Audit the scopes granted to the shipit client
Categories
(Release Engineering :: Applications: Shipit, enhancement)
Tracking
(Not tracked)
People
(Reporter: jvehent, Assigned: rail)
References
Details
The ShipIt client project/releng/shipit/production has access to the following scopes: https://tools.taskcluster.net/auth/clients/project%2Freleng%2Fshipit%2Fproduction
We should verify these scopes are as minimal as possible.
|
Assignee | |
Comment 1•5 years ago
|
||
ATM those scopes are necessary. After we resolve bug 1485680, we definitely can remove a bunch of queue:* related scopes. I'll revisit this bug after the switch (hopefully later this month).
|
|
Assignee | |
Comment 2•5 years ago
|
||
I'm going to test this using the staging account first. The current list of the scopes is:
assume:repo:hg.mozilla.org/projects/birch:branch:*
assume:repo:hg.mozilla.org/projects/jamun:branch:*
assume:repo:hg.mozilla.org/projects/maple:branch:*
assume:repo:hg.mozilla.org/try-comm-central:branch:*
assume:repo:hg.mozilla.org/try:branch:*
hooks:trigger-hook:project-comm/in-tree-action-1-generic/*
hooks:trigger-hook:project-comm/in-tree-action-1-release-promotion/*
hooks:trigger-hook:project-comm/in-tree-action-3-generic/*
hooks:trigger-hook:project-comm/in-tree-action-3-release-promotion/*
hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
hooks:trigger-hook:project-gecko/in-tree-action-1-release-promotion/*
hooks:trigger-hook:project-gecko/in-tree-action-3-generic/*
hooks:trigger-hook:project-gecko/in-tree-action-3-release-promotion/*
notify:irc-channel:#releaseduty-staging
project:releng:services/shipit_api/rebuild_product_details
project:releng:services/shipit_api/sync_release_datetimes
project:releng:services/shipit_api/sync_releases
project:releng:services/shipit_api/update_release_status
secrets:get:repo:github.com/mozilla-releng/services:branch:master
secrets:get:repo:github.com/mozilla-releng/services:branch:staging
secrets:get:repo:github.com/mozilla-releng/services:branch:testing
secrets:get:repo:github.com/mozilla-releng/services:pull-request
|
|
Assignee | |
Comment 3•5 years ago
|
||
Staging looks good with the following scopes left:
hooks:trigger-hook:project-comm/in-tree-action-1-generic/*
hooks:trigger-hook:project-comm/in-tree-action-1-release-promotion/*
hooks:trigger-hook:project-comm/in-tree-action-3-generic/*
hooks:trigger-hook:project-comm/in-tree-action-3-release-promotion/*
hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
hooks:trigger-hook:project-gecko/in-tree-action-1-release-promotion/*
hooks:trigger-hook:project-gecko/in-tree-action-3-generic/*
hooks:trigger-hook:project-gecko/in-tree-action-3-release-promotion/*
notify:irc-channel:#releaseduty-staging
project:releng:services/shipit_api/rebuild_product_details
project:releng:services/shipit_api/sync_release_datetimes
project:releng:services/shipit_api/sync_releases
project:releng:services/shipit_api/update_release_status
secrets:get:repo:github.com/mozilla-releng/services:branch:master
secrets:get:repo:github.com/mozilla-releng/services:branch:staging
secrets:get:repo:github.com/mozilla-releng/services:branch:testing
secrets:get:repo:github.com/mozilla-releng/services:pull-request
|
|
Assignee | |
Comment 4•5 years ago
|
||
Production before:
assume:repo:hg.mozilla.org/releases/comm-beta:branch:*
assume:repo:hg.mozilla.org/releases/comm-esr*
assume:repo:hg.mozilla.org/releases/mozilla-beta:branch:*
assume:repo:hg.mozilla.org/releases/mozilla-esr*
assume:repo:hg.mozilla.org/releases/mozilla-release:branch:*
hooks:trigger-hook:project-comm/in-tree-action-3-generic/*
hooks:trigger-hook:project-comm/in-tree-action-3-release-promotion/*
hooks:trigger-hook:project-gecko/in-tree-action-3-generic/*
hooks:trigger-hook:project-gecko/in-tree-action-3-release-promotion/*
notify:irc-channel:#releaseduty
notify:irc-channel:#tbdrivers
project:releng:services/shipit_api/rebuild_product_details
project:releng:services/shipit_api/sync_release_datetimes
project:releng:services/shipit_api/sync_releases
project:releng:services/shipit_api/update_release_status
secrets:get:repo:github.com/mozilla-releng/services:branch:production
|
|
Assignee | |
Comment 5•5 years ago
|
||
Production after:
hooks:trigger-hook:project-comm/in-tree-action-3-generic/*
hooks:trigger-hook:project-comm/in-tree-action-3-release-promotion/*
hooks:trigger-hook:project-gecko/in-tree-action-3-generic/*
hooks:trigger-hook:project-gecko/in-tree-action-3-release-promotion/*
notify:irc-channel:#releaseduty
notify:irc-channel:#tbdrivers
project:releng:services/shipit_api/rebuild_product_details
project:releng:services/shipit_api/sync_release_datetimes
project:releng:services/shipit_api/sync_releases
project:releng:services/shipit_api/update_release_status
secrets:get:repo:github.com/mozilla-releng/services:branch:production
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 6•5 years ago
|
||
I reverted the production client changes. Something didn't work.
|
|
Assignee | |
Comment 7•5 years ago
|
||
Looks like something was missing with the uplift of the task-to-hook patches.
|
|
Assignee | |
Comment 8•5 years ago
|
||
I changed the scopes again, 66.0.3 is out, we can try again.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 9•5 years ago
|
||
I had to add these scopes, because we had to chemspill and the patches are not on the relbranch.
assume:repo:hg.mozilla.org/releases/comm-esr*
assume:repo:hg.mozilla.org/releases/mozilla-esr*
|
|
Assignee | |
Comment 10•5 years ago
|
||
We should be good now. I removed the scopes I added in comment #9.
|
||
Updated•2 years ago
|
Description
•