1267230 - need a way to run tests against pull requests created by users without repo access

Status: RESOLVED DUPLICATE of bug 1257540

(Taskcluster :: Services, defect)

Description

[bhearsum@mozilla.com (:bhearsum)]

Right now, pull requests created by users without any access to the repo will not run taskcluster-github jobs. This can be worked around giving them "read" permissions to the repo, but it doesn't easily allow new contributors to create pull requests and have them tested.

I seem to recall that not allowing random people to create taskcluster-github tasks was done on purpose, but I'm not sure if that was due to paranoia, immaturity of the service, or for a more specific concern.

As we start to use tc-gh for more things we really need a way to run tests on *any* pull request. The way services like Travis do this is to allow anyone to have tests run on their pull request. This would put the burden on folks who maintain .taskcluster.yml files to make sure their tasks are unable to expose secrets or other such things.

Another idea that was thrown out in the past was to let authorized users trigger tasks manually with some special syntax in a pull request comment.

Comment 1

[Jonas Finnemann Jensen (:jonasfj)]

Another option is that we run these PR with a different set of scopes, managed by roles the way existing scopes are delegated.

Having the magic comment syntax would be nice too though.. As that could trigger running in privileged mode.

Comment 2

[bhearsum@mozilla.com (:bhearsum)]

(In reply to Jonas Finnemann Jensen (:jonasfj) from comment #1)
> Another option is that we run these PR with a different set of scopes,
> managed by roles the way existing scopes are delegated.

I'm not quite sure what you mean by this. Are you suggesting just reducing the number of scopes that pull request triggered tasks get?

Comment 3

[bhearsum@mozilla.com (:bhearsum)]

This might be a dupe of bug 1257540 or the other way around....