Closed Bug 1517754 Opened 6 years ago Closed 6 years ago

Run monorepo tests on PRs from other orgs

Categories

(Taskcluster :: Services, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

References

Details

Currently:
> No Taskcluster jobs started for this pull request but at least *some* of those tasks can run on untrusted code.

Which tasks specifically can be run for non-collaborators?

Irene, I think we can tell which by looking at the policies for the .taskcluster.yml's for the original repos.

The tasks in .taskcluster.yml have assume:project:taskcluster:tests:taskcluster which lists

  • secrets:get:project/taskcluster/testing/taskcluster-auth
    • azure access to jungle account
    • aws access to test-bucket-for-any-garbage
  • secrets:get:project/taskcluster/testing/taskcluster-github
    • clientId with
      • auth:azure-table:read-write:jungle/TaskclusterCheckRuns*
      • auth:azure-table:read-write:jungle/TaskclusterGithubBuilds*
      • auth:azure-table:read-write:jungle/TaskclusterIntegrationOwners*
  • secrets:get:project/taskcluster/testing/taskcluster-hooks
    • clientId with
      • assume:hook-id:tc-hooks-tests/tc-test-hook
      • auth:azure-table:read-write:jungle/HooksTestTable*
      • auth:azure-table:read-write:jungle/LastFireTestTable*
      • auth:azure-table:read-write:jungle/QueueTestTable*
      • project:taskcluster:tests:tc-hooks:scope/required/for/task/1
      • queue:create-task:no-provisioner/test-worker
  • secrets:get:project/taskcluster/testing/taskcluster-index
    • clientId with
      • auth:azure-table:read-write:jungle/DummyTestIndexedTasks*
      • auth:azure-table:read-write:jungle/DummyTestNamespaces*
  • secrets:get:project/taskcluster/testing/taskcluster-notify
    • aws access to send test emails to a whitelist of addresses, enqueue messages in a test SQS queue
  • secrets:get:project/taskcluster/testing/taskcluster-purge-cache
    • clientId with
      • auth:azure-table:read-write:jungle/CachePurges*
  • secrets:get:project/taskcluster/testing/taskcluster-queue
    • clientId with
      • auth:azure-table:read-write:jungle/Artifacts*
      • auth:azure-table:read-write:jungle/Provisioner*
      • auth:azure-table:read-write:jungle/Task*
      • auth:azure-table:read-write:jungle/Worker*
    • aws access to test-bucket-for-any-garbage
    • azure access to jungle account
  • secrets:get:project/taskcluster/testing/taskcluster-secrets
    • clientId with
      • auth:azure-table:read-write:jungle/SecretsTestTable*

As for the old policies:

  • tc-auth -- collaborators
  • tc-github -- public
  • tc-hooks -- public
  • tc-index -- default (collaborators)
  • tc-notify -- default (collaborators)
  • tc-purge-cache -- default (collaborators)
  • tc-secrets -- public

I suspect that the defaults were just things we never noticed.

I don't see anything scary in those secrets in the previous comment, though. Basically: jungle access to Azure, and test-bucket-for-any-garbage in S3 (which has a short lifetime policy on it), as well as an SES queue with whitelisted destination addresses and an SQS queue that's dedicated to testing.

I think we should just open this up to public. Any other thoughts?

Assignee: nobody → dustin
Component: General → Platform and Services
Flags: needinfo?(bstack)
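The scope review in the comment above can be made mechanical; the following is an added example, not code from this bug or from Taskcluster, that applies Taskcluster's scope-satisfaction rule (a scope ending in `*` grants every scope sharing its prefix) to the scopes listed in the bug and flags any that leave the test-only namespaces. The TEST_ONLY allowlist is an assumption of this example, and a scope audit says nothing about what the AWS/Azure credentials inside the secrets themselves permit.

```python
# Added example, not code from the bug or from Taskcluster: audit the
# scopes a test task would hold before its tasks run on untrusted PRs.
# Implements Taskcluster's scope-satisfaction rule (a scope ending in '*'
# satisfies every scope sharing its prefix) and flags any scope that
# leaves the test-only namespaces named in the bug. The TEST_ONLY
# allowlist is this example's own; what the AWS/Azure credentials inside
# the secrets permit is outside what scopes can tell you.

def satisfies(held: str, required: str) -> bool:
    """True if `held` grants `required`: exact match, or `held` ends in '*'
    and `required` starts with the text before the '*'."""
    if held == required:
        return True
    return held.endswith("*") and required.startswith(held[:-1])

# Resources the bug identifies as disposable test infrastructure (assumed allowlist).
TEST_ONLY = [
    "secrets:get:project/taskcluster/testing/*",
    "auth:azure-table:read-write:jungle/*",
    "assume:hook-id:tc-hooks-tests/*",
    "project:taskcluster:tests:*",
    "queue:create-task:no-provisioner/test-worker",
]

# A sample of the scopes listed in the bug for the tests role and test clientIds.
TASK_SCOPES = [
    "secrets:get:project/taskcluster/testing/taskcluster-auth",
    "secrets:get:project/taskcluster/testing/taskcluster-queue",
    "auth:azure-table:read-write:jungle/TaskclusterCheckRuns*",
    "auth:azure-table:read-write:jungle/HooksTestTable*",
    "assume:hook-id:tc-hooks-tests/tc-test-hook",
    "project:taskcluster:tests:tc-hooks:scope/required/for/task/1",
    "queue:create-task:no-provisioner/test-worker",
    "auth:azure-table:read-write:jungle/Artifacts*",
]

def audit(scopes: list[str]) -> list[str]:
    """Return the scopes no TEST_ONLY pattern covers; these need a human
    decision before the policy is changed from collaborators to public."""
    return [s for s in scopes if not any(satisfies(p, s) for p in TEST_ONLY)]

if __name__ == "__main__":
    # Constructed extra scope: a table outside the jungle test account.
    leaked = audit(TASK_SCOPES + ["auth:azure-table:read-write:prod/Artifacts*"])
    print("scopes needing review:", leaked)
```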

Seems fine to me!

Flags: needinfo?(bstack)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Component: Platform and Services → Services