Closed Bug 1599236 Opened 6 years ago Closed 6 years ago

Grant hooks:trigger-hook:project-gecko/in-tree-action-1-generic/* to project:relman:code-review/runtime/{testing,production}

Categories

(Release Engineering :: Firefox-CI Administration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: marco, Assigned: jlorenzo)

Details

Attachments

(1 file)

The code review bot will need to add new jobs to try pushes, so it needs the trigger scopes (hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*).

project:relman:code-review/runtime/testing
project:relman:code-review/runtime/production

Could you grant them?

Assignee: nobody → jlorenzo

I chatted with Marco regarding the need: the code-review bot has to add new jobs. Therefore, the only action in actions.json[1] it should need is add-new-jobs. I was originally concerned by the fact that release promotion can be triggered by the bot since it's present in actions.json. That said, it's the only action that has its own permission. I guess that explains why it has its own dedicated scope[3]. Although, I noticed in-tree-action-3-cancel-all/*[4] exists while being part of the generic pool. So, I looked at the available in-tree-action hooks[5] and saw some of them exist, but not all.

Therefore my questions are the following: should we create a dedicated hook so the bot has access to what it strictly needs? If so, how should we do it? What do you think, Tom?

In the meantime, I put a patch to grant generic. This way, Marco is unblocked.

[1] For instance https://firefoxci.taskcluster-artifacts.net/AuvjhJ_1SG-jH-xtFOlJlw/0/public/actions.json
[2] Search for "actionPerm" in [1] => see everything is generic but release-promotion
[3] https://hg.mozilla.org/ci/ci-configuration/file/7daf0db905e62551043ba26bdf1a33c16810aa9a/grants.yml#l1645
[4] https://hg.mozilla.org/ci/ci-configuration/file/7daf0db905e62551043ba26bdf1a33c16810aa9a/grants.yml#l1630
[5] https://firefox-ci-tc.services.mozilla.com/hooks?search=in-tree-action-

Oops, I forgot to add the NI in comment 2 😅 Closing the bug as fixed and adding the NI to see if we can improve the situation described in the previous comment.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mozilla)
Resolution: --- → FIXED

I don't think it's worth it to split the actions up further. The generic hook is for actions that don't need any additional permissions above what the on-push tasks have.

Flags: needinfo?(mozilla)
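
Added example, not part of the bug thread or of Mozilla's ci-configuration: a small audit of which action hooks a role can trigger under Taskcluster's scope rule that a trailing `*` matches any suffix. The hook IDs (including the `0123abcd` suffix and the release-promotion hook name) and the over-broad grant are constructed for illustration.

```python
# Added example: audit hook-trigger reach of a set of granted scopes.
# Taskcluster rule used here: a granted scope ending in "*" satisfies any
# required scope that starts with the part before the "*"; otherwise the
# two strings must be equal. A "*" anywhere else is a literal character.

def satisfies(granted: str, required: str) -> bool:
    """True if one granted scope satisfies one required scope."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

def can_trigger(role_scopes, hook_group_id, hook_id) -> bool:
    """True if any granted scope covers triggering this hook."""
    required = f"hooks:trigger-hook:{hook_group_id}/{hook_id}"
    return any(satisfies(g, required) for g in role_scopes)

def audit(role_scopes, hooks):
    """Map each 'group/hookId' string to whether the role can trigger it."""
    return {h: can_trigger(role_scopes, *h.split("/", 1)) for h in hooks}

# The grant requested in this bug.
GRANTED = ["hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*"]
# Constructed counter-example: a pattern one path segment too short.
TOO_BROAD = ["hooks:trigger-hook:project-gecko/in-tree-action-1-*"]

# Constructed hook IDs; the release-promotion name is an assumption.
HOOKS = [
    "project-gecko/in-tree-action-1-generic/0123abcd",
    "project-gecko/in-tree-action-3-cancel-all/0123abcd",
    "project-gecko/in-tree-action-1-release-promotion/0123abcd",
]

if __name__ == "__main__":
    for label, scopes in (("granted", GRANTED), ("too broad", TOO_BROAD)):
        print(label)
        for hook, ok in audit(scopes, HOOKS).items():
            print(f"  {'ALLOW' if ok else 'deny '} {hook}")
```

Running the same audit against a role's fully expanded scope set before merging a grant shows whether a wildcard reaches a hook with its own permission level.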