Closed Bug 1586102 Opened 5 years ago Closed 5 years ago

tc-github assumes that repo roles have queue:route:{checks,statuses} and scheduler-id

Categories

(Taskcluster :: Services, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)


In the current deployment, we have
https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2F*

queue:scheduler-id:taskcluster-github
queue:route:statuses
queue:route:checks

and that means that assume:repo:github.com/<whatever> will have those scopes that are otherwise internal to tc-github.

We don't have a way to manage the contents of roles in all deployments, so we need to do this internally. I think that means that tc-github will need to add these scopes to the authorizedScopes that we use to create tasks.

Also, tc-github's scopes are

github:
  - assume:repo:github.com/*
  - assume:scheduler-id:taskcluster-github/*
  - auth:azure-table-access:${azureAccountId}/TaskclusterGithubBuilds
  - auth:azure-table-access:${azureAccountId}/TaskclusterIntegrationOwners
  - auth:azure-table:read-write:${azureAccountId}/TaskclusterGithubBuilds
  - auth:azure-table:read-write:${azureAccountId}/TaskclusterIntegrationOwners
  - auth:azure-table:read-write:${azureAccountId}/TaskclusterChecksToTasks
  - auth:azure-table:read-write:${azureAccountId}/TaskclusterCheckRuns

so those will need to be adjusted to contain these scopes, as they will no longer be implied by the assume:repo:github.com/* role.

Blocks: 1574666
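
The scope flow described in the report, as an added example (not tc-github or auth service code). It uses a simplified model of Taskcluster scope matching and role expansion; the `example-org/example-repo` name and all function names are assumptions made for illustration.

```javascript
// Simplified model of Taskcluster scope matching and role expansion (assumption).
const INTERNAL = [
  'queue:scheduler-id:taskcluster-github',
  'queue:route:statuses',
  'queue:route:checks',
];

// A held scope satisfies a required one if equal, or if it ends in '*'
// and the required scope starts with the text before the '*'.
const satisfies = (held, required) =>
  held.some(h => h === required ||
    (h.endsWith('*') && required.startsWith(h.slice(0, -1))));

// Does `assume:<target>` pull in role `roleId`? Either side may end in '*'.
function assumes(scope, roleId) {
  if (!scope.startsWith('assume:')) return false;
  const target = scope.slice('assume:'.length);
  if (roleId.endsWith('*') && target.startsWith(roleId.slice(0, -1))) return true;
  if (target.endsWith('*') && roleId.startsWith(target.slice(0, -1))) return true;
  return target === roleId;
}

// Expand a scope list to a fixed point over the given roles.
function expand(scopes, roles) {
  const out = new Set(scopes);
  for (let grew = true; grew;) {
    grew = false;
    for (const [roleId, roleScopes] of Object.entries(roles)) {
      if (![...out].some(s => assumes(s, roleId))) continue;
      for (const s of roleScopes) {
        if (!out.has(s)) { out.add(s); grew = true; }
      }
    }
  }
  return [...out];
}

// Constructed repo scope; org and repo names are placeholders.
const REPO = 'assume:repo:github.com/example-org/example-repo';
const rolesBefore = { 'repo:github.com/*': INTERNAL }; // role as in the report
const rolesAfter = {}; // deployment whose repo role lacks these scopes

// Scopes available to anything holding the repo's assume scope.
const repoScopes = roles => expand([REPO], roles);

// tc-github adds the internal scopes itself when creating tasks.
const authorizedScopes = [REPO, ...INTERNAL];
// authorizedScopes only restrict: the caller must hold every scope listed.
const mayAuthorize = (clientScopes, roles) =>
  authorizedScopes.every(s => satisfies(expand(clientScopes, roles), s));
```
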

I will (tomorrow) temporarily add these scopes to the role so that I can continue on trying to get rust-hawk to run :)

(community-tc-config will remove those scopes on its own)

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED