Closed Bug 1644574 Opened 4 years ago Closed 4 years ago

Automatically run CodeQL jobs on shipped builds

Categories: Release Engineering :: Release Automation: Other, enhancement
Tracking: firefox82 fixed
Status: RESOLVED FIXED
People: Reporter: tjr, Assigned: Callek
Attachments: 2 files

When we ship a major release (e.g. 77.0 but not 77.0.1 or 68.2) on the release channel, we would like to automatically run the two codeql jobs (cpp and js). They can be Tier 2.

They can run elsewhere, but it will be wasted resources. (It would really be wasteful to run them on Beta/Nightly/ESR; less wasteful to run on point releases of the release channel.) It makes sense to only have them run after we have decided that this particular build will be the one we ship to users. There are no time constraints here.

After the jobs are run I will need to download the artifacts and then upload them somewhere else; so if there was some way of being notified when they ran (success or fail) that would be helpful, because I otherwise don't know how to find the specific treeherder build we shipped to users.

> After the jobs are run I will need to download the artifacts and then upload them somewhere else;

Some more details on this bit might be useful, as that seems like it might be something that could be automated.

(In reply to Tom Prince [:tomprince] from comment #1)
> > After the jobs are run I will need to download the artifacts and then upload them somewhere else;
>
> Some more details on this bit might be useful, as that seems like it might be something that could be automated.

Probably, but it might be more effort than desired. I have an S3 bucket in our AWS dev account that is public for researchers to download the artifacts: https://bug-bounty-codeql-databases.s3.us-east-2.amazonaws.com/index.html

Presumably some work could be done to store API tokens, rename the file, and then upload it to the bucket which would certainly be nice; but right now my priority is having the builds run automatically so I don't need to bug the releng team to hit the button for me each release.

Manual steps:

  1. Find the release revision in treeherder. One way is to look for the ship_firefox task. Another is to follow the links from shipit.
  2. Log in, top right
  3. Down arrow at the top right of the push -> Add New Jobs (search)
  4. Search for codeql (may have to use the full list)
  5. Select source-test-codeql-javascript and build-linux64/codeql-cpp, Add selected, Trigger (2) selected jobs
  6. They'll appear in treeherder. You can use a tool like task-progress to monitor without having to watch the web page.

80.0 https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&revision=bd5d1f49975deb730064a16b3079edb53c4a5f84&searchStr=codeql
79.0 https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&revision=df3ed76cf46b23c9b658cd5be4cdd4162d86f736&searchStr=codeql
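The download, rename and upload step tjr describes above, combined with the "find the release revision, find the two codeql jobs" part of the manual steps, as an added example; this is not code from this bug or from Mozilla's release automation. It assumes the Treeherder push and jobs REST endpoints and their column names (job_type_name, task_id, result, retry_id), the firefox-ci Taskcluster queue artifact API, that the databases are published under public/build/, and a version-prefixed key layout in the bucket. The HTTP fetch and the S3 upload are injected so the selection logic can be exercised offline against constructed responses, and so the real upload credentials can stay in the CI secret store rather than in the script.

```python
"""Locate the CodeQL jobs for a shipped revision and copy their artifacts
to the public bucket.  Added example, not Mozilla releng code; the
Treeherder/Taskcluster URLs, column names and bucket layout are assumptions.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

TREEHERDER = "https://treeherder.mozilla.org"
TASKCLUSTER_QUEUE = "https://firefox-ci-tc.services.mozilla.com/api/queue/v1"
BUCKET = "bug-bounty-codeql-databases"  # bucket named in this bug (us-east-2)

# Job names exactly as they appear in the manual steps in this bug.
CODEQL_JOBS = {
    "source-test-codeql-javascript": "javascript",
    "build-linux64/codeql-cpp": "cpp",
}

Fetch = Callable[[str], dict]


def http_json(url: str) -> dict:
    """Default fetcher: GET a URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def push_id_for_revision(repo: str, revision: str, fetch: Fetch) -> int:
    """Resolve a mozilla-release revision to its Treeherder push id (assumed endpoint)."""
    data = fetch(f"{TREEHERDER}/api/project/{repo}/push/?revision={revision}")
    results = data.get("results", [])
    if len(results) != 1:
        raise LookupError(f"expected one push for {revision}, got {len(results)}")
    return results[0]["id"]


def codeql_tasks(push_id: int, fetch: Fetch) -> Dict[str, Tuple[str, str]]:
    """Map language -> (task_id, result) for the CodeQL jobs on a push.

    The assumed jobs endpoint returns column names plus row arrays; zip them
    so fields are picked by name.  Retriggers share a job_type_name, so the
    highest retry_id wins.
    """
    data = fetch(f"{TREEHERDER}/api/jobs/?push_id={push_id}")
    names = data["job_property_names"]
    found: Dict[str, Tuple[str, str, int]] = {}
    for row in data["results"]:
        job = dict(zip(names, row))
        lang = CODEQL_JOBS.get(job.get("job_type_name"))
        if lang is None:
            continue
        retry = job.get("retry_id", 0)
        if lang not in found or retry >= found[lang][2]:
            found[lang] = (job["task_id"], job["result"], retry)
    return {lang: (tid, res) for lang, (tid, res, _) in found.items()}


def artifact_names(task_id: str, fetch: Fetch) -> List[str]:
    data = fetch(f"{TASKCLUSTER_QUEUE}/task/{task_id}/artifacts")
    return [a["name"] for a in data.get("artifacts", [])]


def object_key(version: str, lang: str, artifact_name: str) -> str:
    """The 'rename' step: a stable, version-prefixed key (assumed layout)."""
    return f"firefox-{version}/{lang}/{artifact_name.rsplit('/', 1)[-1]}"


def plan_uploads(repo: str, revision: str, version: str,
                 fetch: Fetch) -> List[Tuple[str, str]]:
    """Return (artifact_url, s3_key) pairs for both CodeQL jobs.

    Fails loudly if a job is missing or not successful rather than quietly
    publishing a partial or broken set of databases.
    """
    push = push_id_for_revision(repo, revision, fetch)
    tasks = codeql_tasks(push, fetch)
    missing = set(CODEQL_JOBS.values()) - set(tasks)
    if missing:
        raise LookupError(f"CodeQL jobs not found on push {push}: {sorted(missing)}")
    plan = []
    for lang, (task_id, result) in sorted(tasks.items()):
        if result != "success":
            raise RuntimeError(f"codeql-{lang} task {task_id} finished with {result}")
        for name in artifact_names(task_id, fetch):
            if not name.startswith("public/build/"):
                continue  # skip logs and other non-database artifacts (assumed layout)
            plan.append((f"{TASKCLUSTER_QUEUE}/task/{task_id}/artifacts/{name}",
                         object_key(version, lang, name)))
    return plan


def upload_all(plan: List[Tuple[str, str]],
               upload: Callable[[str, str], None]) -> int:
    """upload(url, key) is injected; a real run would stream the artifact to
    the bucket with credentials held in the CI secret store, not in-tree."""
    for url, key in plan:
        upload(url, key)
    return len(plan)


if __name__ == "__main__":
    # Live dry run against the 80.0 revision linked in this bug (needs network).
    for url, key in plan_uploads("mozilla-release",
                                 "bd5d1f49975deb730064a16b3079edb53c4a5f84",
                                 "80.0", http_json):
        print(f"{url} -> s3://{BUCKET}/{key}")
```

Running it prints the planned copies without touching the bucket; wiring `upload_all` to a real uploader is the only step that needs credentials, which keeps the token out of the in-tree job definition.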

Is there an email list we can use for notifications? If not, who should we email?

Flags: needinfo?(tom)

I don't have a list, I'm not sure what the best way to make one would be. You can copy freddy@ for a second person.

Flags: needinfo?(tom)

If this sticks, we just need to worry about 81: uplift or manually run. Creating a mailing list would be preferable, in that we can change the list without making in-tree changes and people leaving doesn't result in bouncing emails. Can be a follow-up.

Pushed by asasaki@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4fae0d44206b
run codeql on firefox ship phase r=releng-reviewers,jlorenzo DONTBUILD
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

run-on-projects: [] should keep us from running this elsewhere. If we do enable it, we don't want to optimize it out.

Pushed by asasaki@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/464afa57a9c4
don't optimize out codeql-cpp. r=taskgraph-reviewers,bhearsum DONTBUILD
