Closed Bug 1437738 Opened 2 years ago Closed 2 years ago

Trees closed: action tasks require 'assume:repo:hg.mozilla.org/{repo}:*', backfill and add new jobs broken

Categories

(Firefox Build System :: General, defect, blocker)

defect
Not set
blocker

Tracking

(firefox-esr52 fixed, firefox58 fixed, firefox59 fixed, firefox60 fixed)

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- fixed
firefox58 --- fixed
firefox59 --- fixed
firefox60 --- fixed

People

(Reporter: jonasfj, Assigned: dustin)

References

Details

Attachments

(2 files)

decision task has scopes like:
  assume:repo:hg.mozilla.org/try:branch:default
but action tasks seems to require:
  assume:repo:hg.mozilla.org/try:*

This causes action tasks to fail, as we in treeherder and taskcluster-tools don't allow
action tasks to run with more scopes than the decision task has. We make this reduction
client side using authorizedScopes. This is to protect users from being phished by someone to
run an evil action task.

I'm guessing the problem is:
  https://dxr.mozilla.org/mozilla-central/rev/9a0655ea8ae02f4d96bf23a607a94641f1c57f1b/taskcluster/taskgraph/actions/registry.py#183-184

But I'm not entirely sure. Help?
I'm not sure where the ."branch:default" comes from.

@dustin: didn't you recently make changes with scopes and roles. I recall something about :branch:default, but maybe I'm remembering wrong.
Flags: needinfo?(dustin)
If we can't backfill or add new jobs (which we can't), then we can't have mozilla-inbound and autoland open, since every bustage will require pushing multiple backouts to try and waiting for builds and then tests. Trees closed.
Severity: normal → blocker
Summary: try action tasks require 'assume:repo:hg.mozilla.org/try:*' → Trees closed: action tasks require 'assume:repo:hg.mozilla.org/{repo}:*', backfill and add new jobs broken
Assignee: nobody → bstack
Status: NEW → ASSIGNED
Attachment #8950496 - Flags: review?(dustin)
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes

https://reviewboard.mozilla.org/r/219780/#review225478

What about actions on other branches? Is branches not something we use..

Note: I recognize that this will open trees so r+, as it's better than nothing.
Attachment #8950496 - Flags: review+
Please land, this should be good to go.
Keywords: checkin-needed
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes

https://reviewboard.mozilla.org/r/219780/#review225494
Attachment #8950496 - Flags: review+
Attachment #8950496 - Flags: review?(dustin)
Pushed by pmoore@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/72e9066eef54
Update actions to new repo scopes,r=jonasfj. CLOSED TREE
Keywords: checkin-needed
Pushed by nerli@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/4403805b3b66
Update actions to new repo scopes r=jonasfj r=pmoore a=Aryx on a CLOSED TREE
We're sorry - something has gone wrong while rewriting or rebasing your commits. The commits being pushed no longer match what was requested. Please file a bug.
Despite autoland's confusion, this appears to have landed and merged around.

This was exactly the right fix.  I'm sorry to leave it for Brian and Pete to land it.
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dustin)
Resolution: --- → FIXED
Please request approval to land this on release branches. It will need a new patch for ESR52.
Flags: needinfo?(bstack)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: bstack → dustin
Flags: needinfo?(bstack)
OK, esr52 doesn't have action tasks, but I can see a similar patch to action.yml that might avoid issues.

I see a recent esr52 push has a decision task with assume:repo:hg.mozilla.org/releases/mozilla-esr52:branch:default and nothing exploded.

So I think we just need to uplift the existing change to the other release branches.
..fishing for a component with uplift flags..
Component: Task Configuration → Build Config
Product: Taskcluster → Core
    [Feature/regressing bug #]: 1437562
    [User impact if declined]: No user impact -- no ability to ship release
    [Describe test coverage new/current, TBPL]: tested on m-c
    [Risks and why]: Low risk - NPOTB
    [String/UUID change made/needed]: none
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes

Approval Request Comment
[Feature/Bug causing the regression]: bug 1437562
[User impact if declined]: inability to make release
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: NPOTB
[String changes made/needed]: none
Attachment #8950496 - Flags: approval-mozilla-release?
Attachment #8950496 - Flags: approval-mozilla-beta?
Attached patch esr52.patchSplinter Review
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: allow actions on the esr52 branch
Fix Landed on Version: 59
Risk to taking this patch (and alternatives if risky): low (I don't think actions are used at all on this branch)
String or UUID changes made by this patch: none

This will need to skip mozilla-central and land directly on esr52, as it no longer applies on mozilla-central (this action-task mechanism has been removed).
Attachment #8950698 - Flags: review?(bstack)
Attachment #8950698 - Flags: approval-mozilla-esr52?
Attachment #8950698 - Flags: review?(bstack) → review+
Comment on attachment 8950496 [details]
Bug 1437738 - Update actions to new repo scopes

NPOTB, Beta59+, Release58+
Attachment #8950496 - Flags: approval-mozilla-release?
Attachment #8950496 - Flags: approval-mozilla-release+
Attachment #8950496 - Flags: approval-mozilla-beta?
Attachment #8950496 - Flags: approval-mozilla-beta+
Comment on attachment 8950698 [details] [diff] [review]
esr52.patch

ESR52.7+
Attachment #8950698 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
This already got pushed to beta: https://hg.mozilla.org/releases/mozilla-beta/rev/fc80116ddfa63a8300df745b0078fda6897dd90b
Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
Resolution: --- → FIXED
Duplicate of this bug: 1438295
Duplicate of this bug: 1438437
Product: Core → Firefox Build System
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.