Bug 1415868: Use hooks for actions
Status: RESOLVED FIXED (opened 7 years ago, closed 6 years ago)
Categories: Taskcluster :: Services, enhancement
Tracking: Not tracked
People: Reporter: garndt, Assigned: dustin
References: Blocks 2 open bugs
Attachments (9 files, 2 obsolete files)
1. (deleted), text/plain
2. (deleted), text/x-review-board-request | jonasfj: review+, tomprince: review+
3. (deleted), text/x-review-board-request | tomprince: review+, jonasfj: review+
4. (deleted), text/x-review-board-request | jonasfj: review+, tomprince: review+
5. (deleted), text/x-review-board-request | jonasfj: review+, tomprince: review+
6. (deleted), text/x-github-pull-request
7. (deleted), text/x-review-board-request | jonasfj: review+, tomprince: review+
8. (deleted), text/x-review-board-request | mozilla: review+
9. (deleted), text/x-review-board-request | dustin: review+
Currently, to perform any in-tree defined action from treeherder, the user must possess the scopes necessary to execute a decision task on that branch, which is often tied to one of the LDAP scm level groups.
Once parameterized hooks are implemented, it should be possible to wrap actions by a hook and call it with a few well-defined parameters that can be validated and sanitized, allowing users to trigger the action but not directly modify the tasks that would run nor need more privileged scopes.
Comment 1 • 7 years ago (Assignee)
This allows us to assign arbitrary scopes to an action. The hooks-related pieces of this are in place, so I need to figure out the rest and parcel out the work.
Summary: Consider using hooks for some actions on level 3 repos → Use hooks for actions
Updated • 7 years ago (Assignee)
Assignee: nobody → dustin
Comment 2 • 7 years ago (Assignee)
The question I'm working on is, how many hooks should we create?
The maximum would be one hook per action, per project. Or one hook per action, per level. In either of these cases, creating a new action requires creating a new hook, which erodes the self-serve nature of actions. We like self-serve.
At the other end, we could just make one hook per level. But that gets us no benefit in terms of limiting access (everyone would have scopes to run those hooks, thus to run any action) and doesn't allow any schema-based limitations of action context.
I think the middle ground is this:
- define a generic hook for each level with limited scopes and minimal schema restrictions on its context, but which anyone with commit access to that level can trigger. This is basically the same as our current actions, but with more limited scopes.
- for specific actions that require additional privileges, create specific hooks. These will have names generated in-tree (e.g., containing project name, level, action name, etc.) and some combination of
  - more-restrictive trigger schemas
  - more scopes granted to the hook
  - fewer people having the hooks:trigger-hook:<hook-name> scope
For example, to enable loaners at high priority, we might define a per-level hook with elevated scopes and a restricted trigger schema, but that is still available to everyone at the appropriate level.
Release promotion would have lots of extra scopes, but a very restrictive trigger schema and only be available to a small group of people.
---
OK, so that's pretty flexible, but now how do I manage the complexity? In the near term, I think I'll do this with some taskcluster-admin scripts and some hacky command in-tree to export the list of expected hooks. In the longer term, I think this is a great use-case for bug 1381870.
Comment 3 • 7 years ago (Assignee)
Brian, I'm curious if you see something I've missed here, or if I'm over-complicating this..
Flags: needinfo?(bstack)
Comment 4 • 7 years ago
I'm sorta wondering if we need the generic hook for each level at all? Couldn't those be normal actions? Otherwise this seems reasonable.
Flags: needinfo?(bstack)
Comment 5 • 7 years ago (Assignee)
I think even the "generic" level of scopes (queue:create-task:blahblah, etc.) is something we want to remove from users' day-to-day credentials. But the consequent lack of schema validation does concern me.
Comment 6 • 7 years ago (Assignee)
Per some discussion today, I'm going to find some way to list frequently used action tasks and the scopes they require. Then I'll use that to propose what scopes should be included in "generic" actions, and what should require action-specific hooks.
Comment 7 • 7 years ago (Assignee)
The 3482 successful action tasks I can find in the index..
Comment 8 • 7 years ago (Assignee)
And, here are the scopes used, per level:
*** level 1:
assume:repo:hg.mozilla.org/try:*
assume:repo:hg.mozilla.org/try:branch:default
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
*** level 2:
*** level 3:
assume:repo:hg.mozilla.org/integration/autoland:*
assume:repo:hg.mozilla.org/integration/autoland:branch:default
assume:repo:hg.mozilla.org/integration/mozilla-inbound:*
assume:repo:hg.mozilla.org/integration/mozilla-inbound:branch:default
assume:repo:hg.mozilla.org/mozilla-central:*
assume:repo:hg.mozilla.org/mozilla-central:branch:default
assume:repo:hg.mozilla.org/releases/mozilla-beta:*
assume:repo:hg.mozilla.org/releases/mozilla-beta:branch:default
assume:repo:hg.mozilla.org/releases/mozilla-release:*
assume:repo:hg.mozilla.org/releases/mozilla-release:branch:default
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:route:index.gecko.v2.autoland.pushlog-id.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.pushlog-id.*
queue:route:index.gecko.v2.mozilla-inbound.pushlog-id.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
Of course, that doesn't really help -- those assume:repo:.. roles are precisely the roles that are too broad. So I'll need to break that down by looking at the tasks those action tasks created.
Comment 9 • 7 years ago (Assignee)
OK, a better analysis. This includes scopes for all tasks created by the action, as well as the action's own scopes.
*** action run_missing_tests at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:signing:cert:dep-signing
project:releng:signing:format:sha2signcode
project:releng:signing:format:widevine
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action backfill_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:signing:cert:nightly-signing
project:releng:signing:format:sha2signcode
project:releng:signing:format:widevine
queue:create-task:high:releng-hardware/gecko-t-osx-1010
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action add_new_jobs_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-imagebuilder-*
docker-worker:cache:level-1-tooltool-*
docker-worker:cache:level-1-try-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-android
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux-large
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux-xlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-xlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-xxlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-images
queue:create-task:very-low:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-linux-talos
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.cache.level-1.docker-images.*
queue:route:index.gecko.cache.level-1.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-docs-upload
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action retrigger_action_in_new_group at level 1:
docker-worker:cache:level-1-checkouts-*
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action add_new_jobs_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-imagebuilder-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-3-images
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-3-images
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.docker-images.*
queue:route:index.gecko.cache.level-3.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action cancel_all_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
*** action release_promotion_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-tooltool-*
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.try.*
project:releng:balrog:channel:aurora
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:esr
project:releng:balrog:channel:esr-cdntest
project:releng:balrog:channel:esr-localtest
project:releng:balrog:channel:nightly
project:releng:balrog:channel:nightly-old-id
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:dep
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:bucket:dep
project:releng:buildbot-bridge:builder-name:release-try*
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-android
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:scriptworker-prov-v1/balrog-dev
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-dev
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.*
queue:route:index.releases.v1.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-1/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action purge_caches_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
*** action release_promotion_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-beta-*
docker-worker:cache:level-3-mozilla-release-*
docker-worker:cache:level-3-tooltool-*
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.mozilla-beta.*
index:insert-task:gecko.v2.mozilla-release.*
project:releng:balrog:action:schedule
project:releng:balrog:action:submit-locale
project:releng:balrog:action:submit-toplevel
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:beta
project:releng:balrog:server:release
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:action:push-to-releases
project:releng:beetmover:bucket:release
project:releng:bouncer:action:aliases
project:releng:bouncer:action:submission
project:releng:bouncer:server:production
project:releng:buildbot-bridge:builder-name:release-mozilla-beta*
project:releng:buildbot-bridge:builder-name:release-mozilla-release*
project:releng:googleplay:beta
project:releng:googleplay:release
project:releng:ship-it:production
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:cert:release-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
project:releng:treescript:action:push
project:releng:treescript:action:tagging
project:releng:treescript:action:version_bump
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:aws-provisioner-v1/gecko-t-*
queue:create-task:high:buildbot-bridge/buildbot-bridge
queue:create-task:high:null-provisioner/human-breakpoint
queue:create-task:high:scriptworker-prov-v1/balrogworker-v1
queue:create-task:high:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:high:scriptworker-prov-v1/bouncer-v1
queue:create-task:high:scriptworker-prov-v1/depsigning
queue:create-task:high:scriptworker-prov-v1/dummy-worker-transpar
queue:create-task:high:scriptworker-prov-v1/pushapk-v1
queue:create-task:high:scriptworker-prov-v1/shipit-v1
queue:create-task:high:scriptworker-prov-v1/signing-linux-v1
queue:create-task:high:scriptworker-prov-v1/treescript-v1
queue:create-task:highest:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:highest:aws-provisioner-v1/gecko-t-*
queue:create-task:highest:buildbot-bridge/buildbot-bridge
queue:create-task:highest:null-provisioner/human-breakpoint
queue:create-task:highest:scriptworker-prov-v1/balrogworker-v1
queue:create-task:highest:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:highest:scriptworker-prov-v1/pushapk-v1
queue:create-task:highest:scriptworker-prov-v1/signing-linux-v1
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.*
queue:route:index.releases.v1.*
queue:route:notify.email.release-automation-notifications@mozilla.com.on-exception
queue:route:notify.email.release-automation-notifications@mozilla.com.on-failed
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/datadog-api-key
secrets:get:project/releng/gecko/build/level-3/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/releng/snapcraft/firefox/candidate
secrets:get:project/releng/snapcraft/firefox/edge
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action retrigger_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-imagebuilder-*
docker-worker:cache:level-1-tooltool-*
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-1-images
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:route:index.gecko.cache.level-1.docker-images.*
queue:route:index.gecko.cache.level-1.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action mochitest_retrigger_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
*** action add_all_talos at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action run_missing_tests at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
*** action retrigger_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-imagebuilder-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:format:gpg
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-3-images
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:medium:scriptworker-prov-v1/depsigning
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.docker-images.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint
*** action add_all_talos at level 1:
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-tooltool-*
docker-worker:cache:level-1-try-*
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/taskcluster/gecko/hgfingerprint
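The split between generic and action-specific hooks that comments 6 through 9 work toward can be checked mechanically. The following is an added example, not part of the original bug thread or of Taskcluster's own code: the scope sets are an abridged subset of the level 3 lists in comment 9, the two widened patterns are the wildcard forms that appear in comment 10's generic-3 list, and all function names are illustrative.

```python
# Added example: scope arithmetic for deciding which actions can share a
# generic hook and which need a dedicated one. Not code from the bug.

def satisfies(granted, required):
    """True if one granted scope covers one required scope.

    Taskcluster rule: exact match, or the granted scope ends in '*' and the
    required scope starts with everything before that '*'.
    """
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def normalize(scopes):
    """Drop scopes that another scope in the same set already covers."""
    scopes = set(scopes)
    return sorted(
        s for s in scopes
        if not any(o != s and satisfies(o, s) for o in scopes)
    )


def unmet(granted, required):
    """Required scopes that nothing in `granted` covers."""
    return sorted(r for r in required
                  if not any(satisfies(g, r) for g in granted))


def unused(granted, required):
    """Granted scopes that cover none of the required scopes (over-grant).

    This only flags scopes that are wholly unnecessary; a wildcard that is
    wider than needed but covers one required scope is not reported.
    """
    return sorted(g for g in granted
                  if not any(satisfies(g, r) for r in required))


def generic_hook_scopes(actions, generic, widen=()):
    """Normalized union of the scopes of the actions sharing one hook."""
    union = set(widen)
    for name in generic:
        union |= actions[name]
    return normalize(union)


# Abridged from the level 3 per-action lists in comment 9 (a subset chosen
# for illustration, not the full analysis).
ACTIONS = {
    "add_all_talos": {
        "docker-worker:cache:level-3-checkouts-*",
        "docker-worker:cache:level-3-mozilla-inbound-*",
        "queue:create-task:low:aws-provisioner-v1/gecko-3-b-*",
        "queue:create-task:low:aws-provisioner-v1/gecko-t-*",
        "queue:route:index.gecko.v2.*",
        "queue:route:tc-treeherder.v2.mozilla-inbound.*",
        "queue:scheduler-id:gecko-level-3",
    },
    "retrigger_action": {
        "docker-worker:cache:level-3-checkouts-*",
        "docker-worker:cache:level-3-autoland-*",
        "project:releng:signing:cert:dep-signing",
        "queue:create-task:low:aws-provisioner-v1/gecko-3-b-*",
        "queue:create-task:low:aws-provisioner-v1/gecko-3-images",
        "queue:create-task:low:aws-provisioner-v1/gecko-t-*",
        "queue:route:index.gecko.v2.*",
        "queue:scheduler-id:gecko-level-3",
    },
    "release_promotion_action": {
        "docker-worker:cache:level-3-checkouts-*",
        "project:releng:signing:cert:dep-signing",
        "project:releng:signing:cert:release-signing",
        "project:releng:beetmover:action:push-to-releases",
        "project:releng:ship-it:production",
        "queue:create-task:highest:scriptworker-prov-v1/signing-linux-v1",
        "queue:route:index.gecko.v2.*",
        "queue:scheduler-id:gecko-level-3",
    },
}

# Wildcard forms taken from the generic-3 list in comment 10.
WIDEN = {
    "docker-worker:cache:level-3-*",
    "queue:create-task:low:aws-provisioner-v1/gecko-3-*",
}

GENERIC = generic_hook_scopes(
    ACTIONS, ["add_all_talos", "retrigger_action"], WIDEN)

if __name__ == "__main__":
    print("generic hook grants:")
    for s in GENERIC:
        print("  ", s)
    print("release_promotion_action needs beyond generic:")
    for s in unmet(GENERIC, ACTIONS["release_promotion_action"]):
        print("  ", s)
    print("add_all_talos is over-granted via generic:")
    for s in unused(GENERIC, ACTIONS["add_all_talos"]):
        print("  ", s)
```

The `unmet` output is the privilege that justifies a dedicated hook; the `unused` output is the cost of sharing a hook, since every action run through it inherits scopes it never needs.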
Comment 10 • 7 years ago (Assignee)
OK, I've taken a stab at dividing the actions: cancel_all_action, purge_cache_action, and release_promotion_action have their own hooks, while everything else is considered generic. Below is what the required scopes look like, per level.
*** generic-1
*** triggerSchema allows anything
*** active_scm_level_1 has hooks:trigger-hook:project-releng/gecko-action-generic-1
*** hook-id:project-releng/gecko-action-generic-1 has
assume:project:taskcluster:gecko:level-1-sccache-buckets
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:feature:chainOfTrust
docker-worker:feature:dind
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
purge-cache:aws-provisioner-v1/*
queue:cancel-task:gecko-level-1/*
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-*
queue:create-task:very-low:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-linux-talos
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.cache.level-1.*
queue:route:index.gecko.v2.try.latest.*
queue:route:index.gecko.v2.try.nightly.*
queue:route:index.gecko.v2.try.pushdate.*
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:index.gecko.v2.try.revision.*
queue:route:index.gecko.v2.try.signed-nightly.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-docs-upload
secrets:get:project/taskcluster/gecko/hgfingerprint
*** generic-3
*** triggerSchema allows anything
*** active_scm_level_3 has hooks:trigger-hook:project-releng/gecko-action-generic-3
*** hook-id:project-releng/gecko-action-generic-3 has
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:feature:chainOfTrust
docker-worker:feature:dind
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:format:gpg
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
purge-cache:aws-provisioner-v1/*
queue:cancel-task:gecko-level-3/*
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:releng-hardware/gecko-t-osx-1010
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:low:aws-provisioner-v1/gecko-3-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:medium:aws-provisioner-v1/gecko-3-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:medium:scriptworker-prov-v1/depsigning
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.*
queue:route:index.gecko.v2.autoland.latest.*
queue:route:index.gecko.v2.autoland.nightly.*
queue:route:index.gecko.v2.autoland.pushdate.*
queue:route:index.gecko.v2.autoland.pushlog-id.*
queue:route:index.gecko.v2.autoland.revision.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.latest.*
queue:route:index.gecko.v2.mozilla-central.nightly.*
queue:route:index.gecko.v2.mozilla-central.pushdate.*
queue:route:index.gecko.v2.mozilla-central.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.revision.*
queue:route:index.gecko.v2.mozilla-central.signed-nightly.*
queue:route:index.gecko.v2.mozilla-inbound.latest.*
queue:route:index.gecko.v2.mozilla-inbound.nightly.*
queue:route:index.gecko.v2.mozilla-inbound.pushdate.*
queue:route:index.gecko.v2.mozilla-inbound.pushlog-id.*
queue:route:index.gecko.v2.mozilla-inbound.revision.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:index.gecko.v2.trunk.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint
*** release_promotion_action-1
*** triggerSchema allows only limited inputs
*** specific LDAP groups have hooks:trigger-hook:project-releng/gecko-action-release-promotion-1
(?? not sure what this means at level 1)
*** hook-id:project-releng/gecko-action-release-promotion-1 has
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-*
docker-worker:feature:chainOfTrust
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.try.*
project:releng:balrog:channel:aurora
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:esr
project:releng:balrog:channel:esr-cdntest
project:releng:balrog:channel:esr-localtest
project:releng:balrog:channel:nightly
project:releng:balrog:channel:nightly-old-id
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:dep
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:bucket:dep
project:releng:buildbot-bridge:builder-name:release-try*
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-*
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:scriptworker-prov-v1/balrog-dev
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-dev
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.try.latest.*
queue:route:index.gecko.v2.try.nightly.*
queue:route:index.gecko.v2.try.pushdate.*
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:index.gecko.v2.try.revision.*
queue:route:index.gecko.v2.try.signed-nightly.*
queue:route:index.releases.v1.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-1/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint
*** release_promotion_action-3
*** triggerSchema allows only limited inputs
*** specific LDAP groups have hooks:trigger-hook:project-releng/gecko-action-release-promotion-3
*** hook-id:project-releng/gecko-action-release-promotion-3 has
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-beta-*
docker-worker:cache:level-3-mozilla-release-*
docker-worker:cache:level-3-tooltool-*
docker-worker:feature:chainOfTrust
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.mozilla-beta.*
index:insert-task:gecko.v2.mozilla-release.*
project:releng:balrog:action:schedule
project:releng:balrog:action:submit-locale
project:releng:balrog:action:submit-toplevel
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:beta
project:releng:balrog:server:release
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:action:push-to-releases
project:releng:beetmover:bucket:release
project:releng:bouncer:action:aliases
project:releng:bouncer:action:submission
project:releng:bouncer:server:production
project:releng:buildbot-bridge:builder-name:release-mozilla-beta*
project:releng:buildbot-bridge:builder-name:release-mozilla-release*
project:releng:googleplay:beta
project:releng:googleplay:release
project:releng:ship-it:production
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:cert:release-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
project:releng:treescript:action:push
project:releng:treescript:action:tagging
project:releng:treescript:action:version_bump
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:aws-provisioner-v1/gecko-t-*
queue:create-task:high:buildbot-bridge/buildbot-bridge
queue:create-task:high:null-provisioner/human-breakpoint
queue:create-task:high:scriptworker-prov-v1/balrogworker-v1
queue:create-task:high:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:high:scriptworker-prov-v1/bouncer-v1
queue:create-task:high:scriptworker-prov-v1/depsigning
queue:create-task:high:scriptworker-prov-v1/dummy-worker-transpar
queue:create-task:high:scriptworker-prov-v1/pushapk-v1
queue:create-task:high:scriptworker-prov-v1/shipit-v1
queue:create-task:high:scriptworker-prov-v1/signing-linux-v1
queue:create-task:high:scriptworker-prov-v1/treescript-v1
queue:create-task:highest:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:highest:aws-provisioner-v1/gecko-t-*
queue:create-task:highest:buildbot-bridge/buildbot-bridge
queue:create-task:highest:null-provisioner/human-breakpoint
queue:create-task:highest:scriptworker-prov-v1/balrogworker-v1
queue:create-task:highest:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:highest:scriptworker-prov-v1/pushapk-v1
queue:create-task:highest:scriptworker-prov-v1/signing-linux-v1
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.mozilla-beta.latest.*
queue:route:index.gecko.v2.mozilla-beta.nightly.*
queue:route:index.gecko.v2.mozilla-beta.pushdate.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-beta.revision.*
queue:route:index.gecko.v2.mozilla-beta.signed-nightly.*
queue:route:index.gecko.v2.mozilla-release.latest.*
queue:route:index.gecko.v2.mozilla-release.nightly.*
queue:route:index.gecko.v2.mozilla-release.pushdate.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:index.gecko.v2.mozilla-release.revision.*
queue:route:index.gecko.v2.mozilla-release.signed-nightly.*
queue:route:index.releases.v1.*
queue:route:notify.email.release-automation-notifications@mozilla.com.on-exception
queue:route:notify.email.release-automation-notifications@mozilla.com.on-failed
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/datadog-api-key
secrets:get:project/releng/gecko/build/level-3/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/releng/snapcraft/firefox/candidate
secrets:get:project/releng/snapcraft/firefox/edge
secrets:get:project/taskcluster/gecko/hgfingerprint
I'm sure a lot of this can be simplified with role inheritance, but this is the general idea. Aki, do the signing scopes afforded the generic actions seem OK?
Flags: needinfo?(aki)
Comment 11•7 years ago
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #10)
> Aki, do the signing scopes afforded the generic actions
> seem OK?
Yes. The :format: isn't sensitive at the moment, only :cert:, and we appear to be limiting nightly to generic level 3 and release to release promotion level 3. Sounds right. I looked at the other scriptworker scopes; those appear correct as well.
Will these scopes be editable via roles like they are today? They're closer to being stable than they were a couple quarters ago, but they still may be in flux.
Flags: needinfo?(aki)
Assignee | ||
Comment 12•7 years ago
Yes, I'll reflect all of this into roles. I haven't quite figured out how just yet, but that's the next step :)
Assignee | ||
Comment 13•7 years ago
Ah, I think I see the conceptual distinction here: the generic action corresponds to anything that a push might do -- retriggers, add tasks, etc. Where an action requires scopes that are not available for a "regular" push, it will need its own hook. That maps nicely to relpromo, cancellation, purging caches, and nightlies.
Assignee | ||
Comment 14•7 years ago
With that in mind, the proposed arrangement of roles is this:
mozilla-group:active_scm_level_N is changed from assume:repo:.. for each repo at level N to:
hooks:trigger-hook:project-releng/gecko-action-N-generic
hooks:trigger-hook:project-releng/gecko-action-N-purge-cache
hooks:trigger-hook:project-releng/gecko-action-N-cancel-all
(and any other actions afforded to everyone at that level).
mozilla-group:releng (and relman?) gets
hooks:trigger-hook:project-releng/gecko-action-{1,2,3}-relpromo
That *dramatically* reduces the set of scopes that users have. It does mean that we need to implement loaners as an action.
---
We currently use roles
repo:hg.mozilla.org/<repo>:push -- for pushes
repo:hg.mozilla.org/<repo>:cron:<crontask> -- for cronjobs
and in fact we define scopes that should be available to all jobs on that repo in role repo:hg.mozilla.org/<repo>:*. That currently has some "scary" scopes in it, and per comment 13 those scopes should not be available to a decision task that results from a push. Some of them are already in ..:cron:nightly.
We will add roles
repo:hg.mozilla.org/<repo>:action:<actionPerm>
which have the "scary" scopes required to accomplish any particular action. This role will automatically inherit the non-scary ...:* scopes, allowing create-task and so on. I'll define `actionPerm` as the permission needed for an action: either the action name, or "generic" for actions that can use generic permissions.
These roles will use some utility roles under project:releng, such as project:releng:action:level-3:relpromo:<proj>.
Note that there's probably no reason to define role ...:action:generic explicitly, as it should have no more scopes than ...:*.
---
Hooks run with a `hook-id` role, so we'll define some roles as follows:
hook-id:project-releng/gecko-action-1-generic:
assume:hg.mozilla.org:<repo>:action:generic for all level-1 <repo>
hook-id:project-releng/gecko-action-1-purge-cache:
assume:hg.mozilla.org:<repo>:action:purge-cache for all level-1 <repo>
hook-id:project-releng/gecko-action-2-generic:
assume:hg.mozilla.org:<repo>:action:generic for all level-2 <repo>
hook-id:project-releng/gecko-action-3-generic:
assume:hg.mozilla.org:<repo>:action:generic for all level-3 <repo>
hook-id:project-releng/gecko-action-3-relpromo:
assume:hg.mozilla.org:<repo>:action:relpromo for all level-3 <repo>
etc.
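The role arrangement proposed in comment 14, modelled as an added example (not part of the original comment and not Taskcluster's own code). It assumes the simplified rule that a scope or role ID ending in `*` matches by prefix, uses the `repo:hg.mozilla.org/<repo>:action:<actionPerm>` role naming, and runs on a constructed role table for a level-1 repo `try` with a constructed worker type name.

```python
# Added example: simplified model of Taskcluster scope satisfaction and role
# expansion. Assumption: a trailing "*" matches by prefix and nothing else is
# special. The role table is constructed for illustration.

ROLES = {
    # What every level-1 committer holds after the change: trigger rights only.
    "mozilla-group:active_scm_level_1": [
        "hooks:trigger-hook:project-releng/gecko-action-1-generic",
        "hooks:trigger-hook:project-releng/gecko-action-1-purge-cache",
    ],
    # What each hook runs with.
    "hook-id:project-releng/gecko-action-1-generic": [
        "assume:repo:hg.mozilla.org/try:action:generic",
    ],
    "hook-id:project-releng/gecko-action-1-purge-cache": [
        "assume:repo:hg.mozilla.org/try:action:purge-cache",
    ],
    # Non-scary scopes shared by every job on the repo.
    "repo:hg.mozilla.org/try:*": [
        "queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-*",
        "queue:scheduler-id:gecko-level-1",
    ],
    # The extra scope only the purge-cache action needs.
    "repo:hg.mozilla.org/try:action:purge-cache": [
        "purge-cache:aws-provisioner-v1/*",
    ],
}


def satisfies(held, required):
    """True if the set of held scopes satisfies one required scope."""
    return any(
        h == required or (h.endswith("*") and required.startswith(h[:-1]))
        for h in held
    )


def role_matches(role_id, assumed):
    """Does holding assume:<assumed> pull in the role named role_id?"""
    if role_id == assumed:
        return True
    if role_id.endswith("*") and assumed.startswith(role_id[:-1]):
        return True
    return assumed.endswith("*") and role_id.startswith(assumed[:-1])


def expand(scopes, roles=ROLES):
    """Follow assume: scopes through the role table until nothing new appears."""
    result = set(scopes)
    changed = True
    while changed:
        changed = False
        for scope in list(result):
            if not scope.startswith("assume:"):
                continue
            assumed = scope[len("assume:"):]
            for role_id, role_scopes in roles.items():
                new = set(role_scopes) - result
                if new and role_matches(role_id, assumed):
                    result |= new
                    changed = True
    return result


def can(identity_scope, required):
    """Expand one identity and test it against a required scope."""
    return satisfies(expand({identity_scope}), required)


if __name__ == "__main__":
    create = "queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux"
    purge = "purge-cache:aws-provisioner-v1/gecko-1-b-linux"
    for who in (
        "assume:mozilla-group:active_scm_level_1",
        "assume:hook-id:project-releng/gecko-action-1-generic",
        "assume:hook-id:project-releng/gecko-action-1-purge-cache",
    ):
        print(who, "create-task:", can(who, create), "purge-cache:", can(who, purge))
```

The `...:action:generic` role is never defined in the table; the generic hook gets its scopes purely through the `repo:hg.mozilla.org/try:*` role, which is the inheritance the comment relies on.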
Comment 15•7 years ago
I think it probably makes sense for the hooks and scopes to be under something like `project-gecko`, so that thunderbird can use `project-comm` for the equivalent scopes there.
Assignee | ||
Comment 16•7 years ago
A few open questions (other than "will this work?")
@tomprince:
Will this work acceptably with suitable s/gecko/comm/? IIRC that substitution doesn't work everywhere, and IIRC you would like to change gecko -> firefox, too. Perhaps we should do some cleanup along those lines first?
@bstack:
I see there is a loaner action already, but Treeherder still implements that with a link to https://tools.taskcluster.net/one-click-loaner/#taskId. Was there a blocker to changing that to use an action?
Comment 17•7 years ago
I don't remember why exactly. It might've just been that we didn't bother to port it. Also might have something to do with windows/linux/osx but that doesn't make much sense to me right now.
Assignee | ||
Comment 18•7 years ago
I created project "gecko" and I'll use that in place of "releng".
By the way, I should have written ":branch:default" instead of ":push" above.
Assignee | ||
Updated•7 years ago
Assignee | ||
Comment 19•7 years ago
Comment 21•7 years ago
Commits pushed to master at https://github.com/taskcluster/taskcluster-docs
https://github.com/taskcluster/taskcluster-docs/commit/b421e6504d0883897ef0dd70c4a90c262230dc12
Bug 1415868 - refactor actions doc to allow multiple kinds
This moves some of the more verbose schema descriptions out into the
manual, leaving the schema quite a bit shorter. It will get longer when
a new kind is added!
https://github.com/taskcluster/taskcluster-docs/commit/6c9e7b431a22b1220e632528c1e45931d0fa5ccf
Bug 1415868 - document kind=hook
https://github.com/taskcluster/taskcluster-docs/commit/5e6625c6fe04df027d9a7152d14cc0586314dcf9
Bug 1415868 - add a section on choosing a kind, security concerns
https://github.com/taskcluster/taskcluster-docs/commit/53c748bf64535afcb138ffe9468a9ca1538242e6
Bug 1415868 - refactor docs based on review comments
https://github.com/taskcluster/taskcluster-docs/commit/b4b6d0e9ca39c7f47b7e32ab18ba6c879432544e
Merge pull request #250 from djmitche/bug1415868
Bug 1415868 - docs for actions with kind=hook
Assignee | ||
Comment 22•7 years ago
I just created hook `project-gecko/in-tree-action-1-generic` to try things out (using tc-admin)
Assignee | ||
Comment 23•7 years ago
And that successfully retriggered a task!
https://tools.taskcluster.net/groups/LU9AvBDuR9uDHKACyXOoIQ/tasks/LU9AvBDuR9uDHKACyXOoIQ/runs/0/logs/public%2Flogs%2Flive.log
So the issue here is that the total number of inputs to turn a generic "run an action" hook and an actual task definition is pretty huge:
https://gist.github.com/djmitche/b338559f8e1eae35e3e36a30f00759ed/ea2eb8167223d4e86bd51f27b61bd4e271054051#file-test-payload-yml
that divides into two parts:
1. information that the decision task "bakes in" to actions.json:
action
push
repository
callback
parameters
2. information from the UI
input
task
taskId
taskGroupId
ownTaskId (bug 1455697)
Currently I'm providing that all as the trigger payload, but part 1 still needs to come from the decision task. The only way I see to do that is to provide it in the schema, including the data as default values. It might even be nice if the schema enforced those values, but that likely requires including all of that data *twice* in the schema.
Jonas, as schema expert, what are your thoughts?
The other issue is that the action task definition is currently based on .taskcluster.yml, so generating it in tc-admin is a bit of an awkward fit. The result is a {$let: .., in: <task from .taskcluster.yml>} structure. We can potentially duplicate that, if it's useful. Ideally the action tasks created by a hook should still be verify-able by CoTv2. This redoubles my conviction that all of this runtime configuration (hooks, roles, etc.) should be done in-tree..
Aki, in CoTv2, to validate an action, are you taking the action from actions.json and supplying its inputs? Or going all the way back to .taskcluster.yml and supplying the full set?
Assignee | ||
Updated•7 years ago
Flags: needinfo?(jopsen)
Flags: needinfo?(aki)
Comment 24•7 years ago
Looks like we're using actions.json: https://github.com/mozilla-releng/scriptworker/blob/master/scriptworker/cot/verify.py#L1243-L1247
Flags: needinfo?(aki)
Assignee | ||
Comment 25•7 years ago
It seems I forgot (despite an admonition to the contrary in the docs, that I wrote!) that there are two JSON-e parameterizations here. So I think this doesn't require schema defaults.
Assignee | ||
Comment 26•7 years ago
The purge-caches implementation trusts the `task` input, pulling the things to purge from there:
https://dxr.mozilla.org/mozilla-central/source/taskcluster/taskgraph/actions/purge_caches.py
def purge_caches_action(parameters, input, task_group_id, task_id, task):
    if task['payload'].get('cache'):
        for cache in task['payload']['cache']:
            purge_cache(task['provisionerId'], task['workerType'], cache, use_proxy=True)
    else:
        logger.info('Task has no caches. Will not clear anything!')
I think this is OK -- purging caches is hardly dangerous -- but for other hooks it might be problematic. The task definition (and parameters) is also quite large, and often unnecessary. Perhaps it would be better to omit it for type=hook actions, and require the action implementations to fetch them if needed? That would probably be best accomplished in a follow-up. What do you think, Jonas?
Comment 27•7 years ago
Would something like how cron hooks work make sense? That is, there is a fairly simple (and standardized) task definition. And then that calls code in-tree to generate an action task based on the in-tree `.taskcluster.yml`?
Assignee | ||
Comment 28•7 years ago
For the issue in comment 26, no -- we can easily add some utility functions that will fetch a task or the decision task's parameters without requiring execution of a second task.
And in general, I want to avoid that, as it will delay an already fairly slow process by requiring another round of task create-claim-start-execute-resolve.
Assignee | ||
Comment 29•7 years ago
I have a bunch of patches that can land together now, and set things up to use hooks as actions, but do not actually convert the actions. Treeherder still needs to be updated before we can do that.
https://github.com/taskcluster/taskcluster-admin/pull/20 -- this has already been applied in production, so hopefully it's OK
https://github.com/taskcluster/taskcluster-tools/pull/525 -- this was *way* easier than I expected!
Assignee | ||
Comment 35•7 years ago
mozreview-review |
Comment on attachment 8971065 [details]
Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes;
https://reviewboard.mozilla.org/r/239826/#review245532
::: .taskcluster.yml:74
(Diff revision 1)
> scopes:
> $if: 'tasks_for == "hg-push"'
> then:
> - 'assume:repo:${repoUrl[8:]}:branch:default'
> - 'queue:route:notify.email.${ownerEmail}.*'
> + - 'in-tree:hook-action:project-gecko/in-tree-action-${repository.level}-*'
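Review bot: The added scope ends in `-*`, so every push decision task at a given level is granted `in-tree:hook-action:` for all hooks whose name starts with `in-tree-action-<level>-`, not only the generic one. If that breadth is intended, a comment above the line saying what holding this scope authorizes, and why it is a wildcard rather than a list, would make the grant reviewable; it is also worth confirming that `repository.level` is defined wherever `tasks_for == "hg-push"` renders.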
@tomprince: I suspect we can s/gecko/comm/ in comm's `/.taskcluster.yml`, right?
Assignee | ||
Comment 36•7 years ago
hassan, any chance I could lean on you to make changes equivalent to https://github.com/taskcluster/taskcluster-tools/pull/525 in treeherder? That's based off of https://docs.taskcluster.net/manual/using/actions/spec and https://docs.taskcluster.net/manual/using/actions/ui.
Flags: needinfo?(jopsen) → needinfo?(helfi92)
Comment 38•7 years ago
mozreview-review |
Comment on attachment 8971062 [details]
Bug 1415868 - add 'mach taskgraph actions';
https://reviewboard.mozilla.org/r/239820/#review245808
It would be nice if the new command either didn't take, or handled, all the options it can be given (`--json`/`--labels`, `--fast`, `--task-regex`, `--no-optimize`).
Attachment #8971062 -
Flags: review?(mozilla) → review+
Comment 39•7 years ago
mozreview-review |
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;
https://reviewboard.mozilla.org/r/239822/#review245810
::: taskcluster/taskgraph/actions/registry.py:247
(Diff revision 1)
> # functions to populate the action registry.
> actions_dir = os.path.dirname(__file__)
> for f in os.listdir(actions_dir):
> if f.endswith('.py') and f not in ('__init__.py', 'registry.py', 'util.py'):
> __import__('taskgraph.actions.' + f[:-3])
> - if f.endswith('.yml'):
> + # TODO: support loaners through a hook
It seems unlikely that the code for supporting a loaner will go here, so it would be better to turn this into a bug, and not leave a comment here.
Attachment #8971063 -
Flags: review?(mozilla) → review+
Comment 45•7 years ago
mozreview-review |
Comment on attachment 8971064 [details]
Bug 1415868 - add support for defining actions with kind=hook;
https://reviewboard.mozilla.org/r/239824/#review245844
This looks good, but it might need to change to match changes requested in https://github.com/taskcluster/taskcluster-admin/pull/20
::: taskcluster/taskgraph/actions/registry.py:163
(Diff revision 1)
> + 'name': name,
> + 'title': title,
> + 'description': description,
> + 'taskGroupId': task_group_id,
> + 'repo_scope': repo_scope,
> + 'cb_name': cb.__name__,
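Review bot: `'repo_scope': repo_scope` and `'cb_name': cb.__name__` sit in the same dict as display fields such as `title` and `description`, and nothing in this hunk says which keys the consumer is expected to trust. Please add a comment marking which entries are informational and which select code or scopes, so a reader can tell what must not be caller-controlled.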
Given the security concerns, does this even want to be included in hook actions? My feeling is not.
::: taskcluster/taskgraph/actions/registry.py:226
(Diff revision 1)
> + 'taskGroupId': {'$eval': 'taskGroupId'},
> + }
> },
> - 'in': taskcluster_yml['tasks'][0]
> }
> + rv['name'] = name
nit: I'd do `rv = {...}` above the conditional, and then `rv.update({...})` inside it.
Attachment #8971064 -
Flags: review?(mozilla) → review+
Assignee | ||
Comment 46•7 years ago
mozreview-review-reply |
Comment on attachment 8971064 [details]
Bug 1415868 - add support for defining actions with kind=hook;
https://reviewboard.mozilla.org/r/239824/#review245844
> Given the security concerns, does this even want to be included in hook actions? My feeling is not.
For generic actions (actionPerm='generic') it does need to be here. For the non-generic, its value has to be "forced" whether it's present in the payload or not.
> nit: I'd do `rv = {...}` above the conditional, and then `rv.update({...})` inside it.
I like that..
Comment 50•7 years ago
Commit pushed to master at https://github.com/taskcluster/taskcluster-tools
https://github.com/taskcluster/taskcluster-tools/commit/f950c71c5a6f44f434f58f617f3c222bd4812bb6
Bug 1415868 - support actions with kind=hook (#525)
Assignee | ||
Comment 51•7 years ago
Comment 52•7 years ago
Comment 53•7 years ago
mozreview-review |
Comment on attachment 8971062 [details]
Bug 1415868 - add 'mach taskgraph actions';
https://reviewboard.mozilla.org/r/239820/#review246632
Attachment #8971062 -
Flags: review?(jopsen) → review+
Comment 54•7 years ago
mozreview-review |
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;
https://reviewboard.mozilla.org/r/239822/#review246634
::: commit-message-d59da:9
(Diff revision 2)
> +so this mode of action definition will not be possible. This is not currently
> +used from Treeherder (it links to
> +https://tools.taskcluster.net/tasks/<taskid>/interactive instead)
> +
> +This drops support for the JSON-e-only interactive action; that action is not
> +currently used from treeherder, so that should have no impact for users.
It is present in treeherder, you just have to dig into the actions menu... that well hidden.
I'll agree it probably won't affect users.
But the plan was for TH to remove the link to:
`tools.taskcluster.net/tasks/<taskid>/interactive`
and exclusively use this.
This will move that one step backwards.
And it won't provide an alternative action.
I could be wrong, and I'm not sure we should block on this. Just that at least we should be aware.
Assignee | ||
Comment 55•7 years ago
Think of it as avoiding having to re-implement something because the old version wasn't already in production. It will eventually be implemented with a hook-based in-tree action.
Assignee | ||
Updated•7 years ago
Attachment #8971063 -
Flags: review?(jopsen)
Attachment #8972298 -
Flags: review?(mozilla)
Attachment #8972298 -
Flags: review?(jopsen)
Assignee | ||
Comment 62•7 years ago
OK, new round of reviews is up. Here are my notes from previous reviews and our conversation last week:
* [DONE] add detail to hooks' triggerSchema to indicate specific keys in action, push, and repository
* [DONE] don't include repo_scope in the hookPayload (and don't generate it in the in-tree code)
* [DONE] Rework these overrides to be a little clearer that we either take the given value, or force it, and why (with some comments).
* [DONE] Merge action.foo properties individually, rather than dict merge
* [ALREADY THE CASE] Advise to keep data provided to hooks.triggerHook as small as possible - that's the trust boundary, so probably not the task
* [DONE] Just drop the `task` field in the spec
* [DONE] docs/spec: ownTaskId not included for hooks
* [DONE] use taskId from hooks service
* [DONE] Pull tc.yml from comm-central for comm-central trustdomain
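One way to treat the trigger payload as the trust boundary, combining the points from comments 26, 46 and 62: reject keys the hook does not need, force `cb_name` for non-generic hooks, and fetch the task by `taskId` instead of accepting it from the caller. This is an added example, not the in-tree implementation; `HOOK_CALLBACKS`, `FAKE_QUEUE`, `prepare_action`, `caches_to_purge`, `is_rejected`, the callback name `retrigger_action` and all sample data are hypothetical or constructed.

```python
# Added example: a hook-side entry point that treats the trigger payload as
# the trust boundary. All table contents and sample values are constructed.

# Constructed stand-in for looking a task definition up by taskId in the queue.
FAKE_QUEUE = {
    "constructed-task-id-0001": {
        "provisionerId": "aws-provisioner-v1",
        "workerType": "gecko-1-b-linux",
        "payload": {"cache": {"level-1-checkouts": "/builds/worker/checkouts"}},
    },
}

# Callback each non-generic hook is pinned to (hypothetical table).
HOOK_CALLBACKS = {"purge-cache": "purge_caches_action"}

# The only keys a caller may send; "task" is deliberately absent.
ALLOWED_KEYS = {"taskId", "input", "cb_name"}


class PayloadError(ValueError):
    """Raised when a trigger payload falls outside the accepted shape."""


def validate(payload):
    """Reject anything the hook does not need instead of silently ignoring it."""
    if not isinstance(payload, dict):
        raise PayloadError("payload must be an object")
    extra = set(payload) - ALLOWED_KEYS
    if extra:
        raise PayloadError("unexpected keys: %s" % sorted(extra))
    if not isinstance(payload.get("taskId"), str):
        raise PayloadError("taskId must be a string")
    if not isinstance(payload.get("input", {}), dict):
        raise PayloadError("input must be an object")


def resolve_callback(action_perm, payload):
    """Take cb_name from the caller only for the generic hook; force it otherwise."""
    if action_perm == "generic":
        cb_name = payload.get("cb_name")
        if not isinstance(cb_name, str) or not cb_name:
            raise PayloadError("generic hook requires cb_name")
        return cb_name
    # Forced whether or not the payload carries a cb_name of its own.
    return HOOK_CALLBACKS[action_perm]


def prepare_action(action_perm, payload, fetch_task=FAKE_QUEUE.get):
    """Validate the payload and build the context the callback will run with."""
    validate(payload)
    task = fetch_task(payload["taskId"])
    if task is None:
        raise PayloadError("unknown taskId")
    return {
        "cb_name": resolve_callback(action_perm, payload),
        "taskId": payload["taskId"],
        "input": payload.get("input", {}),
        "task": task,  # fetched by the action, never caller-supplied
    }


def caches_to_purge(context):
    """What a purge-caches callback would act on, derived from the fetched task."""
    task = context["task"]
    return [
        (task["provisionerId"], task["workerType"], cache)
        for cache in task["payload"].get("cache", {})
    ]


def is_rejected(action_perm, payload):
    """Convenience wrapper: True when the payload is refused."""
    try:
        prepare_action(action_perm, payload)
    except PayloadError:
        return True
    return False
```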
Comment 63•7 years ago
mozreview-review |
Comment on attachment 8971065 [details]
Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes;
https://reviewboard.mozilla.org/r/239826/#review246716
Attachment #8971065 -
Flags: review?(mozilla) → review+
Comment 64•7 years ago
mozreview-review |
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK
https://reviewboard.mozilla.org/r/240960/#review246724
::: .taskcluster.yml:112
(Diff revision 1)
> - $if: 'tasks_for == "action"'
> then:
> ACTION_TASK_GROUP_ID: '${ownTaskId}'
> ACTION_TASK_ID: {$json: {$eval: 'taskId'}}
> + # note that this is always NULL for actions with kind=hook
> ACTION_TASK: {$json: {$eval: 'task'}}
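Review bot: The new comment says the value is always NULL for kind=hook, but `ACTION_TASK` is still set unconditionally from `task` on the following line, so consumers receive a serialized null rather than an absent variable. Either say in the comment what a consumer should do with that value, or set the variable only when `task` is present.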
Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.
We can move that into just the actions that need that later.
Assignee | ||
Comment 65•7 years ago
> Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.
Just to be clear you're suggesting fetching the task with `queue.task(..)`?
Comment 66•7 years ago
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #65)
> > Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.
>
> Just to be clear you're suggesting fetching the task with `queue.task(..)`?
Presumably `taskgraph.util.taskcluster.get_task_definition`. So, yes?
Comment 67•7 years ago
Commits pushed to master at https://github.com/taskcluster/taskcluster-docs
https://github.com/taskcluster/taskcluster-docs/commit/b9b9233b09e27cc5606f628e640c6550ae6f25f7
Bug 1415868 - ownTaskId and task are not provided for kind=hook
(with some minor formatting fixes)
https://github.com/taskcluster/taskcluster-docs/commit/cd8f6317eb3edb06a33ca3db24fe0b6532981e9b
Merge pull request #255 from djmitche/bug1415868-b
Bug 1415868 - ownTaskId and task are not provided for kind=hook
Comment 68•7 years ago
mozreview-review |
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;
https://reviewboard.mozilla.org/r/239822/#review246778
Attachment #8971063 -
Flags: review+
Comment 69•7 years ago
mozreview-review |
Comment on attachment 8971064 [details]
Bug 1415868 - add support for defining actions with kind=hook;
https://reviewboard.mozilla.org/r/239824/#review246780
Attachment #8971064 -
Flags: review?(jopsen) → review+
Comment 70•7 years ago
mozreview-review |
Comment on attachment 8971065 [details]
Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes;
https://reviewboard.mozilla.org/r/239826/#review246782
Attachment #8971065 -
Flags: review?(jopsen) → review+
Comment 71•7 years ago
mozreview-review |
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK
https://reviewboard.mozilla.org/r/240960/#review246788
::: .taskcluster.yml:112
(Diff revision 1)
> - $if: 'tasks_for == "action"'
> then:
> ACTION_TASK_GROUP_ID: '${ownTaskId}'
> ACTION_TASK_ID: {$json: {$eval: 'taskId'}}
> + # note that this is always NULL for actions with kind=hook
> ACTION_TASK: {$json: {$eval: 'task'}}
What tomprince said :)
Attachment #8972298 -
Flags: review?(jopsen) → review+
Assignee | ||
Comment 72•7 years ago
Assignee | ||
Comment 74•7 years ago
I've tested both kind=hook and kind=task actions on the above try push. The hooks in place are based on .taskcluster.yml from that try push. Everything seems to work.
Next steps:
- r+ on the last patch
- land this (but not the DO NOT LAND patch)
- sort out how to verify this with CoTv2
(note that just landing the attached patches won't result in any kind=hook actions being run, so this can wait)
- uplift graph-config stuff (tomprince)
- uplift this as far as possible (hopefully to esr52)
- start porting actions to use kind=hook
Comment 75•7 years ago
|
||
mozreview-review |
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK
https://reviewboard.mozilla.org/r/240960/#review246806
Attachment #8972298 -
Flags: review?(mozilla) → review+
Comment 76•7 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #72)
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=d7665b9f894a550d83cfa1bc9ce01fedd11950c6
`verify_cot --task-type action --cleanup -- RUSih0YTT1uhfyKyiuNmXA` passes cotv2.
Assignee | ||
Comment 77•7 years ago
|
||
Aki and I chatted. At the moment, we're not sure how that verify worked, but Aki is looking into it.
My understanding of the way we'd like CoT verification to work is that CoT determines the inputs to .taskcluster.yml that would have generated this action, renders with JSON-e, and compares the result.
That necessitates having .taskcluster.yml and the hook object's task template match (the template surrounds the .taskcluster.yml content with a {$let: .., in: ..} but otherwise includes it verbatim). To accomplish that, Aki suggested hashing `.taskcluster.yml` and including the hash (or a prefix of it) in the hookId.
Then the challenge is just to run the script to create hooks before they're needed. We could accomplish that with a task that runs on push that verifies the hook exists and, if not, suggests running the script. The script will need elevated privs, so we would rather not have it run automatically!
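The check described in comment 77, sketched as an added example (not code from taskgraph, scriptworker or the hook creation script): hash the pushed `.taskcluster.yml`, derive the hookId from it, and confirm that the hook's template is only a `{$let: .., in: ..}` wrapper around the same content. The hookId naming scheme, the prefix length and the sample bindings are assumptions.

```python
import hashlib
import json

PREFIX_LEN = 10  # assumption: how many hex digits of the digest go in the hookId


def tcyml_digest(raw: bytes) -> str:
    """SHA-256 over the exact bytes of .taskcluster.yml at the pushed revision."""
    return hashlib.sha256(raw).hexdigest()


def expected_hook_id(level: int, perm: str, raw: bytes) -> str:
    # Hypothetical naming scheme; the comment only specifies that the hash
    # (or a prefix of it) is part of the hookId.
    return f"in-tree-action-{level}-{perm}/{tcyml_digest(raw)[:PREFIX_LEN]}"


def build_hook_template(raw: bytes, bindings: dict) -> dict:
    """Wrap the parsed file in {$let: .., in: ..}, body otherwise verbatim."""
    return {"$let": bindings, "in": json.loads(raw)}


def check_hook(hook_id: str, template: dict, level: int, perm: str, raw: bytes) -> list:
    """Return the reasons a hook must not be used for this revision (empty = ok)."""
    problems = []
    if hook_id != expected_hook_id(level, perm, raw):
        problems.append("hookId is stale: run the hook creation script")
    if set(template) != {"$let", "in"}:
        problems.append("template is not a bare {$let, in} wrapper")
    elif template["in"] != json.loads(raw):
        problems.append("template body differs from .taskcluster.yml")
    return problems


# Constructed sample in JSON syntax (also valid YAML) so the standard library
# can parse it; a real .taskcluster.yml needs a YAML parser.
SAMPLE_TCYML = (
    b'{"version": 1, "tasks": [{"$if": "tasks_for == \\"action\\"",'
    b' "then": {"payload": {"env": {"ACTION_TASK_ID": {"$json": {"$eval": "taskId"}}}}}}]}'
)
# Hypothetical bindings the wrapper would supply from the hook payload.
SAMPLE_BINDINGS = {"tasks_for": "action", "taskId": {"$eval": "payload.user.taskId"}}

if __name__ == "__main__":
    hook = expected_hook_id(1, "generic", SAMPLE_TCYML)
    template = build_hook_template(SAMPLE_TCYML, SAMPLE_BINDINGS)
    print(hook, check_hook(hook, template, 1, "generic", SAMPLE_TCYML))
```

A push-time task can run `check_hook` read-only and report a stale hookId, which leaves the privileged hook creation step to a person.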
Comment 78•7 years ago
|
||
Ah, looks like I missed this line in the logs: 2018-05-03T11:27:54 WARNING - DEPRECATED_DECISION_TASK RUSih0YTT1uhfyKyiuNmXA while verifying task RUSih0YTT1uhfyKyiuNmXA
which means it failed back to cotv1. I need to add support for .taskcluster.yml usage for actions as well. Is there going to be some flag I can look for to toggle this behavior? No matter how tightly we couple the landing + rollout of a new scriptworker, I imagine there will be some old behavior somewhere.
Comment 79•7 years ago
|
||
Attempts at getting `verify_cot --task-type action --min-cot-version 2 --cleanup RUSih0YTT1uhfyKyiuNmXA` are here [1], not yet successful. Ideally we get both current and new-style actions passing.
[1] https://github.com/escapewindow/scriptworker/commits/action-hook-cot
Comment 80•7 years ago
|
||
mozreview-review |
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK
https://reviewboard.mozilla.org/r/240960/#review248340
::: taskcluster/mach_commands.py
(Diff revision 2)
> root = options['root']
>
> return taskgraph.actions.trigger_action_callback(
> task_group_id=task_group_id,
> task_id=task_id,
> - task=task,
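Review bot: dropping task=task at the end of this hunk changes the keyword arguments passed to taskgraph.actions.trigger_action_callback, so the function's signature and every other caller have to change in the same revision or the mismatch surfaces as a TypeError at call time. Only this one call site is visible here; check the remaining callers in taskcluster/mach_commands.py, in particular any test entry point, before landing. The later follow-up on this bug, "fix test-action-callback after rev e2931d904975", shows that test-action-callback needed a fix after this change landed.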
I think this will break cot verification of action tasks until bug 1459705 is fixed.
Assignee | ||
Comment 81•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK
https://reviewboard.mozilla.org/r/240960/#review248340
> I think this will break cot verification of action tasks until bug 1459705 is fixed.
It shouldn't -- this is about what options are passed to the Python callback, and is entirely within the action task. Other parts of the patch omit ACTION_TASK from .taskcluster.yml, which will have the effect of omitting them from actions.json. But CoTv2 is verifying action tasks against actions.json, so that will still match. Have I missed something?
Comment 82•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK
https://reviewboard.mozilla.org/r/240960/#review248340
> It shouldn't -- this is about what options are passed to the Python callback, and is entirely within the action task. Other parts of the patch omit ACTION_TASK from .taskcluster.yml, which will have the effect of omitting them from actions.json. But CoTv2 is verifying action tasks against actions.json, so that will still match. Have I missed something?
If actions.json is unchanged, then I think we're good. If we remove the task json from actions.json as we did in the try push, then cot will break.
Assignee | ||
Comment 83•7 years ago
|
||
Well, actions.json is changed, but still contains a task definition. It was only the retrigger action, and only on that try push, that had kind=hook. That's in the "DO NOT MERGE" revision :)
Comment 84•7 years ago
|
||
Cool, good to hear. I'll try to get the hook cot verification in soon.
Comment 85•7 years ago
|
||
Commit pushed to master at https://github.com/mozilla/treeherder
https://github.com/mozilla/treeherder/commit/85766e2787ec6420b49f986a37f6039067262093
Bug 1415868 - Use hooks for actions (#3502)
* Add hooks for actions
* Remove task from context for kind == hook
Also display hookGroupId/hookId for kind=hook
in the modal.
* Move taskcluster-lib-scopes to the vendor chunk
Comment 86•7 years ago
|
||
(In reply to Aki Sasaki [:aki] from comment #84)
> Cool, good to hear. I'll try to get the hook cot verification in soon.
Status: https://bugzilla.mozilla.org/show_bug.cgi?id=1459705#c2
Could we address the `repo_scope` pre-population and kind=hook taskGroupId bustage? Once we have those fixed, I can remove those hardcoded hacks from cotv3.
Assignee | ||
Comment 87•6 years ago
|
||
I'm going to try to get this landed on Monday, without the DO NOT MERGE part. Today seems risky :)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 95•6 years ago
|
||
Assignee | ||
Comment 96•6 years ago
|
||
OK, https://tools.taskcluster.net/tasks/NdzxKw8bS5Sw5DRhoiM14w is the result of a retrigger on the try push with the latest patch applied (and having run tcadmin to update the hook defs)
The hook payload (copying from the 'Params' tab in devtools kinda stinks..):
decision {…}
  action {…}
    cb_name retrigger_action
    description Create a clone of the task.
    name retrigger
    symbol rt
    taskGroupId c5nn2xbNS9mJxeVC0uNElg
    title Retrigger
  parameters {…}
    app_version 62.0a1
    base_repository https://hg.mozilla.org/mozilla-unified
    build_date 1526682222
    build_number 1
    do_not_optimize {}
    existing_tasks {}
    filters {…}
      0 check_servo
      1 target_tasks_method
    head_ref f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
    head_repository https://hg.mozilla.org/try
    head_rev f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
    include_nightly true
    level 1
    message
    moz_build_date 20180518222342
    next_version null
    optimize_target_tasks false
    owner dmitchell@mozilla.com
    project try
    pushdate 1526682222
    pushlog_id 272718
    release_enable_emefree false
    release_enable_partners false
    release_eta
    release_history {}
    release_partner_build_number 1
    release_partner_config {}
    release_partners {}
    release_product null
    release_type
    target_tasks_method try_tasks
    try_mode try_task_config
    try_options null
    try_task_config {…}
      tasks {…}
    version 62.0a1
  push {…}
    owner mozilla-taskcluster-maintenance@mozilla.com
    pushlog_id 272718
    revision f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
  repository {…}
    level 1
    project try
    url https://hg.mozilla.org/try
user {…}
  input {…}
    downstream false
    times 1
  taskGroupId c5nn2xbNS9mJxeVC0uNElg
  taskId H1mVqFQbS3Sqwo5tWMLtYw
but more importantly, in the resulting task:
"ACTION_TASK_GROUP_ID": "c5nn2xbNS9mJxeVC0uNElg",
So that seems to be fixed. I remain cautiously optimistic that this has been breaking the cancel_all action for a long time.
Comment 97•6 years ago
|
||
mozreview-review |
Comment on attachment 8977124 [details]
Bug 1415868 - change ACTION_TASK_GROUP_ID to be the taskGroupId of the target task;
https://reviewboard.mozilla.org/r/245208/#review251206
Thanks!
Attachment #8977124 -
Flags: review?(aki) → review+
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Updated•6 years ago
|
Attachment #8971066 -
Attachment is obsolete: true
Comment 100•6 years ago
|
||
Pushed by dmitchell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7637618d3bd2
add 'mach taskgraph actions'; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/2c95df49455b
Remove support for register_action_task; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/a891a10ca4d9
add support for defining actions with kind=hook; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/4cbd35f87289
include in-tree:hook-action:..{level}-* in decision task scopes; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/e2931d904975
remove ACTION_TASK r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/d4643b526038
change ACTION_TASK_GROUP_ID to be the taskGroupId of the target task; r=aki
Assignee | ||
Comment 101•6 years ago
|
||
Assuming that sticks, next steps are:
- finish CoT work
- add hash to hookIds
- convert all actions to hooks
- convert anything treeherder is still doing "manually" to a hook
- convert anything tools is still doing "manually" to a hook
- remove scopes from active_scm_level_L roles
Keywords: leave-open
Comment 102•6 years ago
|
||
Sorry for catching this late - you've changed ACTION_TASK_GROUP_ID to c5nn2xbNS9mJxeVC0uNElg, but the taskGroupId of the task hasn't changed to c5nn2xbNS9mJxeVC0uNElg; it's NdzxKw8bS5Sw5DRhoiM14w, which is the action task's taskId. Can we fix that?
Assignee | ||
Comment 103•6 years ago
|
||
Comment 104•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/7637618d3bd2
https://hg.mozilla.org/mozilla-central/rev/2c95df49455b
https://hg.mozilla.org/mozilla-central/rev/a891a10ca4d9
https://hg.mozilla.org/mozilla-central/rev/4cbd35f87289
https://hg.mozilla.org/mozilla-central/rev/e2931d904975
https://hg.mozilla.org/mozilla-central/rev/d4643b526038
Assignee | ||
Comment 105•6 years ago
|
||
- [DONE (aki)] finish CoT work
- [DONE] add hash to hookIds
- convert all actions to hooks
- convert anything treeherder is still doing "manually" to a hook
- convert anything tools is still doing "manually" to a hook
- remove scopes from active_scm_level_L roles
Comment 106•6 years ago
|
||
This makes it consistent with everywhere else in `.taskcluster.yml` where we
refer to the action task group.
Updated•6 years ago
|
Attachment #8986246 -
Attachment is obsolete: true
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 109•6 years ago
|
||
mozreview-review |
Comment on attachment 8986661 [details]
Bug 1415868 - fix test-action-callback after rev e2931d904975,
https://reviewboard.mozilla.org/r/251968/#review258554
Attachment #8986661 -
Flags: review?(dustin) → review+
Comment 110•6 years ago
|
||
Pushed by nthomas@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cea130a07d08
fix test-action-callback after rev e2931d904975, r=dustin
Comment 111•6 years ago
|
||
bugherder |
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 113•6 years ago
|
||
This is still waiting on a production deploy of treeherder. Hopefully soon!!!
Comment 114•6 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #113)
> This is still waiting on a production deploy of treeherder. Hopefully
> soon!!!
Is that deployment tracked in a bug?
Assignee | ||
Comment 115•6 years ago
|
||
Assignee | ||
Comment 116•6 years ago
|
||
I'm not going to lie, I'm pretty confused about this bug. I *think* all of the code is landed, and all that remains is to start turning on `kind="hook"` for actions. Once that sticks, this is basically done and I can start working on reducing user scopes.
Assignee | ||
Comment 117•6 years ago
|
||
Ah, that is landed in bug 1470621 and happily has spread quite widely already. All that remains is relpromo (bug 1485680) and that's not a hard blocker on progress here.
Assignee | ||
Comment 118•6 years ago
|
||
Let's leave the relpromo work to its own bug, and close this -- we're substantially using hooks now and all that remains is clean-up.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
|
Keywords: leave-open
Updated•6 years ago
|
Component: Hooks → Services