:garbas tried to, but he didn't have permissions to grant me the scope. It might be worthwile to grant the scope to trigger shipit hooks (for now project-releng/services-staging-shipit-bot-uplift-bot and project-releng/services-staging-shipit-code-coverage-bot) to the whole relman ldap group, if it's possible.
That group corresponds to https://tools.taskcluster.net/auth/roles/#mozilla-group:vpn_releasemgt which has assume:project:shipit:user Should we make another project:shipit:<..> role to represent this particular level of access? Then you can assign whatever scopes you'd like to that role.
:dustin: +1, that would be great!
OK, I added project:shipit:trigger to https://tools.taskcluster.net/auth/roles/#mozilla-group:vpn_releasemgt You can create that role and add whatever scopes you would like.
:dustin: can you also add "assume:project:shipit:*" role to mozilla-group:releng role?
:dustin: sorry for bugging you again. Looks like I don't really have enough scopes to add role in project:shipit:* namespace. Anyway it would be better to change role "project:shipit:trigger" in "mozilla-group:vpn_releasemgt" to "project:releng:services/develop/shipit". I already went a ahead and created that role.
11:01:13 <garbas> dustin: sry to bug you. i'm still having problems assigning scopes (Bug 1356405). Is it possible that you forgot to add "assume:" before "project:releng:services/develop/shipit" scope? yup. fixed.