Closed Bug 1415868 Opened 7 years ago Closed 6 years ago

Use hooks for actions

Categories

(Taskcluster :: Services, enhancement)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: garndt, Assigned: dustin)

References

(Blocks 2 open bugs)

Details

Attachments

(9 files, 2 obsolete files)

Currently, to perform any in-tree-defined action from Treeherder, the user must possess the scopes necessary to execute a decision task on that branch, which is often tied to one of the LDAP SCM level groups.

Once parameterized hooks are implemented, it should be possible to wrap actions in a hook and call it with a few well-defined parameters that can be validated and sanitized, allowing users to trigger the action but not directly modify the tasks that would run, nor need more privileged scopes.
Depends on: 1324807
This allows us to assign arbitrary scopes to an action.  The hooks-related pieces of this are in place, so I need to figure out the rest and parcel out the work.
Summary: Consider using hooks for some actions on level 3 repos → Use hooks for actions
Assignee: nobody → dustin
Blocks: 1437979
The question I'm working on is, how many hooks should we create?

The maximum would be one hook per action, per project.  Or one hook per action, per level.  In either of these cases, creating a new action requires creating a new hook, which erodes the self-serve nature of actions.  We like self-serve.

At the other end, we could just make one hook per level.  But that gets us no benefit in terms of limiting access (everyone would have scopes to run those hooks, thus to run any action) and doesn't allow any schema-based limitations of action context.

I think the middle ground is this:
 - define a generic hook for each level with limited scopes and minimal schema restrictions on its context, but which anyone with commit access to that level can trigger.  This is basically the same as our current actions, but with more limited scopes.
 - for specific actions that require additional privileges, create specific hooks.  These will have names generated in-tree (e.g., containing project name, level, action name, etc.) and some combination of
   - more-restrictive trigger schemas
   - more scopes granted to the hook
   - fewer people having the hooks:trigger-hook:<hook-name> scope

For example, to enable loaners at high priority, we might define a per-level hook with elevated scopes and a restricted trigger schema, but that is still available to everyone at the appropriate level.

Release promotion would have lots of extra scopes, but a very restrictive trigger schema and only be available to a small group of people.

---

OK, so that's pretty flexible, but now how do I manage the complexity?  In the near term, I think I'll do this with some taskcluster-admin scripts and some hacky command in-tree to export the list of expected hooks.  In the longer term, I think this is a great use-case for bug 1381870.
Brian, I'm curious if you see something I've missed here, or if I'm over-complicating this..
Flags: needinfo?(bstack)
I'm sorta wondering if we need the generic hook for each level at all? Couldn't those be normal actions? Otherwise this seems reasonable.
Flags: needinfo?(bstack)
I think even the "generic" level of scopes (queue:create-task:blahblah, etc.) is something we want to remove from users' day-to-day credentials.  But the consequent lack of schema validation does concern me.
Per some discussion today, I'm going to find some way to list frequently used action tasks and the scopes they require.  Then I'll use that to propose what scopes should be included in "generic" actions, and what should require action-specific hooks.
Attached file action-taskids
The 3482 successful action tasks I can find in the index..
And, here are the scopes used, per level:

*** level 1:
assume:repo:hg.mozilla.org/try:*
assume:repo:hg.mozilla.org/try:branch:default
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
*** level 2:
*** level 3:
assume:repo:hg.mozilla.org/integration/autoland:*
assume:repo:hg.mozilla.org/integration/autoland:branch:default
assume:repo:hg.mozilla.org/integration/mozilla-inbound:*
assume:repo:hg.mozilla.org/integration/mozilla-inbound:branch:default
assume:repo:hg.mozilla.org/mozilla-central:*
assume:repo:hg.mozilla.org/mozilla-central:branch:default
assume:repo:hg.mozilla.org/releases/mozilla-beta:*
assume:repo:hg.mozilla.org/releases/mozilla-beta:branch:default
assume:repo:hg.mozilla.org/releases/mozilla-release:*
assume:repo:hg.mozilla.org/releases/mozilla-release:branch:default
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:route:index.gecko.v2.autoland.pushlog-id.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.pushlog-id.*
queue:route:index.gecko.v2.mozilla-inbound.pushlog-id.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3

Of course, that doesn't really help -- those assume:repo:.. roles are precisely the roles that are too broad.  So I'll need to break that down by looking at the tasks those action tasks created.
OK, a better analysis.  This includes scopes for all tasks created by the action, as well as the action's own scopes.

*** action run_missing_tests at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:signing:cert:dep-signing
project:releng:signing:format:sha2signcode
project:releng:signing:format:widevine
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action backfill_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:signing:cert:nightly-signing
project:releng:signing:format:sha2signcode
project:releng:signing:format:widevine
queue:create-task:high:releng-hardware/gecko-t-osx-1010
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action add_new_jobs_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-imagebuilder-*
docker-worker:cache:level-1-tooltool-*
docker-worker:cache:level-1-try-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-android
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux-large
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux-xlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-xlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-xxlarge
queue:create-task:very-low:aws-provisioner-v1/gecko-1-images
queue:create-task:very-low:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-linux-talos
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.cache.level-1.docker-images.*
queue:route:index.gecko.cache.level-1.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-docs-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action retrigger_action_in_new_group at level 1:
docker-worker:cache:level-1-checkouts-*
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action add_new_jobs_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-imagebuilder-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-3-images
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-3-images
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.docker-images.*
queue:route:index.gecko.cache.level-3.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action cancel_all_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action release_promotion_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-tooltool-*
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.try.*
project:releng:balrog:channel:aurora
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:esr
project:releng:balrog:channel:esr-cdntest
project:releng:balrog:channel:esr-localtest
project:releng:balrog:channel:nightly
project:releng:balrog:channel:nightly-old-id
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:dep
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:bucket:dep
project:releng:buildbot-bridge:builder-name:release-try*
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-android
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:scriptworker-prov-v1/balrog-dev
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-dev
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.*
queue:route:index.releases.v1.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-1/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action purge_caches_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action release_promotion_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-beta-*
docker-worker:cache:level-3-mozilla-release-*
docker-worker:cache:level-3-tooltool-*
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.mozilla-beta.*
index:insert-task:gecko.v2.mozilla-release.*
project:releng:balrog:action:schedule
project:releng:balrog:action:submit-locale
project:releng:balrog:action:submit-toplevel
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:beta
project:releng:balrog:server:release
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:action:push-to-releases
project:releng:beetmover:bucket:release
project:releng:bouncer:action:aliases
project:releng:bouncer:action:submission
project:releng:bouncer:server:production
project:releng:buildbot-bridge:builder-name:release-mozilla-beta*
project:releng:buildbot-bridge:builder-name:release-mozilla-release*
project:releng:googleplay:beta
project:releng:googleplay:release
project:releng:ship-it:production
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:cert:release-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
project:releng:treescript:action:push
project:releng:treescript:action:tagging
project:releng:treescript:action:version_bump
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:aws-provisioner-v1/gecko-t-*
queue:create-task:high:buildbot-bridge/buildbot-bridge
queue:create-task:high:null-provisioner/human-breakpoint
queue:create-task:high:scriptworker-prov-v1/balrogworker-v1
queue:create-task:high:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:high:scriptworker-prov-v1/bouncer-v1
queue:create-task:high:scriptworker-prov-v1/depsigning
queue:create-task:high:scriptworker-prov-v1/dummy-worker-transpar
queue:create-task:high:scriptworker-prov-v1/pushapk-v1
queue:create-task:high:scriptworker-prov-v1/shipit-v1
queue:create-task:high:scriptworker-prov-v1/signing-linux-v1
queue:create-task:high:scriptworker-prov-v1/treescript-v1
queue:create-task:highest:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:highest:aws-provisioner-v1/gecko-t-*
queue:create-task:highest:buildbot-bridge/buildbot-bridge
queue:create-task:highest:null-provisioner/human-breakpoint
queue:create-task:highest:scriptworker-prov-v1/balrogworker-v1
queue:create-task:highest:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:highest:scriptworker-prov-v1/pushapk-v1
queue:create-task:highest:scriptworker-prov-v1/signing-linux-v1
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.*
queue:route:index.releases.v1.*
queue:route:notify.email.release-automation-notifications@mozilla.com.on-exception
queue:route:notify.email.release-automation-notifications@mozilla.com.on-failed
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/datadog-api-key
secrets:get:project/releng/gecko/build/level-3/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/releng/snapcraft/firefox/candidate
secrets:get:project/releng/snapcraft/firefox/edge
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action retrigger_action at level 1:
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-imagebuilder-*
docker-worker:cache:level-1-tooltool-*
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-1-images
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:route:index.gecko.cache.level-1.docker-images.*
queue:route:index.gecko.cache.level-1.toolchains.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action mochitest_retrigger_action at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action add_all_talos at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:route:coalesce.v1.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action run_missing_tests at level 1:
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1

*** action retrigger_action at level 3:
assume:project:taskcluster:gecko:level-3-sccache-buckets
docker-worker:cache:level-3-autoland-*
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-imagebuilder-*
docker-worker:cache:level-3-mozilla-central-*
docker-worker:cache:level-3-mozilla-inbound-*
docker-worker:cache:level-3-tooltool-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:format:gpg
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:low:aws-provisioner-v1/gecko-3-b-*
queue:create-task:low:aws-provisioner-v1/gecko-3-images
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:medium:aws-provisioner-v1/gecko-3-b-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:medium:scriptworker-prov-v1/depsigning
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.docker-images.*
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** action add_all_talos at level 1:
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-checkouts-*
docker-worker:cache:level-1-tooltool-*
docker-worker:cache:level-1-try-*
docker-worker:feature:allowPtrace
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-macosx64
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-win2012
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:route:index.gecko.v2.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/taskcluster/gecko/hgfingerprint
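
An added example (not code from this bug or from Taskcluster) of the comparison the per-action analysis above sets up: which observed scopes a candidate hook grant fails to cover, and which entries in the grant are already implied by a wildcard. The scope strings are excerpts copied from the lists in this bug (the grant from the generic-1 proposal in the following comment); the function names are hypothetical, and expansion of `assume:` roles is not modelled.

```python
"""Compare per-action observed scopes against a candidate hook grant."""


def satisfies(granted: str, required: str) -> bool:
    """Scope satisfaction with trailing-star wildcards.

    A granted scope satisfies a required one if they are equal, or if the
    granted scope ends in '*' and the required scope starts with the text
    before that star. A required scope that itself ends in '*' is treated
    as a plain string, so a narrower wildcard never satisfies a broader one.
    """
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def uncovered(grant, required):
    """Required scopes that no scope in the grant satisfies (sorted)."""
    return sorted(r for r in set(required)
                  if not any(satisfies(g, r) for g in grant))


def redundant(grant):
    """Grant entries already implied by a different entry in the same grant."""
    return sorted(g for g in set(grant)
                  if any(h != g and satisfies(h, g) for h in grant))


def audit(grant, observed_by_action):
    """Map each action name to the observed scopes the grant does not cover."""
    return {action: uncovered(grant, scopes)
            for action, scopes in observed_by_action.items()}


# Excerpt of the generic-1 hook grant proposed in this bug (not the full list).
GENERIC_1 = [
    "docker-worker:cache:level-1-*",
    "queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision",
    "queue:create-task:very-low:aws-provisioner-v1/gecko-1-*",
    "queue:create-task:very-low:aws-provisioner-v1/gecko-t-*",
    "queue:route:index.gecko.cache.level-1.*",
    "queue:route:index.gecko.v2.try.latest.*",
    "queue:route:index.gecko.v2.try.pushlog-id.*",
    "queue:route:index.gecko.v2.try.revision.*",
    "queue:route:tc-treeherder-stage.v2.try.*",
    "queue:route:tc-treeherder.v2.try.*",
    "queue:scheduler-id:gecko-level-1",
    "secrets:get:project/releng/gecko/build/level-1/*",
    "secrets:get:project/releng/gecko/build/level-1/gecko-docs-upload",
    "secrets:get:project/taskcluster/gecko/hgfingerprint",
]

# Observed level-1 scopes per action, copied from the analysis above
# (release_promotion_action is an excerpt, the other two are complete).
OBSERVED_LEVEL_1 = {
    "cancel_all_action": [
        "queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision",
        "queue:route:index.gecko.v2.*",
        "queue:route:tc-treeherder-stage.v2.try.*",
        "queue:route:tc-treeherder.v2.try.*",
        "queue:scheduler-id:gecko-level-1",
    ],
    "retrigger_action_in_new_group": [
        "docker-worker:cache:level-1-checkouts-*",
        "queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision",
        "queue:create-task:very-low:aws-provisioner-v1/gecko-t-*",
        "queue:route:index.gecko.v2.*",
        "queue:route:tc-treeherder-stage.v2.try.*",
        "queue:route:tc-treeherder.v2.try.*",
        "queue:scheduler-id:gecko-level-1",
        "secrets:get:project/taskcluster/gecko/hgfingerprint",
    ],
    "release_promotion_action": [
        "project:releng:balrog:channel:beta",
        "project:releng:balrog:server:dep",
        "queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-linux",
        "queue:create-task:very-low:scriptworker-prov-v1/balrog-dev",
        "queue:route:index.releases.v1.*",
    ],
}

if __name__ == "__main__":
    for action, missing in audit(GENERIC_1, OBSERVED_LEVEL_1).items():
        print(f"{action}: {len(missing)} observed scope(s) not covered")
        for scope in missing:
            print(f"    {scope}")
    print("implied by another grant entry:")
    for scope in redundant(GENERIC_1):
        print(f"    {scope}")
```

The broad `queue:route:index.gecko.v2.*` route shows up as uncovered for every action because the proposed grant lists only specific `index.gecko.v2.try.*` namespaces, so anything an action routes outside those namespaces would be rejected under the hook.
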
OK, I've taken a stab at dividing the actions: cancel_all_action, purge_cache_action, and release_promotion_action have their own hooks, while everything else is considered generic.  Below is what the required scopes look like, per level.

*** generic-1
*** triggerSchema allows anything
*** active_scm_level_1 has hooks:trigger-hook:project-releng/gecko-action-generic-1
*** hook-id:project-releng/gecko-action-generic-1 has
assume:project:taskcluster:gecko:level-1-sccache-buckets
assume:project:taskcluster:level-1-sccache-buckets
docker-worker:cache:level-1-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:feature:chainOfTrust
docker-worker:feature:dind
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
purge-cache:aws-provisioner-v1/*
queue:cancel-task:gecko-level-1/*
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:very-low:aws-provisioner-v1/gecko-1-*
queue:create-task:very-low:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:releng-hardware/gecko-t-linux-talos
queue:create-task:very-low:releng-hardware/gecko-t-osx-1010
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.cache.level-1.*
queue:route:index.gecko.v2.try.latest.*
queue:route:index.gecko.v2.try.nightly.*
queue:route:index.gecko.v2.try.pushdate.*
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:index.gecko.v2.try.revision.*
queue:route:index.gecko.v2.try.signed-nightly.*
queue:route:tc-treeherder-stage.v2.try.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-docs-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** generic-3
*** triggerSchema allows anything
*** active_scm_level_3 has hooks:trigger-hook:project-releng/gecko-action-generic-3
*** hook-id:project-releng/gecko-action-generic-3 has
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
docker-worker:cache:level-3-*
docker-worker:capability:device:loopbackVideo
docker-worker:feature:allowPtrace
docker-worker:feature:chainOfTrust
docker-worker:feature:dind
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
project:releng:beetmover:action:push-to-staging
project:releng:beetmover:bucket:dep
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:format:gpg
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
purge-cache:aws-provisioner-v1/*
queue:cancel-task:gecko-level-3/*
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:releng-hardware/gecko-t-osx-1010
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:low:aws-provisioner-v1/gecko-3-*
queue:create-task:low:aws-provisioner-v1/gecko-t-*
queue:create-task:low:buildbot-bridge/buildbot-bridge
queue:create-task:low:releng-hardware/gecko-t-linux-talos
queue:create-task:low:releng-hardware/gecko-t-osx-1010
queue:create-task:low:releng-hardware/gecko-t-win10-64-hw
queue:create-task:low:scriptworker-prov-v1/depsigning
queue:create-task:medium:aws-provisioner-v1/gecko-3-*
queue:create-task:medium:aws-provisioner-v1/gecko-t-*
queue:create-task:medium:buildbot-bridge/buildbot-bridge
queue:create-task:medium:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:medium:scriptworker-prov-v1/depsigning
queue:create-task:medium:scriptworker-prov-v1/signing-linux-v1
queue:get-artifact:project/gecko/android-ndk/*
queue:get-artifact:project/gecko/android-sdk/*
queue:route:coalesce.v1.*
queue:route:index.gecko.cache.level-3.*
queue:route:index.gecko.v2.autoland.latest.*
queue:route:index.gecko.v2.autoland.nightly.*
queue:route:index.gecko.v2.autoland.pushdate.*
queue:route:index.gecko.v2.autoland.pushlog-id.*
queue:route:index.gecko.v2.autoland.revision.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.latest.*
queue:route:index.gecko.v2.mozilla-central.nightly.*
queue:route:index.gecko.v2.mozilla-central.pushdate.*
queue:route:index.gecko.v2.mozilla-central.pushlog-id.*
queue:route:index.gecko.v2.mozilla-central.revision.*
queue:route:index.gecko.v2.mozilla-central.signed-nightly.*
queue:route:index.gecko.v2.mozilla-inbound.latest.*
queue:route:index.gecko.v2.mozilla-inbound.nightly.*
queue:route:index.gecko.v2.mozilla-inbound.pushdate.*
queue:route:index.gecko.v2.mozilla-inbound.pushlog-id.*
queue:route:index.gecko.v2.mozilla-inbound.revision.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:index.gecko.v2.trunk.*
queue:route:tc-treeherder-stage.v2.autoland.*
queue:route:tc-treeherder-stage.v2.mozilla-central.*
queue:route:tc-treeherder-stage.v2.mozilla-inbound.*
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.autoland.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-central.*
queue:route:tc-treeherder.v2.mozilla-inbound.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** release_promotion_action-1
*** triggerSchema allows only limited inputs
*** specific LDAP groups have hooks:trigger-hook:project-releng/gecko-action-release-promotion-1
    (?? not sure what this means at level 1)
*** hook-id:project-releng/gecko-action-release-promotion-1 has
assume:project:taskcluster:gecko:level-1-sccache-buckets
docker-worker:cache:level-1-*
docker-worker:feature:chainOfTrust
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.try.*
project:releng:balrog:channel:aurora
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:esr
project:releng:balrog:channel:esr-cdntest
project:releng:balrog:channel:esr-localtest
project:releng:balrog:channel:nightly
project:releng:balrog:channel:nightly-old-id
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:dep
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:bucket:dep
project:releng:buildbot-bridge:builder-name:release-try*
project:releng:signing:cert:dep-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
queue:create-task:lowest:aws-provisioner-v1/gecko-1-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:create-task:very-low:aws-provisioner-v1/gecko-1-b-*
queue:create-task:very-low:aws-provisioner-v1/gecko-t-*
queue:create-task:very-low:buildbot-bridge/buildbot-bridge
queue:create-task:very-low:scriptworker-prov-v1/balrog-dev
queue:create-task:very-low:scriptworker-prov-v1/beetmoverworker-dev
queue:create-task:very-low:scriptworker-prov-v1/depsigning
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.try.latest.*
queue:route:index.gecko.v2.try.nightly.*
queue:route:index.gecko.v2.try.pushdate.*
queue:route:index.gecko.v2.try.pushlog-id.*
queue:route:index.gecko.v2.try.revision.*
queue:route:index.gecko.v2.try.signed-nightly.*
queue:route:index.releases.v1.*
queue:route:tc-treeherder.v2.try.*
queue:scheduler-id:gecko-level-1
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-1/gecko-symbol-upload
secrets:get:project/taskcluster/gecko/hgfingerprint

*** release_promotion_action-3
*** triggerSchema allows only limited inputs
*** specific LDAP groups have hooks:trigger-hook:project-releng/gecko-action-release-promotion-3
*** hook-id:project-releng/gecko-action-release-promotion-3 has
assume:project:taskcluster:gecko:level-3-sccache-buckets
assume:project:taskcluster:level-3-sccache-buckets
auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
docker-worker:cache:level-3-checkouts-*
docker-worker:cache:level-3-mozilla-beta-*
docker-worker:cache:level-3-mozilla-release-*
docker-worker:cache:level-3-tooltool-*
docker-worker:feature:chainOfTrust
docker-worker:feature:relengAPIProxy
docker-worker:feature:taskclusterProxy
docker-worker:image:taskclusterprivate/upload_symbols:0.0.4
docker-worker:relengapi-proxy:tooltool.download.internal
docker-worker:relengapi-proxy:tooltool.download.public
index:insert-task:gecko.v2.mozilla-beta.*
index:insert-task:gecko.v2.mozilla-release.*
project:releng:balrog:action:schedule
project:releng:balrog:action:submit-locale
project:releng:balrog:action:submit-toplevel
project:releng:balrog:channel:beta
project:releng:balrog:channel:beta-cdntest
project:releng:balrog:channel:beta-localtest
project:releng:balrog:channel:release
project:releng:balrog:channel:release-cdntest
project:releng:balrog:channel:release-localtest
project:releng:balrog:server:beta
project:releng:balrog:server:release
project:releng:beetmover:action:push-to-candidates
project:releng:beetmover:action:push-to-releases
project:releng:beetmover:bucket:release
project:releng:bouncer:action:aliases
project:releng:bouncer:action:submission
project:releng:bouncer:server:production
project:releng:buildbot-bridge:builder-name:release-mozilla-beta*
project:releng:buildbot-bridge:builder-name:release-mozilla-release*
project:releng:googleplay:beta
project:releng:googleplay:release
project:releng:ship-it:production
project:releng:signing:cert:dep-signing
project:releng:signing:cert:nightly-signing
project:releng:signing:cert:release-signing
project:releng:signing:format:gpg
project:releng:signing:format:jar
project:releng:signing:format:macapp
project:releng:signing:format:mar_sha384
project:releng:signing:format:sha2signcode
project:releng:signing:format:sha2signcodestub
project:releng:signing:format:widevine
project:releng:treescript:action:push
project:releng:treescript:action:tagging
project:releng:treescript:action:version_bump
queue:create-task:high:aws-provisioner-v1/gecko-3-b-*
queue:create-task:high:aws-provisioner-v1/gecko-t-*
queue:create-task:high:buildbot-bridge/buildbot-bridge
queue:create-task:high:null-provisioner/human-breakpoint
queue:create-task:high:scriptworker-prov-v1/balrogworker-v1
queue:create-task:high:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:high:scriptworker-prov-v1/bouncer-v1
queue:create-task:high:scriptworker-prov-v1/depsigning
queue:create-task:high:scriptworker-prov-v1/dummy-worker-transpar
queue:create-task:high:scriptworker-prov-v1/pushapk-v1
queue:create-task:high:scriptworker-prov-v1/shipit-v1
queue:create-task:high:scriptworker-prov-v1/signing-linux-v1
queue:create-task:high:scriptworker-prov-v1/treescript-v1
queue:create-task:highest:aws-provisioner-v1/gecko-3-b-*
queue:create-task:highest:aws-provisioner-v1/gecko-symbol-upload
queue:create-task:highest:aws-provisioner-v1/gecko-t-*
queue:create-task:highest:buildbot-bridge/buildbot-bridge
queue:create-task:highest:null-provisioner/human-breakpoint
queue:create-task:highest:scriptworker-prov-v1/balrogworker-v1
queue:create-task:highest:scriptworker-prov-v1/beetmoverworker-v1
queue:create-task:highest:scriptworker-prov-v1/pushapk-v1
queue:create-task:highest:scriptworker-prov-v1/signing-linux-v1
queue:create-task:lowest:aws-provisioner-v1/gecko-3-decision
queue:create-task:lowest:aws-provisioner-v1/gecko-misc
queue:get-artifact:project/gecko/android-sdk/*
queue:route:index.gecko.v2.mozilla-beta.latest.*
queue:route:index.gecko.v2.mozilla-beta.nightly.*
queue:route:index.gecko.v2.mozilla-beta.pushdate.*
queue:route:index.gecko.v2.mozilla-beta.pushlog-id.*
queue:route:index.gecko.v2.mozilla-beta.revision.*
queue:route:index.gecko.v2.mozilla-beta.signed-nightly.*
queue:route:index.gecko.v2.mozilla-release.latest.*
queue:route:index.gecko.v2.mozilla-release.nightly.*
queue:route:index.gecko.v2.mozilla-release.pushdate.*
queue:route:index.gecko.v2.mozilla-release.pushlog-id.*
queue:route:index.gecko.v2.mozilla-release.revision.*
queue:route:index.gecko.v2.mozilla-release.signed-nightly.*
queue:route:index.releases.v1.*
queue:route:notify.email.release-automation-notifications@mozilla.com.on-exception
queue:route:notify.email.release-automation-notifications@mozilla.com.on-failed
queue:route:tc-treeherder-stage.v2.mozilla-release.*
queue:route:tc-treeherder.v2.mozilla-beta.*
queue:route:tc-treeherder.v2.mozilla-release.*
queue:scheduler-id:gecko-level-3
secrets:get:project/releng/gecko/build/level-3/*
secrets:get:project/releng/gecko/build/level-3/datadog-api-key
secrets:get:project/releng/gecko/build/level-3/gecko-generated-sources-upload
secrets:get:project/releng/gecko/build/level-3/gecko-symbol-upload
secrets:get:project/releng/snapcraft/firefox/candidate
secrets:get:project/releng/snapcraft/firefox/edge
secrets:get:project/taskcluster/gecko/hgfingerprint

I'm sure a lot of this can be simplified with role inheritance, but this is the general idea.  Aki, do the signing scopes afforded the generic actions seem OK?
Flags: needinfo?(aki)
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #10)
> Aki, do the signing scopes afforded the generic actions
> seem OK?

Yes. The :format: isn't sensitive at the moment, only :cert:, and we appear to be limiting nightly to generic level 3 and release to release promotion level 3. Sounds right. I looked at the other scriptworker scopes; those appear correct as well.

Will these scopes be editable via roles like they are today? They're closer to being stable than they were a couple quarters ago, but they still may be in flux.
Flags: needinfo?(aki)
Yes, I'll reflect all of this into roles.  I haven't quite figured out how just yet, but that's the next step :)
Ah, I think I see the conceptual distinction here: the generic action corresponds to anything that a push might do -- retriggers, add tasks, etc.  Where an action requires scopes that are not available for a "regular" push, it will need its own hook.  That maps nicely to relpromo, cancellation, purging caches, and nightlies.
With that in mind, the proposed arrangement of roles is this:

mozilla-group:active_scm_level_N is changed from assume:repo:.. for each repo at level N to:
 hooks:trigger-hook:project-releng/gecko-action-N-generic
 hooks:trigger-hook:project-releng/gecko-action-N-purge-cache
 hooks:trigger-hook:project-releng/gecko-action-N-cancel-all
(and any other actions afforded to everyone at that level).

mozilla-group:releng (and relman?) gets
 hooks:trigger-hook:project-releng/gecko-action-{1,2,3}-relpromo

That *dramatically* reduces the set of scopes that users have.  It does mean that we need to implement loaners as an action.

---

We currently use roles
  repo:hg.mozilla.org/<repo>:push -- for pushes
  repo:hg.mozilla.org/<repo>:cron:<crontask> -- for cronjobs
and in fact we define scopes that should be available to all jobs on that repo in role repo:hg.mozilla.org/<repo>:*.  That currently has some "scary" scopes in it, and per comment 13 those scopes should not be available to a decision task that results from a push.  Some of them are already in ..:cron:nightly.

We will add roles
  repo:hg.mozilla.org/<repo>:action:<actionPerm>
which have the "scary" scopes required to accomplish any particular action.  This role will automatically inherit the non-scary ...:* scopes, allowing create-task and so on.  I'll define `actionPerm` as the permission needed for an action: either the action name, or "generic" for actions that can use generic permissions.

These roles will use some utility roles under project:releng, such as project:releng:action:level-3:relpromo:<proj>.

Note that there's probably no reason to define role ...:action:generic explicitly, as it should have no more scopes than ...:*.

---

Hooks run with a `hook-id` role, so we'll define some roles as follows:

  hook-id:project-releng/gecko-action-1-generic:
    assume:hg.mozilla.org:<repo>:action:generic for all level-1 <repo>
  hook-id:project-releng/gecko-action-1-purge-cache:
    assume:hg.mozilla.org:<repo>:action:purge-cache for all level-1 <repo>
  hook-id:project-releng/gecko-action-2-generic:
    assume:hg.mozilla.org:<repo>:action:generic for all level-2 <repo>
  hook-id:project-releng/gecko-action-3-generic:
    assume:hg.mozilla.org:<repo>:action:generic for all level-3 <repo>
  hook-id:project-releng/gecko-action-3-relpromo:
    assume:hg.mozilla.org:<repo>:action:relpromo for all level-3 <repo>

etc.
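
The role arrangement proposed above, worked through as an added example (not part of the original comment and not Taskcluster's own code): a simplified model of scope satisfaction and role expansion showing that a level-3 user can trigger the hook but cannot create tasks directly. Role ids are assumed to use the `repo:hg.mozilla.org/<repo>:action:<actionPerm>` form, and the role contents are constructed and trimmed to a few scopes from the lists above.

```python
# Simplified model of scope satisfaction and role expansion (assumption: only
# exact matches and trailing-* prefixes are modelled). Role contents are
# constructed for illustration, trimmed from the scope lists in this bug.

REPO = "repo:hg.mozilla.org/mozilla-central"

ROLES = {
    "mozilla-group:active_scm_level_3": [
        "hooks:trigger-hook:project-releng/gecko-action-3-generic",
        "hooks:trigger-hook:project-releng/gecko-action-3-purge-cache",
        "hooks:trigger-hook:project-releng/gecko-action-3-cancel-all",
    ],
    "mozilla-group:releng": [
        "hooks:trigger-hook:project-releng/gecko-action-3-relpromo",
    ],
    "hook-id:project-releng/gecko-action-3-generic": [
        "assume:" + REPO + ":action:generic",
    ],
    "hook-id:project-releng/gecko-action-3-relpromo": [
        "assume:" + REPO + ":action:relpromo",
    ],
    # Non-scary scopes shared by every job on the repo.
    REPO + ":*": [
        "queue:create-task:low:aws-provisioner-v1/gecko-3-*",
        "queue:scheduler-id:gecko-level-3",
    ],
    # Scary scopes needed only by one action.
    REPO + ":action:relpromo": [
        "project:releng:signing:cert:release-signing",
    ],
}


def satisfies(have, want):
    """True if some scope in `have` grants `want` (exact or trailing-* prefix)."""
    return any(
        h == want or (h.endswith("*") and want.startswith(h[:-1]))
        for h in have
    )


def role_matches(role_id, assumed):
    """Does `assume:<assumed>` pull in the role named `role_id`?"""
    if role_id == assumed:
        return True
    # A role id ending in * applies to every assumed role under that prefix.
    if role_id.endswith("*") and assumed.startswith(role_id[:-1]):
        return True
    # assume:foo* pulls in every role whose id starts with foo.
    return assumed.endswith("*") and role_id.startswith(assumed[:-1])


def expand(scopes, roles):
    """Expand assume: scopes through `roles` until nothing new is added."""
    result = set(scopes)
    changed = True
    while changed:
        changed = False
        for scope in list(result):
            if not scope.startswith("assume:"):
                continue
            assumed = scope[len("assume:"):]
            for role_id, role_scopes in roles.items():
                if role_matches(role_id, assumed) and not set(role_scopes) <= result:
                    result |= set(role_scopes)
                    changed = True
    return result


def user_scopes(groups):
    """Scopes a user holds through LDAP group membership."""
    return expand({"assume:mozilla-group:" + g for g in groups}, ROLES)


def hook_scopes(hook_id):
    """Scopes the hooks service uses when it creates the hook's task."""
    return expand({"assume:hook-id:" + hook_id}, ROLES)


if __name__ == "__main__":
    create = "queue:create-task:low:aws-provisioner-v1/gecko-3-b-linux"
    cert = "project:releng:signing:cert:release-signing"
    dev = user_scopes(["active_scm_level_3"])
    print("level-3 user can create tasks directly:", satisfies(dev, create))
    for name in ("generic", "relpromo"):
        held = hook_scopes("project-releng/gecko-action-3-" + name)
        print(name, "hook: create-task", satisfies(held, create),
              "| release cert", satisfies(held, cert))
```
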
I think it probably makes sense for the hooks and scopes to be under something like `project-gecko`, so that thunderbird can use `project-comm` for the equivalent scopes there.
A few open questions (other than "will this work?")

@tomprince:

Will this work acceptably with suitable s/gecko/comm/?  IIRC that substitution doesn't work everywhere, and IIRC you would like to change gecko -> firefox, too.  Perhaps we should do some cleanup along those lines first?

@bstack:

I see there is a loaner action already, but Treeherder still implements that with a link to https://tools.taskcluster.net/one-click-loaner/#taskId.  Was there a blocker to changing that to use an action?
I don't remember why exactly. It might've just been that we didn't bother to port it. Also might have something to do with windows/linux/osx but that doesn't make much sense to me right now.
I created project "gecko" and I'll use that in place of "releng".

By the way, I should have written ":branch:default" instead of ":push" above.
Commits pushed to master at https://github.com/taskcluster/taskcluster-docs

https://github.com/taskcluster/taskcluster-docs/commit/b421e6504d0883897ef0dd70c4a90c262230dc12
Bug 1415868 - refactor actions doc to allow multiple kinds

This moves some of the more verbose schema descriptions out into the
manual, leaving the schema quite a bit shorter.  It will get longer when
a new kind is added!

https://github.com/taskcluster/taskcluster-docs/commit/6c9e7b431a22b1220e632528c1e45931d0fa5ccf
Bug 1415868 - document kind=hook

https://github.com/taskcluster/taskcluster-docs/commit/5e6625c6fe04df027d9a7152d14cc0586314dcf9
Bug 1415868 - add a section on choosing a kind, security concerns

https://github.com/taskcluster/taskcluster-docs/commit/53c748bf64535afcb138ffe9468a9ca1538242e6
Bug 1415868 - refactor docs based on review comments

https://github.com/taskcluster/taskcluster-docs/commit/b4b6d0e9ca39c7f47b7e32ab18ba6c879432544e
Merge pull request #250 from djmitche/bug1415868

Bug 1415868 - docs for actions with kind=hook
I just created hook `project-gecko/in-tree-action-1-generic` to try things out (using tc-admin)
Depends on: 1455697
And that successfully retriggered a task!

  https://tools.taskcluster.net/groups/LU9AvBDuR9uDHKACyXOoIQ/tasks/LU9AvBDuR9uDHKACyXOoIQ/runs/0/logs/public%2Flogs%2Flive.log

So the issue here is that the total number of inputs to turn a generic "run an action" hook into an actual task definition is pretty huge:

  https://gist.github.com/djmitche/b338559f8e1eae35e3e36a30f00759ed/ea2eb8167223d4e86bd51f27b61bd4e271054051#file-test-payload-yml

that divides into two parts:

  1. information that the decision task "bakes in" to actions.json:
    action
    push
    repository
    callback
    parameters

  2. information from the UI
    input
    task
    taskId
    taskGroupId
    ownTaskId (bug 1455697)

Currently I'm providing that all as the trigger payload, but part 1 still needs to come from the decision task.  The only way I see to do that is to provide it in the schema, including the data as default values.  It might even be nice if the schema enforced those values, but that likely requires including all of that data *twice* in the schema.

Jonas, as schema expert, what are your thoughts?

The other issue is that the action task definition is currently based on .taskcluster.yml, so generating it in tc-admin is a bit of an awkward fit.  The result is a {$let: .., in: <task from .taskcluster.yml>} structure.  We can potentially duplicate that, if it's useful. Ideally the action tasks created by a hook should still be verifiable by CoTv2. This redoubles my conviction that all of this runtime configuration (hooks, roles, etc.) should be done in-tree..

Aki, in CoTv2, to validate an action, are you taking the action from actions.json and supplying its inputs?  Or going all the way back to .taskcluster.yml and supplying the full set?
Flags: needinfo?(jopsen)
Flags: needinfo?(aki)
It seems I forgot (despite an admonition to the contrary in the docs, that I wrote!) that there are two JSON-e parameterizations here.  So I think this doesn't require schema defaults.
The purge-caches implementation trusts the `task` input, pulling the things to purge from there:

https://dxr.mozilla.org/mozilla-central/source/taskcluster/taskgraph/actions/purge_caches.py
def purge_caches_action(parameters, input, task_group_id, task_id, task):
    if task['payload'].get('cache'):
        for cache in task['payload']['cache']:
            purge_cache(task['provisionerId'], task['workerType'], cache, use_proxy=True)
    else:
        logger.info('Task has no caches. Will not clear anything!')

I think this is OK -- purging caches is hardly dangerous -- but for other hooks it might be problematic.  The task definition (and parameters) is also quite large, and often unnecessary.  Perhaps it would be better to omit it for type=hook actions, and require the action implementations to fetch them if needed?  That would probably be best accomplished in a follow-up.  What do you think, Jonas?
Would something like how cron hooks work make sense? That is, there is a fairly simple (and standardized) task definition. And then that calls code in-tree to generate an action task based on the in-tree `.taskcluster.yml`?
For the issue in comment 26, no -- we can easily add some utility functions that will fetch a task or the decision task's parameters without requiring execution of a second task.

And in general, I want to avoid that, as it will delay an already fairly slow process by requiring another round of task create-claim-start-execute-resolve.
I have a bunch of patches that can land together now, and set things up to use hooks as actions, but do not actually convert the actions.  Treeherder still needs to be updated before we can do that.

https://github.com/taskcluster/taskcluster-admin/pull/20 -- this has already been applied in production, so hopefully it's OK
https://github.com/taskcluster/taskcluster-tools/pull/525 -- this was *way* easier than I expected!
Comment on attachment 8971065 [details]
Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes;

https://reviewboard.mozilla.org/r/239826/#review245532

::: .taskcluster.yml:74
(Diff revision 1)
>        scopes:
>          $if: 'tasks_for == "hg-push"'
>          then:
>            - 'assume:repo:${repoUrl[8:]}:branch:default'
>            - 'queue:route:notify.email.${ownerEmail}.*'
> +          - 'in-tree:hook-action:project-gecko/in-tree-action-${repository.level}-*'
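
Review bot: the added scope on the last line ends in `-*`, so a decision task holds `in-tree:hook-action:` for every hook named `in-tree-action-${repository.level}-...`, including any created later with more sensitive permissions, and `project-gecko` is hard-coded in a file that other projects copy. A YAML comment above the line saying what holding this scope permits and why the wildcard is wanted would help, as would deriving the project name rather than spelling it out.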

@tomprince: I suspect we can s/gecko/comm/ in comm's `/.taskcluster.yml`, right?
hassan, any chance I could lean on you to make changes equivalent to https://github.com/taskcluster/taskcluster-tools/pull/525 in treeherder?  That's based off of https://docs.taskcluster.net/manual/using/actions/spec and https://docs.taskcluster.net/manual/using/actions/ui.
Flags: needinfo?(jopsen) → needinfo?(helfi92)
Yep, I can take care of it.
Flags: needinfo?(helfi92)
Comment on attachment 8971062 [details]
Bug 1415868 - add 'mach taskgraph actions';

https://reviewboard.mozilla.org/r/239820/#review245808

It would be nice if the new command either didn't take, or handled, all the options it can be given (`--json`/`--labels`, `--fast`, `--task-regex`, `--no-optimize`).
Attachment #8971062 - Flags: review?(mozilla) → review+
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;

https://reviewboard.mozilla.org/r/239822/#review245810

::: taskcluster/taskgraph/actions/registry.py:247
(Diff revision 1)
>      # functions to populate the action registry.
>      actions_dir = os.path.dirname(__file__)
>      for f in os.listdir(actions_dir):
>          if f.endswith('.py') and f not in ('__init__.py', 'registry.py', 'util.py'):
>              __import__('taskgraph.actions.' + f[:-3])
> -        if f.endswith('.yml'):
> +        # TODO: support loaners through a hook

It seems unlikely that the code for supporting a loaner will go here, so it would be better to turn this into a bug, and not leave a comment here.
Attachment #8971063 - Flags: review?(mozilla) → review+
Comment on attachment 8971064 [details]
Bug 1415868 - add support for defining actions with kind=hook;

https://reviewboard.mozilla.org/r/239824/#review245844

This looks good, but it might need to change to match changes requested in https://github.com/taskcluster/taskcluster-admin/pull/20

::: taskcluster/taskgraph/actions/registry.py:163
(Diff revision 1)
> +                'name': name,
> +                'title': title,
> +                'description': description,
> +                'taskGroupId': task_group_id,
> +                'repo_scope': repo_scope,
> +                'cb_name': cb.__name__,
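
Review bot: `'repo_scope': repo_scope` and `'cb_name': cb.__name__` in this dict decide which repository role and which callback the action runs with, and nothing in the visible lines marks them as trusted or untrusted. If this dict reaches the payload that the caller of the hook can influence, both values should be pinned by the hook definition instead of read back from input; a comment on each key stating which case applies, or dropping `repo_scope` from the dict, would settle it.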

Given the security concerns, does this even want to be included in hook actions? My feeling is not.

::: taskcluster/taskgraph/actions/registry.py:226
(Diff revision 1)
> +                            'taskGroupId': {'$eval': 'taskGroupId'},
> +                        }
>                      },
> -                    'in': taskcluster_yml['tasks'][0]
>                  }
> +            rv['name'] = name

nit: I'd do `rv = {...}` above the conditional, and then `rv.update({...})` inside it.
Attachment #8971064 - Flags: review?(mozilla) → review+
Comment on attachment 8971064 [details]
Bug 1415868 - add support for defining actions with kind=hook;

https://reviewboard.mozilla.org/r/239824/#review245844

> Given the security concerns, does this even want to be included in hook actions? My feeling is not.

For generic actions (actionPerm='generic') it does need to be here.  For the non-generic, its value has to be "forced" whether it's present in the payload or not.

> nit: I'd do `rv = {...}` above the conditional, and then `rv.update({...})` inside it.

I like that..
Blocks: 1271677
Comment on attachment 8971062 [details]
Bug 1415868 - add 'mach taskgraph actions';

https://reviewboard.mozilla.org/r/239820/#review246632
Attachment #8971062 - Flags: review?(jopsen) → review+
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;

https://reviewboard.mozilla.org/r/239822/#review246634

::: commit-message-d59da:9
(Diff revision 2)
> +so this mode of action definition will not be possible. This is not currently
> +used from Treeherder (it links to
> +https://tools.taskcluster.net/tasks/<taskid>/interactive instead)
> +
> +This drops support for the JSON-e-only interactive action; that action is not
> +currently used from treeherder, so that should have no impact for users.

It is present in treeherder, you just have to dig into the actions menu... it's that well hidden.

I'll agree it probably won't affect users.
But the plan was for TH to remove the link to:
`tools.taskcluster.net/tasks/<taskid>/interactive`
and exclusively use this.

This will move that one step backwards.
And it won't provide an alternative action.

I could be wrong, and I'm not sure we should block on this. Just that at least we should be aware.
Think of it as avoiding having to re-implement something because the old version wasn't already in production.  It will eventually be implemented with a hook-based in-tree action.
Attachment #8971063 - Flags: review?(jopsen)
Attachment #8972298 - Flags: review?(mozilla)
Attachment #8972298 - Flags: review?(jopsen)
OK, new round of reviews is up.  Here are my notes from previous reviews and our conversation last week:

* [DONE] add detail to hooks' triggerSchema to indicate specific keys in action, push, and repository
* [DONE] don't include repo_scope in the hookPayload (and don't generate it in the in-tree code)
* [DONE] Rework these overrides to be a little clearer that we either take the given value, or force it, and why (with some comments).
  * [DONE] Merge action.foo properties individually, rather than dict merge
* [ALREADY THE CASE] Advise to keep data provided to hooks.triggerHook as small as possible - that's the trust boundary, so probably not the task
* [DONE] Just drop the `task` field in the spec
* [DONE] docs/spec: ownTaskId not included for hooks
* [DONE] use taskId from hooks service
* [DONE] Pull tc.yml from comm-central for comm-central trustdomain
Comment on attachment 8971065 [details]
Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes;

https://reviewboard.mozilla.org/r/239826/#review246716
Attachment #8971065 - Flags: review?(mozilla) → review+
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK

https://reviewboard.mozilla.org/r/240960/#review246724

::: .taskcluster.yml:112
(Diff revision 1)
>              - $if: 'tasks_for == "action"'
>                then:
>                  ACTION_TASK_GROUP_ID: '${ownTaskId}'
>                  ACTION_TASK_ID: {$json: {$eval: 'taskId'}}
> +                # note that this is always NULL for actions with kind=hook
>                  ACTION_TASK: {$json: {$eval: 'task'}}
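
Review bot: the added comment says `ACTION_TASK` is always NULL for kind=hook, but the following `ACTION_TASK: {$json: {$eval: 'task'}}` line still evaluates `task` unconditionally, so the hook's JSON-e context has to define `task` as null; if it is missing from the context instead, the `$eval` cannot render. Either guard the entry with an `$if` on the action kind or remove the variable, and say in the comment where a callback should get the task definition when it needs one.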

Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.

We can move that into just the actions that need that later.
> Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.

Just to be clear you're suggesting fetching the task with `queue.task(..)`?
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #65)
> > Let's drop this now, and for compatibility with old action implementations, get this in `trigger_action_callback`.
> 
> Just to be clear you're suggesting fetching the task with `queue.task(..)`?

Presumably `taskgraph.util.taskcluster.get_task_definition`. So, yes?
Commits pushed to master at https://github.com/taskcluster/taskcluster-docs

https://github.com/taskcluster/taskcluster-docs/commit/b9b9233b09e27cc5606f628e640c6550ae6f25f7
Bug 1415868 - ownTaskId and task are not provided for kind=hook

(with some minor formatting fixes)

https://github.com/taskcluster/taskcluster-docs/commit/cd8f6317eb3edb06a33ca3db24fe0b6532981e9b
Merge pull request #255 from djmitche/bug1415868-b

Bug 1415868 - ownTaskId and task are not provided for kind=hook
Comment on attachment 8971063 [details]
Bug 1415868 - Remove support for register_action_task;

https://reviewboard.mozilla.org/r/239822/#review246778
Attachment #8971063 - Flags: review+
Comment on attachment 8971064 [details]
Bug 1415868 - add support for defining actions with kind=hook;

https://reviewboard.mozilla.org/r/239824/#review246780
Attachment #8971064 - Flags: review?(jopsen) → review+
Comment on attachment 8971065 [details]
Bug 1415868 - include in-tree:hook-action:..{level}-* in decision task scopes;

https://reviewboard.mozilla.org/r/239826/#review246782
Attachment #8971065 - Flags: review?(jopsen) → review+
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK

https://reviewboard.mozilla.org/r/240960/#review246788

::: .taskcluster.yml:112
(Diff revision 1)
>              - $if: 'tasks_for == "action"'
>                then:
>                  ACTION_TASK_GROUP_ID: '${ownTaskId}'
>                  ACTION_TASK_ID: {$json: {$eval: 'taskId'}}
> +                # note that this is always NULL for actions with kind=hook
>                  ACTION_TASK: {$json: {$eval: 'task'}}

What tomprince said :)
Attachment #8972298 - Flags: review?(jopsen) → review+
I've tested both kind=hook and kind=task actions on the above try push.  The hooks in place are based on .taskcluster.yml from that try push.  Everything seems to work.

Next steps:
- r+ on the last patch
- land this (but not the DO NOT LAND patch)
- sort out how to verify this with CoTv2
  (note that just landing the attached patches won't result in any kind=hook actions being run, so this can wait)
- uplift graph-config stuff (tomprince)
- uplift this as far as possible (hopefully to esr52)
- start porting actions to use kind=hook
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK

https://reviewboard.mozilla.org/r/240960/#review246806
Attachment #8972298 - Flags: review?(mozilla) → review+
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #72)
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=d7665b9f894a550d83cfa1bc9ce01fedd11950c6

`verify_cot --task-type action --cleanup -- RUSih0YTT1uhfyKyiuNmXA` passes cotv2.
Aki and I chatted.  At the moment, we're not sure how that verify worked, but Aki is looking into it.

My understanding of the way we'd like CoT verification to work is that CoT determines the inputs to .taskcluster.yml that would have generated this action, renders with JSON-e, and compares the result.

That necessitates having .taskcluster.yml and the hook object's task template match (the template surrounds the .taskcluster.yml content with a {$let: .., in: ..} but otherwise includes it verbatim).  To accomplish that, Aki suggested hashing `.taskcluster.yml` and including the hash (or a prefix of it) in the hookId.

Then the challenge is just to run the script to create hooks before they're needed.  We could accomplish that with a task that runs on push that verifies the hook exists and, if not, suggests running the script.  The script will need elevated privs, so we would rather not have it run automatically!
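
The hash-in-hookId idea and the on-push existence check described above, sketched as an added example (not code from this bug, taskgraph or scriptworker). The `<name>/<digest>` hookId layout, the function names and the sample `.taskcluster.yml` text are assumptions made for illustration; the sample is written in the JSON subset of YAML so the standard library can parse it.

```python
import copy
import hashlib
import json

# Constructed stand-in for two revisions of .taskcluster.yml.
TCYML_REV_A = """{
  "version": 1,
  "tasks": [
    {
      "provisionerId": "aws-provisioner-v1",
      "workerType": "gecko-${repository.level}-decision",
      "payload": {"maxRunTime": 1800}
    }
  ]
}"""
TCYML_REV_B = TCYML_REV_A.replace('"maxRunTime": 1800', '"maxRunTime": 3600')


def tcyml_digest(tcyml_text, length=10):
    """Prefix of the SHA-256 of the raw file text (whitespace changes count)."""
    return hashlib.sha256(tcyml_text.encode("utf-8")).hexdigest()[:length]


def build_hook(trust_domain, level, action_perm, tcyml_text):
    """What the privileged hook-creation script would produce for one revision."""
    tcyml = json.loads(tcyml_text)
    return {
        "hookGroupId": "project-%s" % trust_domain,
        # Hypothetical layout: the digest ties the hook to one file revision.
        "hookId": "in-tree-action-%s-%s/%s"
                  % (level, action_perm, tcyml_digest(tcyml_text)),
        # The template wraps tasks[0] verbatim so a verifier can re-render it.
        "task": {
            "$let": {"taskGroupId": {"$eval": "taskGroupId"}},
            "in": tcyml["tasks"][0],
        },
    }


def check_hook(hook, tcyml_text):
    """Return a list of mismatches between a hook and this revision's file."""
    problems = []
    if not hook["hookId"].endswith("/" + tcyml_digest(tcyml_text)):
        problems.append("hookId digest does not match .taskcluster.yml")
    template = hook.get("task", {})
    if set(template) != {"$let", "in"}:
        problems.append("task template is not a {$let, in} wrapper")
    elif template["in"] != json.loads(tcyml_text)["tasks"][0]:
        problems.append("template body differs from .taskcluster.yml tasks[0]")
    return problems


def push_check(existing, trust_domain, level, action_perm, tcyml_text):
    """On-push check: None if the hook exists, else a message for a human.

    `existing` is a set of "hookGroupId/hookId" strings. The check only
    reports; creating the hook stays a manual, privileged step.
    """
    hook = build_hook(trust_domain, level, action_perm, tcyml_text)
    full_id = hook["hookGroupId"] + "/" + hook["hookId"]
    if full_id in existing:
        return None
    return "hook %s is missing; run the hook-creation script" % full_id


if __name__ == "__main__":
    hook = build_hook("gecko", 3, "generic", TCYML_REV_A)
    print(hook["hookGroupId"] + "/" + hook["hookId"])
    print("same revision:", check_hook(hook, TCYML_REV_A))
    print("new revision: ", check_hook(hook, TCYML_REV_B))
    tampered = copy.deepcopy(hook)
    tampered["task"]["in"]["workerType"] = "gecko-3-b-linux"
    print("edited hook:  ", check_hook(tampered, TCYML_REV_A))
```
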
Ah, looks like I missed this line in the logs: 2018-05-03T11:27:54  WARNING - DEPRECATED_DECISION_TASK RUSih0YTT1uhfyKyiuNmXA while verifying task RUSih0YTT1uhfyKyiuNmXA

which means it failed back to cotv1. I need to add support for .taskcluster.yml usage for actions as well. Is there going to be some flag I can look for to toggle this behavior? No matter how tightly we couple the landing + rollout of a new scriptworker, I imagine there will be some old behavior somewhere.
Attempts at getting `verify_cot --task-type action --min-cot-version 2 --cleanup RUSih0YTT1uhfyKyiuNmXA` are here [1], not yet successful. Ideally we get both current and new-style actions passing.

[1] https://github.com/escapewindow/scriptworker/commits/action-hook-cot
Depends on: cotv3
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK

https://reviewboard.mozilla.org/r/240960/#review248340

::: taskcluster/mach_commands.py
(Diff revision 2)
>              root = options['root']
>  
>              return taskgraph.actions.trigger_action_callback(
>                      task_group_id=task_group_id,
>                      task_id=task_id,
> -                    task=task,
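
Review bot: with `task=task` dropped from the `trigger_action_callback(...)` call, the callee's signature and every registered callback that still reads a `task` argument need to change in the same revision, and this hunk shows only the call site. Worth confirming that no callback still depends on the full task definition being passed in, since it would otherwise fail only when the action is triggered.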

I think this will break cot verification of action tasks until bug 1459705 is fixed.
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK

https://reviewboard.mozilla.org/r/240960/#review248340

> I think this will break cot verification of action tasks until bug 1459705 is fixed.

It shouldn't -- this is about what options are passed to the Python callback, and is entirely within the action task.  Other parts of the patch omit ACTION_TASK from .taskcluster.yml, which will have the effect of omitting them from actions.json.  But CoTv2 is verifying action tasks against actions.json, so that will still match.  Have I missed something?
Comment on attachment 8972298 [details]
Bug 1415868 - remove ACTION_TASK

https://reviewboard.mozilla.org/r/240960/#review248340

> It shouldn't -- this is about what options are passed to the Python callback, and is entirely within the action task.  Other parts of the patch omit ACTION_TASK from .taskcluster.yml, which will have the effect of omitting them from actions.json.  But CoTv2 is verifying action tasks against actions.json, so that will still match.  Have I missed something?

If actions.json is unchanged, then I think we're good. If we remove the task json from actions.json as we did in the try push, then cot will break.
Well, actions.json is changed, but still contains a task definition.  It was only the retrigger action, and only on that try push, that had kind=hook.  That's in the "DO NOT MERGE" revision :)
Cool, good to hear. I'll try to get the hook cot verification in soon.
Commit pushed to master at https://github.com/mozilla/treeherder

https://github.com/mozilla/treeherder/commit/85766e2787ec6420b49f986a37f6039067262093
Bug 1415868 - Use hooks for actions (#3502)

* Add hooks for actions

* Remove task from context for kind == hook

Also display hookGroupId/hookId for kind=hook
in the modal.

* Move taskcluster-lib-scopes to the vendor chunk
(In reply to Aki Sasaki [:aki] from comment #84)
> Cool, good to hear. I'll try to get the hook cot verification in soon.

Status: https://bugzilla.mozilla.org/show_bug.cgi?id=1459705#c2
Could we address the `repo_scope` pre-population and kind=hook taskGroupId bustage? Once we have those fixed, I can remove those hardcoded hacks from cotv3.
I'm going to try to get this landed on Monday, without the DO NOT MERGE part.  Today seems risky :)
OK, https://tools.taskcluster.net/tasks/NdzxKw8bS5Sw5DRhoiM14w is the result of a retrigger on the try push with the latest patch applied (and having run tcadmin to update the hook defs)

The hook payload (copying from the 'Params' tab in devtools kinda stinks..):

decision	{…}
action	{…}
cb_name	retrigger_action
description	Create a clone of the task.
name	retrigger
symbol	rt
taskGroupId	c5nn2xbNS9mJxeVC0uNElg
title	Retrigger
parameters	{…}
app_version	62.0a1
base_repository	https://hg.mozilla.org/mozilla-unified
build_date	1526682222
build_number	1
do_not_optimize	{}
existing_tasks	{}
filters	{…}
0	check_servo
1	target_tasks_method
head_ref	f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
head_repository	https://hg.mozilla.org/try
head_rev	f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
include_nightly	true
level	1
message	
moz_build_date	20180518222342
next_version	null
optimize_target_tasks	false
owner	dmitchell@mozilla.com
project	try
pushdate	1526682222
pushlog_id	272718
release_enable_emefree	false
release_enable_partners	false
release_eta	
release_history	{}
release_partner_build_number	1
release_partner_config	{}
release_partners	{}
release_product	null
release_type	
target_tasks_method	try_tasks
try_mode	try_task_config
try_options	null
try_task_config	{…}
tasks	{…}
version	62.0a1
push	{…}
owner	mozilla-taskcluster-maintenance@mozilla.com
pushlog_id	272718
revision	f41b2f50ff48ef4265e7be391a6e5e4b212f96a0
repository	{…}
level	1
project	try
url	https://hg.mozilla.org/try
user	{…}
input	{…}
downstream	false
times	1
taskGroupId	c5nn2xbNS9mJxeVC0uNElg
taskId	H1mVqFQbS3Sqwo5tWMLtYw

but more importantly, in the resulting task:
    "ACTION_TASK_GROUP_ID": "c5nn2xbNS9mJxeVC0uNElg",

So that seems to be fixed.  I remain cautiously optimistic that this has been breaking the cancel_all action for a long time.
Comment on attachment 8977124 [details]
Bug 1415868 - change ACTION_TASK_GROUP_ID to be the taskGroupId of the target task;

https://reviewboard.mozilla.org/r/245208/#review251206

Thanks!
Attachment #8977124 - Flags: review?(aki) → review+
Attachment #8971066 - Attachment is obsolete: true
Pushed by dmitchell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7637618d3bd2
add 'mach taskgraph actions'; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/2c95df49455b
Remove support for register_action_task; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/a891a10ca4d9
add support for defining actions with kind=hook; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/4cbd35f87289
include in-tree:hook-action:..{level}-* in decision task scopes; r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/e2931d904975
remove ACTION_TASK r=jonasfj,tomprince
https://hg.mozilla.org/integration/autoland/rev/d4643b526038
change ACTION_TASK_GROUP_ID to be the taskGroupId of the target task; r=aki
Assuming that sticks, next steps are:
 - finish CoT work
 - add hash to hookIds
 - convert all actions to hooks
 - convert anything treeherder is still doing "manually" to a hook
 - convert anything tools is still doing "manually" to a hook
 - remove scopes from active_scm_level_L roles
Keywords: leave-open
Sorry for catching this late - you've changed ACTION_TASK_GROUP_ID to c5nn2xbNS9mJxeVC0uNElg, but the taskGroupId of the task hasn't changed to c5nn2xbNS9mJxeVC0uNElg; it's NdzxKw8bS5Sw5DRhoiM14w, which is the action task's taskId. Can we fix that?
Depends on: 1463522
 - [DONE (aki)] finish CoT work
 - [DONE] add hash to hookIds
 - convert all actions to hooks
 - convert anything treeherder is still doing "manually" to a hook
 - convert anything tools is still doing "manually" to a hook
 - remove scopes from active_scm_level_L roles
Depends on: 1465945
Depends on: 1465970
This makes it consistent with everywhere else in `.taskcluster.yml` where we
refer to the action task group.
Attachment #8986246 - Attachment is obsolete: true
Comment on attachment 8986661 [details]
Bug 1415868 - fix test-action-callback after rev e2931d904975,

https://reviewboard.mozilla.org/r/251968/#review258554
Attachment #8986661 - Flags: review?(dustin) → review+
Pushed by nthomas@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cea130a07d08
fix test-action-callback after rev e2931d904975, r=dustin
Depends on: 1470621
Depends on: 1470622
Depends on: 1470623
Depends on: 1470625
Blocks: 1470625
No longer depends on: 1470625
Depends on: 1398277
This is still waiting on a production deploy of treeherder.  Hopefully soon!!!
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #113)
> This is still waiting on a production deploy of treeherder.  Hopefully
> soon!!!

Is that deployment tracked in a bug?
I'm not going to lie, I'm pretty confused about this bug.  I *think* all of the code is landed, and all that remains is to start turning on `kind="hook"` for actions.  Once that sticks, this is basically done and I can start working on reducing user scopes.
Depends on: 1485680
Ah, that is landed in bug 1470621 and happily has spread quite widely already.  All that remains is relpromo (bug 1485680) and that's not a hard blocker on progress here.
Depends on: 1488766
Let's leave the relpromo work to its own bug, and close this -- we're substantially using hooks now and all that remains is clean-up.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Component: Hooks → Services
Blocks: 1529948
Blocks: 1618940