Stop connecting to github.com in tier-1 automation

RESOLVED FIXED

Status

task
RESOLVED FIXED
3 years ago
Last year

People

(Reporter: gps, Unassigned, Mentored)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Dependencies on 3rd party services in Tier-1 Firefox release automation are a big no-no because they increase the surface area of services we rely on to ship Firefox. Plus they introduce non-determinism/reproducibility concerns and MitM attack vectors.

GitHub outages and GitHub dropping our traffic (because our traffic patterns resemble DDoS and can take up a lot of bandwidth) have bitten us before. We don't want our Tier-1 release automation hitting github.com. We don't want connectivity issues to github.com preventing us from performing a Firefox chemspill release.

It appears our automation still connects to github.com in places. Here are some locations fetching tooltool (which is now vendored in mozilla-central):

$ ag build-tooltool
taskcluster/ci/legacy/tasks/l10n.yml
49:      TOOLTOOL_REPO: 'https://github.com/mozilla/build-tooltool'
taskcluster/ci/legacy/tasks/build.yml
31:      TOOLTOOL_REPO: 'https://github.com/mozilla/build-tooltool'
taskcluster/ci/legacy/tasks/harness_test.yml
56:      TOOLTOOL_REPO: 'https://github.com/mozilla/build-tooltool'
taskcluster/scripts/builder/build-haz-linux.sh
38:: ${TOOLTOOL_REPO:=https://github.com/mozilla/build-tooltool}
taskcluster/scripts/builder/sm-tooltool-config.sh
6:: ${TOOLTOOL_REPO:=https://github.com/mozilla/build-tooltool}
taskcluster/scripts/misc/build-cctools.sh
41:wget -O tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py
taskcluster/scripts/misc/build-clang-linux.sh
12:wget -O tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py
tools/lint/eslint/update
55:wget https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py
testing/mozharness/mozharness/mozilla/tooltool.py
15:    "https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py"
testing/docker/desktop-build/Dockerfile
33:RUN wget -O /builds/tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py
testing/docker/android-gradle-build/Dockerfile
27:RUN wget -O /builds/tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py
75:ADD https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py /build/tooltool.py
testing/docker/centos6-build/system-setup.sh
283:curl https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py > tooltool.py
testing/docker/rust-build/Dockerfile
14:ADD https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py /build/tooltool.py
testing/mozbase/mozrunner/mozrunner/devices/android_device.py
27:TOOLTOOL_URL = 'https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py'
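
An added example, not part of the original bug or of mozilla-central: the `ag` listing above generalized into a check that flags every URL in automation files whose host is outside an allowlist, and marks raw GitHub URLs that name a branch instead of a full commit hash. The allowlist contents, the `audit` function and the `constructed/clone.sh` file are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts automation may contact. Assumed for this example only; a real
# allowlist would name the project's own infrastructure.
ALLOWED_HOSTS = {"hg.mozilla.org"}

URL_RE = re.compile(r"https?://[^\s'\"<>)}]+")
# Path layout on raw.githubusercontent.com: /<owner>/<repo>/<ref>/<file path>
RAW_REF_RE = re.compile(r"^/[^/]+/[^/]+/([^/]+)/")
FULL_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def audit(files, allowed=ALLOWED_HOSTS):
    """Return (path, lineno, host, problem) for every URL outside `allowed`.

    `files` maps a path to its text. `problem` is "mutable-ref" when a raw
    GitHub URL names a branch or tag rather than a full commit hash (the
    fetched bytes can change between runs), otherwise "third-party".
    """
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for url in URL_RE.findall(line):
                parsed = urlparse(url)
                host = (parsed.hostname or "").lower()
                if host in allowed:
                    continue
                ref = RAW_REF_RE.match(parsed.path)
                mutable = (host == "raw.githubusercontent.com" and ref
                           and not FULL_COMMIT_RE.match(ref.group(1)))
                findings.append((path, lineno, host,
                                 "mutable-ref" if mutable else "third-party"))
    return findings


# Sample tree. The first three entries quote lines from the listing above;
# the last file and its content are constructed.
RAW = "https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py"
SAMPLE = {
    "taskcluster/scripts/misc/build-cctools.sh": f"wget -O tooltool.py {RAW}\n",
    "testing/docker/rust-build/Dockerfile": f"ADD {RAW} /build/tooltool.py\n",
    "taskcluster/scripts/builder/build-haz-linux.sh":
        ": ${TOOLTOOL_REPO:=https://github.com/mozilla/build-tooltool}\n",
    "constructed/clone.sh": "hg clone https://hg.mozilla.org/mozilla-central\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Run as a lint step, a non-empty result can fail the job, so a newly added third-party fetch is caught at review time instead of by a later manual audit.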
bug 1302767 addresses a lot of this.
Depends on: 1302767
Mentor: dustin
I believe we just made a check as part of upcoming TLS changes at GitHub, and determined that we do not pull from GitHub anymore.
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Depends on: 1345972
Product: TaskCluster → Firefox Build System