Closed Bug 1286894 Opened 5 years ago Closed 3 years ago
Enable Treeherder to add new TC jobs for non try repositories
This will be a follow up to Bug 1284911, once that's fixed.
This should be fairly straightforward to fix. Just remove the condition from https://github.com/mozilla/treeherder/blob/master/ui/js/models/resultsets_store.js#L330 However, an RRA is needed before this can proceed.
(In reply to Kalpesh Krishna [:martianwars] from comment #1) > However, an RRA is needed before this can proceed. Presuming "RRA" () wasn't a typo, then this needs blocking on the pulse actions side asap until that happens. A UI-only conditional isn't a security measure - people can submit arbitrary requests to the API regardless. Armen, can you confirm either way?  https://wiki.mozilla.org/Security/Risk_management/Rapid_Risk_Assessment
Yeah I completely agree with Ed. There should be a condition to block this on Pulse Actions. Should be a straightforward fix.
Filed bug 1288092 to follow up on it.
There's still a limitation in plce here: pulse_actions' scopes would prevent creation of an action task for any repo other than try (in particular, any non-level-1 repo) https://tools.taskcluster.net/auth/clients/#project%252fateam%252fpulse_actions assume:repo:hg.mozilla.org/try:* auth:aws-s3:read-write:tc-gp-public-31d/ateam/pulse-action-dev/* queue:create-task:* queue:define-task:* scheduler:create-task-graph scheduler:extend-task-graph but it would be good for pulse_actions to give a useful error back to the user rather than rely on the scopes to fail.
Ah so comment 1 really meant "an RRA is needed prior to adjusting the scopes being used by pulse_actions, which will be performed in a yet-to-be-filed bug that will be marked blocking this one" (or similar). Glad to hear :-)
Fixed in the code as well in bug 1288092.
this is broken and now that SETA is enabled we are looking to turn it off *again*. Do we need to do work in treeherder to fix this?
Unofortunately I have no idea how most of this implementation is meant to work, whether it's currently working or what next steps are. Armen would be the one to speak to.
If I remember correctly, there was a UI check here to prevent non-try jobs from being added. https://github.com/mozilla/treeherder/blob/master/ui/js/models/resultsets_store.js#L338. I don't quite remember if I'd added anything on the TaskCluster side. Of course, I don't know how relevant this is now.
This was fixed a while ago.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.