; r=aki
Assuming that sticks, next steps are:
- finish CoT work
- add hash to hookIds
- convert all actions to hooks
- convert anything treeherder is still doing "manually" to a hook
- convert anything tools is still doing "manually" to a hook
- remove scopes from active_scm_level_L roles
Keywords: leave-open
Sorry for catching this late - you've changed ACTION_TASK_GROUP_ID to c5nn2xbNS9mJxeVC0uNElg, but the taskGroupId of the task hasn't changed to c5nn2xbNS9mJxeVC0uNElg; it's NdzxKw8bS5Sw5DRhoiM14w, which is the action task's taskId. Can we fix that?
Depends on: 1463522
- [DONE (aki)] finish CoT work
- [DONE] add hash to hookIds
- convert all actions to hooks
- convert anything treeherder is still doing "manually" to a hook
- convert anything tools is still doing "manually" to a hook
- remove scopes from active_scm_level_L roles
Depends on: 1465945
Depends on: 1465970
This makes it consistent with everywhere else in `.taskcluster.yml` where we refer to the action task group.
Attachment #8986246 - Attachment is obsolete: true
Comment on attachment 8986661 [details] Bug 1415868 - fix test-action-callback after rev e2931d904975, https://reviewboard.mozilla.org/r/251968/#review258554
Attachment #8986661 - Flags: review?(dustin) → review+
Pushed by nthomas@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cea130a07d08
fix test-action-callback after rev e2931d904975, r=dustin
Depends on: 1470621
Depends on: 1470622
Depends on: 1470623
Depends on: 1470625
Blocks: 1470625
No longer depends on: 1470625
Depends on: 1398277
This is still waiting on a production deploy of treeherder. Hopefully soon!!!
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #113)
> This is still waiting on a production deploy of treeherder. Hopefully
> soon!!!

Is that deployment tracked in a bug?
I'm not going to lie, I'm pretty confused about this bug. I *think* all of the code is landed, and all that remains is to start turning on `kind="hook"` for actions. Once that sticks, this is basically done and I can start working on reducing user scopes.
Depends on: 1485680
Ah, that is landed in bug 1470621 and happily has spread quite widely already. All that remains is relpromo (bug 1485680) and that's not a hard blocker on progress here.
Depends on: 1488766
Let's leave the relpromo work to its own bug, and close this -- we're substantially using hooks now and all that remains is clean-up.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Component: Hooks → Services
Blocks: 1529948
Blocks: 1618940