Closed Bug 1324094 Opened 7 years ago Closed 7 years ago

Investigate adding new scopes to action tasks for caches above level-1

Categories

(Firefox Build System :: Task Configuration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bstack, Assigned: bstack)

References

Details

Attachments

(1 file)

This is needed for backfilling on repos other than try. More discussion in bug 1289823 comment 23.
Status: NEW → ASSIGNED
Landing this should probably be blocked on bug 1284989.
After running this from the task creator with the appropriate scopes, it successfully backfilled bc5 tests as seen in https://treeherder.mozilla.org/#/jobs?repo=autoland&filter-searchStr=linux%2064%20pgo%20tc%20mochitest&tochange=3d4f10649284edd6397e57052411b213cb24ca62
Comment on attachment 8819404 [details]
Bug 1324094 - Add correct cache scopes to action tasks

https://reviewboard.mozilla.org/r/99198/#review99592

As long as dustin is happy with it :)
Attachment #8819404 - Flags: review?(armenzg) → review+
Comment on attachment 8819404 [details]
Bug 1324094 - Add correct cache scopes to action tasks

https://reviewboard.mozilla.org/r/99198/#review99980

Aside from the comments below, there are security implications to supporting this on more than the try repo.  I think you already have those in mind, based on other bug traffic I've seen go by, but it's worth mentioning again :)

::: taskcluster/taskgraph/action.yml:21
(Diff revision 2)
> +  - "docker-worker:cache:level-2-*"
> +  - "docker-worker:cache:level-3-*"

These are more than a level-1 action task would need.

Also, these scopes shouldn't be needed anymore now that bug 1269443 is landed.  They are included in the `repo:hg.mozilla.org/try:*` role.

I think the right fix here is for the decision task to dynamically calculate the `repo:..` role for the action.yml file that it uploads as an artifact.

::: taskcluster/taskgraph/action.yml:26
(Diff revision 2)
> +  - "queue:route:tc-treeherder.v2.*"
> +  - "queue:route:tc-treeherder-stage.v2.*"

I'm not sure why these were added..
Attachment #8819404 - Flags: review?(dustin) → review-
Comment on attachment 8819404 [details]
Bug 1324094 - Add correct cache scopes to action tasks

https://reviewboard.mozilla.org/r/99198/#review100338

::: taskcluster/taskgraph/action.yml:26
(Diff revision 2)
> +  - "queue:route:tc-treeherder.v2.*"
> +  - "queue:route:tc-treeherder-stage.v2.*"

These were added because of the failure I saw in https://tools.taskcluster.net/task-inspector/#H0GH4bWrTCOmjPLyQ_oBcA/0

Perhaps they will not be needing if we do the assume:repo:hg.mozilla... change you mentioned in the other issue. I'll try it out and see.
Comment on attachment 8819404 [details]
Bug 1324094 - Add correct cache scopes to action tasks

https://reviewboard.mozilla.org/r/99198/#review100652
Attachment #8819404 - Flags: review?(dustin) → review+
Keywords: checkin-needed
Pushed by ihsiao@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/02cbb6db8bd2
Add correct cache scopes to action tasks r=armenzg,dustin
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/02cbb6db8bd2
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Now that this is merged, we should be able to backfill so long as we assign scopes to https://tools.taskcluster.net/auth/clients/#project%252fateam%252fpulse_actions

I believe we've decided that as a temporary measure until treeherder supports tc credentials fully, we will give that client "assume:repo:hg.mozilla.org/*". I believe that is an extremely powerful set of scopes, but I also understand that backfilling for these jobs is something we want to have sooner rather than later. If you're ok with it, I'll go ahead and do so.
Flags: needinfo?(dustin)
Flags: needinfo?(dustin)
Aww, TIL don't use unicode in Bugzilla.  Ship it :)
Could we file a bug for adding that ability to TH and another bug for reverting giving these privileges?

Is this part of the outcome of the RRA? Is that bug ready to be fixed?
I've created bug 1325657 for the removal of the scopes. Bug 1273096 is for doing things with tc creds correctly in th and is underway now. Bug 1278986 will also need to be fixed before we can move forward with getting rid of these scopes (and eventually all tc interactions from pulse_actions).
(Moving to a Taskcluster component, since the changed files were taskcluster config files in mozilla-central rather than in the Treeherder repo)
Component: Treeherder → Task Configuration
Product: Tree Management → Taskcluster
Version: --- → unspecified
Product: TaskCluster → Firefox Build System
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: