tc-github assumes that repo roles have queue:route:{checks,statuses} and scheduler-id
Categories: Taskcluster :: Services, defect
Tracking: Not tracked
People: Reporter: dustin, Assigned: dustin
In the current deployment, we have
https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2F*
queue:scheduler-id:taskcluster-github
queue:route:statuses
queue:route:checks
and that means that assume:repo:github.com/<whatever> will have those scopes that are otherwise internal to tc-github.
We don't have a way to manage the contents of roles in all deployments, so we need to do this internally. I think that means that tc-github will need to add these scopes to the authorizedScopes that we use to create tasks.
Also, tc-github's scopes are
github:
- assume:repo:github.com/*
- assume:scheduler-id:taskcluster-github/*
- auth:azure-table-access:${azureAccountId}/TaskclusterGithubBuilds
- auth:azure-table-access:${azureAccountId}/TaskclusterIntegrationOwners
- auth:azure-table:read-write:${azureAccountId}/TaskclusterGithubBuilds
- auth:azure-table:read-write:${azureAccountId}/TaskclusterIntegrationOwners
- auth:azure-table:read-write:${azureAccountId}/TaskclusterChecksToTasks
- auth:azure-table:read-write:${azureAccountId}/TaskclusterCheckRuns
so those will need to be adjusted to contain these scopes, as they will no longer be implied by the assume:repo:github.com/* role.
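
An added example, not tc-github's or Taskcluster's own code: a simplified JavaScript model of scope satisfaction and role expansion, showing why the role hands the internal scopes to any holder of assume:repo:github.com/<whatever>, and why tc-github's own scopes must gain them once it lists them in authorizedScopes. The matching rules are a simplification, the Azure scopes are omitted, and example-org/example-repo is a constructed repository name.

```javascript
// Simplified model of Taskcluster scopes and roles (illustration only).
// A scope ending in '*' satisfies every scope that starts with its prefix.
const satisfies = (have, want) =>
  have.some(h => h === want || (h.endsWith('*') && want.startsWith(h.slice(0, -1))));
const satisfiesAll = (have, wanted) => wanted.every(w => satisfies(have, w));

// 'assume:<x>' pulls in a role when <x> matches the roleId; either side may end in '*'.
const assumes = (scope, roleId) => {
  if (!scope.startsWith('assume:')) return false;
  const x = scope.slice('assume:'.length);
  return x === roleId ||
    (roleId.endsWith('*') && x.startsWith(roleId.slice(0, -1))) ||
    (x.endsWith('*') && roleId.startsWith(x.slice(0, -1)));
};

// Expand a scope set through the roles until nothing new is added.
function expand(scopes, roles) {
  const out = new Set(scopes);
  for (let grew = true; grew;) {
    grew = false;
    for (const [roleId, roleScopes] of Object.entries(roles)) {
      if (![...out].some(s => assumes(s, roleId))) continue;
      for (const s of roleScopes) {
        if (!out.has(s)) { out.add(s); grew = true; }
      }
    }
  }
  return [...out];
}

const INTERNAL = ['queue:scheduler-id:taskcluster-github', 'queue:route:statuses', 'queue:route:checks'];
const roleWithInternal = {'repo:github.com/*': INTERNAL}; // the current deployment
const roleWithout = {'repo:github.com/*': []};            // a deployment whose role lacks them

// Constructed repo scope; stands for any holder of it, not only tc-github.
const repoScope = 'assume:repo:github.com/example-org/example-repo';

// Proposed fix: tc-github adds the internal scopes to authorizedScopes itself.
const authorizedScopesFor = repo => [`assume:repo:github.com/${repo}`, ...INTERNAL];

// tc-github's own scopes (Azure entries omitted), before and after the adjustment.
const ownBefore = ['assume:repo:github.com/*', 'assume:scheduler-id:taskcluster-github/*'];
const ownAfter = [...ownBefore, ...INTERNAL];

const wanted = authorizedScopesFor('example-org/example-repo');
console.log('repo scope gets internal scopes via role:', satisfiesAll(expand([repoScope], roleWithInternal), INTERNAL));
console.log('repo scope gets them without role entry:', satisfiesAll(expand([repoScope], roleWithout), INTERNAL));
console.log('old own scopes cover authorizedScopes:', satisfiesAll(expand(ownBefore, roleWithout), wanted));
console.log('adjusted own scopes cover authorizedScopes:', satisfiesAll(expand(ownAfter, roleWithout), wanted));
```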
Comment 1 • 5 years ago (Assignee)
I will (tomorrow) temporarily add these scopes to the role so that I can continue on trying to get rust-hawk to run :)
Comment 2 • 5 years ago (Assignee)
Comment 3 • 5 years ago (Assignee)
(community-tc-config will remove those scopes on its own)