Actions don't work in Github pull-requests
Categories: Release Engineering :: Firefox-CI Administration, defect
People: Reporter ahal, Unassigned
For a while now I've noticed that you can't seem to run actions on a task created from a Github pull-request. I don't know if this is universal (I suspect it is), but I've at least noticed it on app-services, mozilla-vpn-client and taskgraph.
Here's an example when I try to do the rerun action:
The role hook-id:project-mozillavpn/in-tree-action-1-generic/64e4ae3879 does not have sufficient scopes to create the task:
Client ID static/taskcluster/hooks does not have sufficient scopes and is missing the following scopes:
{
  "AllOf": [
    "assume:repo:github.com/mozilla-mobile/mozilla-vpn-client:action:generic",
    "queue:route:tc-treeherder.v2.mozilla-vpn-client.dc99636cd956ad357a8e8894e2de70c90cfb9552",
    "queue:scheduler-id:mozillavpn-level-3",
    {
      "AnyOf": [
        "queue:create-task:highest:mozillavpn-3/decision",
        "queue:create-task:very-high:mozillavpn-3/decision",
        "queue:create-task:high:mozillavpn-3/decision",
        "queue:create-task:medium:mozillavpn-3/decision",
        "queue:create-task:low:mozillavpn-3/decision",
        "queue:create-task:very-low:mozillavpn-3/decision",
        "queue:create-task:lowest:mozillavpn-3/decision"
      ]
    }
  ]
}
This request requires the client to satisfy the following scope expression:
{
  "AllOf": [
    "assume:repo:github.com/mozilla-mobile/mozilla-vpn-client:action:generic",
    "queue:route:checks",
    "queue:route:tc-treeherder.v2.mozilla-vpn-client.dc99636cd956ad357a8e8894e2de70c90cfb9552",
    "queue:create-task:project:none",
    "queue:scheduler-id:mozillavpn-level-3",
    {
      "AnyOf": [
        "queue:create-task:highest:mozillavpn-3/decision",
        "queue:create-task:very-high:mozillavpn-3/decision",
        "queue:create-task:high:mozillavpn-3/decision",
        "queue:create-task:medium:mozillavpn-3/decision",
        "queue:create-task:low:mozillavpn-3/decision",
        "queue:create-task:very-low:mozillavpn-3/decision",
        "queue:create-task:lowest:mozillavpn-3/decision"
      ]
    }
  ]
}
I've always just sort of shrugged when I saw this, but today I decided to dig into it. I noticed that in the full TC config, the hook-id:project-mozillavpn/in-tree-action-1-generic/* role only had scopes to assume the staging-mozilla-vpn-client repo (but not the main mozilla-vpn-client repo).
This was strange, so after some time staring at projects.yml, actions.yml and grants.yml and finding no discernible difference between the two, I dug into the code that generates these roles.
Turns out there's a bug here:
https://hg.mozilla.org/ci/ci-configuration/file/ba5e3180c580d6cee523744777df0a8e39a0c194/src/ciadmin/generate/in_tree_actions.py#l276
This is supposed to build a dict that looks like:
{
(<trust_domain>, <level>): [<project>]
}
But notice how it only appends projects based on their level defined in projects.yml. So in our example, the expected result should be:
{
    ("mozillavpn", 3): ["mozilla-vpn-client"],
    ("mozillavpn", 1): ["mozilla-vpn-client", "staging-mozilla-vpn-client"],
}
Instead we get:
{
    ("mozillavpn", 3): ["mozilla-vpn-client"],
    ("mozillavpn", 1): ["staging-mozilla-vpn-client"],
}
This explains why the hook only assumes the staging repo in its scopes and not the main one. The fix is to append projects to all levels <= their defined level, rather than only to their defined level.
I am a bit confused if this is a regression, or if actions in pull requests have just been broken since the dawn of time.
Comment 1 • 2 years ago (reporter)
Hm, this is probably by design, as those repo:github.com/mozilla-mobile/mozilla-vpn-client:action:generic roles have level 3 roles in them. Is there a reason we don't have scopes for level 1 actions? I guess further investigation is needed.
Comment 2 • 2 years ago (reporter)
Aki, any chance you have context to add? I'm guessing this is tricky due to the PR repo not necessarily being the same as the main repo. Do you recall if there have been any attempts to fix this in the past?
Comment 3 • 2 years ago
- The level comes from the repo, because we don't set level based on branch. For main-repo development branches, this means we get level 3 tasks when we should probably get level 1 tasks. We should likely encode release branch patterns into .taskcluster.yml and only set those branches to level 3; the rest should be level 1. https://github.com/mozilla-mobile/fenix/blob/b4bc3918a8532f8382b69bc9e8104e21f01d6b97/.taskcluster.yml#L89-L92
- For non-main-repo pull-requests, this generally means we don't get any action scopes, because the repository of record for the pull request is not enabled in ci-config. Because a pull request for a repo can come from just about any repository on Github, we have no way of granting scopes to all possible source repos, other than granting those scopes to the entire internet.
However, I have heard that one or more intelligent and talented folks are hacking on tc-github. tc-github specifies what scopes we're going to grant to a given task from a given event, possibly in conjunction with taskgraph. Someone with motivation, skill, taskgraph know-how, and maybe some luck, could, potentially, alter the scopes that we grant to an action on a pull request to be level-1 but base it on the target repo.
This is a fairly large change, if it's even technically feasible. We likely want to discuss/propose/RFC/RRA this idea. But that change could fix a lot of what makes Github taskgraph + taskcluster difficult to use.