Closed Bug 1437738 Opened 2 years ago Closed 2 years ago

Trees closed: action tasks require '{repo}:*', backfill and add new jobs broken


(Firefox Build System :: General, defect)

Not set


(firefox-esr52 fixed, firefox58 fixed, firefox59 fixed, firefox60 fixed)

Tracking Status
firefox-esr52 --- fixed
firefox58 --- fixed
firefox59 --- fixed
firefox60 --- fixed


(Reporter: jonasfj, Assigned: dustin)




(2 files)

decision task has scopes like:
but action tasks seems to require:*

This causes action tasks to fail, as we in treeherder and taskcluster-tools don't allow
action tasks to run with more scopes than the decision task has. We make this reduction
client side using authorizedScopes. This is to protect users from being phished by someone to
run an evil action task.

I'm guessing the problem is:

But I'm not entirely sure. Help?
I'm not sure where the ."branch:default" comes from.

@dustin: didn't you recently make changes with scopes and roles. I recall something about :branch:default, but maybe I'm remembering wrong.
Flags: needinfo?(dustin)
If we can't backfill or add new jobs (which we can't), then we can't have mozilla-inbound and autoland open, since every bustage will require pushing multiple backouts to try and waiting for builds and then tests. Trees closed.
Severity: normal → blocker
Summary: try action tasks require '*' → Trees closed: action tasks require '{repo}:*', backfill and add new jobs broken
Assignee: nobody → bstack
Attachment #8950496 - Flags: review?(dustin)
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes

What about actions on other branches? Is branches not something we use..

Note: I recognize that this will open trees so r+, as it's better than nothing.
Attachment #8950496 - Flags: review+
Please land, this should be good to go.
Keywords: checkin-needed
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes
Attachment #8950496 - Flags: review+
Attachment #8950496 - Flags: review?(dustin)
Pushed by
Update actions to new repo scopes,r=jonasfj. CLOSED TREE
Keywords: checkin-needed
Pushed by
Update actions to new repo scopes r=jonasfj r=pmoore a=Aryx on a CLOSED TREE
We're sorry - something has gone wrong while rewriting or rebasing your commits. The commits being pushed no longer match what was requested. Please file a bug.
Despite autoland's confusion, this appears to have landed and merged around.

This was exactly the right fix.  I'm sorry to leave it for Brian and Pete to land it.
Closed: 2 years ago
Flags: needinfo?(dustin)
Resolution: --- → FIXED
Please request approval to land this on release branches. It will need a new patch for ESR52.
Flags: needinfo?(bstack)
Resolution: FIXED → ---
Assignee: bstack → dustin
Flags: needinfo?(bstack)
OK, esr52 doesn't have action tasks, but I can see a similar patch to action.yml that might avoid issues.

I see a recent esr52 push has a decision task with and nothing exploded.

So I think we just need to uplift the existing change to the other release branches. for a component with uplift flags..
Component: Task Configuration → Build Config
Product: Taskcluster → Core
    [Feature/regressing bug #]: 1437562
    [User impact if declined]: No user impact -- no ability to ship release
    [Describe test coverage new/current, TBPL]: tested on m-c
    [Risks and why]: Low risk - NPOTB
    [String/UUID change made/needed]: none
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes

Approval Request Comment
[Feature/Bug causing the regression]: bug 1437562
[User impact if declined]: inability to make release
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: NPOTB
[String changes made/needed]: none
Attachment #8950496 - Flags: approval-mozilla-release?
Attachment #8950496 - Flags: approval-mozilla-beta?
Attached patch esr52.patchSplinter Review
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: allow actions on the esr52 branch
Fix Landed on Version: 59
Risk to taking this patch (and alternatives if risky): low (I don't think actions are used at all on this branch)
String or UUID changes made by this patch: none

This will need to skip mozilla-central and land directly on esr52, as it no longer applies on mozilla-central (this action-task mechanism has been removed).
Attachment #8950698 - Flags: review?(bstack)
Attachment #8950698 - Flags: approval-mozilla-esr52?
Attachment #8950698 - Flags: review?(bstack) → review+
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes

NPOTB, Beta59+, Release58+
Attachment #8950496 - Flags: approval-mozilla-release?
Attachment #8950496 - Flags: approval-mozilla-release+
Attachment #8950496 - Flags: approval-mozilla-beta?
Attachment #8950496 - Flags: approval-mozilla-beta+
Comment on attachment 8950698 [details] [diff] [review]

Attachment #8950698 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
This already got pushed to beta:
Closed: 2 years ago2 years ago
Resolution: --- → FIXED
Duplicate of this bug: 1438295
Duplicate of this bug: 1438437
Product: Core → Firefox Build System
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.