Automatically run CodeQL jobs on shipped builds
Categories: Release Engineering :: Release Automation: Other (enhancement)
Tracking: firefox82 fixed
People: Reporter: tjr, Assigned: Callek
Attachments: 2 files
When we ship a major release (e.g. 77.0 but not 77.0.1 or 68.2) on the release channel, we would like to automatically run the two codeql jobs (cpp and js). They can be Tier 2.
They can run elsewhere, but it will be wasted resources. (It would really be wasteful to run them on Beta/Nightly/ESR; less wasteful to run on point releases of the release channel.) It makes sense to only have them run after we have decided that this particular build will be the one we ship to users. There are no time desires here.
After the jobs are run I will need to download the artifacts and then upload them somewhere else; so if there was some way of being notified when they ran (success or fail) that would be helpful, because I otherwise don't know how to find the specific treeherder build we shipped to users.
Comment 1•4 years ago
> After the jobs are run I will need to download the artifacts and then upload them somewhere else;
Some more details on this bit might be useful, as that seems like it might be something that could be automated.
Comment 2•4 years ago (Reporter)
(In reply to Tom Prince [:tomprince] from comment #1)
> > After the jobs are run I will need to download the artifacts and then upload them somewhere else;
> Some more details on this bit might be useful, as that seems like it might be something that could be automated.
Probably, but it might be more effort than desired. I have an S3 bucket in our AWS dev account that is public for researchers to download the artifacts: https://bug-bounty-codeql-databases.s3.us-east-2.amazonaws.com/index.html
Presumably some work could be done to store API tokens, rename the file, and then upload it to the bucket which would certainly be nice; but right now my priority is having the builds run automatically so I don't need to bug the releng team to hit the button for me each release.
Comment 3•4 years ago (Assignee)
Set this manually for 78.0.2 just now: https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&searchStr=codeql&revision=e56adbbfe01c2443bae35e3d6f34867e36c3828e
Comment 4•4 years ago
Manual steps:
- Find the release revision in treeherder. One way is to look for the `ship_firefox` task. Another is to follow the links from shipit.
- Log in, top right.
- Down arrow at the top right of the push -> `Add New Jobs (search)`.
- Search for `codeql` (may have to use the full list).
- Select `source-test-codeql-javascript` and `build-linux64/codeql-cpp`, `add selected`, `Trigger (2) selected jobs`.
- They'll appear in treeherder. You can use a tool like `task-progress` to monitor without having to watch the web page.
80.0 https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&revision=bd5d1f49975deb730064a16b3079edb53c4a5f84&searchStr=codeql
79.0 https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&revision=df3ed76cf46b23c9b658cd5be4cdd4162d86f736&searchStr=codeql
Comment 5•4 years ago
Is there an email list we can use for notifications? If not, who should we email?
Comment 6•4 years ago
Comment 7•4 years ago (Reporter)
I don't have a list, I'm not sure what the best way to make one would be. You can copy freddy@ for a second person.
Comment 8•4 years ago
If this sticks, we just need to worry about 81: uplift or manually run. Creating a mailing list would be preferable, in that we can change the list without making in-tree changes and people leaving don't result in bouncing emails. Can be a followup.
Pushed by asasaki@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4fae0d44206b run codeql on firefox ship phase r=releng-reviewers,jlorenzo DONTBUILD
Comment 10•4 years ago (bugherder)
Comment 11•4 years ago
`run-on-projects: []` should keep us from running this elsewhere. If we do enable it, we don't want to optimize it out.
Comment 12•4 years ago
Pushed by asasaki@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/464afa57a9c4 don't optimize out codeql-cpp. r=taskgraph-reviewers,bhearsum DONTBUILD
Comment 13•4 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/123d1313ef7e525d3c18ed19e0eb09e20bc9354a
Should run codeql-cpp next cycle.
Comment 14•4 years ago (bugherder)