Bug 1599236 Comment 2 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I chatted with Marco regarding the need: the code-review bot has to add new jobs. Therefore, the only action in actions.json[1] it should need is `add-new-jobs`. I was originally concerned by the fact release promotion can be triggered by the bot since it's present in actions.json. That said it's the only action that has its own permission. I guess that explains why it has its own dedicated scope[3]. Although, I noticed `in-tree-action-3-cancel-all/*`[4] exists while being part of the `generic` pool. So, I looked at the available `in-tree-action` hooks[5] and saw some of them exist, but not all.

Therefore my questions are the following: should we create a dedicated hook so the bot has access to what is strictly needs? If so, how should we do it? What do you think, Tom?

In the meantime, I put a patch to grant `generic`. This way, Marco is unblocked. 

[1] For instance https://firefoxci.taskcluster-artifacts.net/AuvjhJ_1SG-jH-xtFOlJlw/0/public/actions.json
[2] Search for "actionPerm" in [1] => see everything is `generic` but `release-promotion`
[3] https://hg.mozilla.org/ci/ci-configuration/file/7daf0db905e62551043ba26bdf1a33c16810aa9a/grants.yml#l1645
[4] https://hg.mozilla.org/ci/ci-configuration/file/7daf0db905e62551043ba26bdf1a33c16810aa9a/grants.yml#l1630
[5] https://firefox-ci-tc.services.mozilla.com/hooks?search=in-tree-action-

I chatted with Marco regarding the need: the code-review bot has to add new jobs. Therefore, the only action in actions.json[1] it should need is `add-new-jobs`. I was originally concerned by the fact release promotion can be triggered by the bot since it's present in actions.json. That said it's the only action that has its own permission. I guess that explains why it has its own dedicated scope[3]. Although, I noticed `in-tree-action-3-cancel-all/*`[4] exists while being part of the `generic` pool. So, I looked at the available `in-tree-action` hooks[5] and saw some of them exist, but not all.

Therefore my questions are the following: should we create a dedicated hook so the bot has access to what it strictly needs? If so, how should we do it? What do you think, Tom?

In the meantime, I put a patch to grant `generic`. This way, Marco is unblocked. 

[1] For instance https://firefoxci.taskcluster-artifacts.net/AuvjhJ_1SG-jH-xtFOlJlw/0/public/actions.json
[2] Search for "actionPerm" in [1] => see everything is `generic` but `release-promotion`
[3] https://hg.mozilla.org/ci/ci-configuration/file/7daf0db905e62551043ba26bdf1a33c16810aa9a/grants.yml#l1645
[4] https://hg.mozilla.org/ci/ci-configuration/file/7daf0db905e62551043ba26bdf1a33c16810aa9a/grants.yml#l1630
[5] https://firefox-ci-tc.services.mozilla.com/hooks?search=in-tree-action-
