firefox-android: Stop using fennec-related scopes
Categories
(Release Engineering :: General, task)
Tracking
(firefox111 fixed, firefox112 fixed, firefox113 fixed)
People
(Reporter: jlorenzo, Assigned: gbrown)
References
Details
Attachments
(5 files)
- 59 bytes, text/x-github-pull-request
- 63 bytes, text/x-github-pull-request
- 63 bytes, text/x-github-pull-request
- 59 bytes, text/x-github-pull-request (dmeehan: approval-mozilla-release+)
- 59 bytes, text/x-github-pull-request (diannaS: approval-mozilla-beta+)
In bug 1808607, we realized quite late that we still required some fennec scopes. In bug 1812983, we took care of the Google Play config. Let's handle signing keys and other fennec-related scopes.
Assignee
Comment 1•2 years ago
:jlorenzo - What did you have in mind here?
The only remaining "fennec" grant is project:mobile:firefox-android:releng:signing:cert:fennec-production-signing: https://hg.mozilla.org/ci/ci-configuration/annotate/21f22b8337ce1c3d0f6fabc708671d8d0fb10702/grants.yml#l1729 . The firefox-android repo refers to that scope via https://github.com/mozilla-mobile/firefox-android/blob/main/taskcluster/android_taskgraph/transforms/signing_apk.py#L78
firefox-android's push-apk kind also references fennec certificate-alias, https://github.com/mozilla-mobile/firefox-android/blob/main/taskcluster/ci/push-apk/kind.yml#L38, and channels, https://github.com/mozilla-mobile/firefox-android/blob/main/taskcluster/ci/push-apk/kind.yml#L49 and I see fennec references in the push-apk scriptworker, https://github.com/mozilla-releng/scriptworker-scripts/blob/master/pushapkscript/docker.d/worker.yml#L24.
The current state seems harmless to me: I'm tempted to wontfix this, but open to other ideas.
Reporter
Comment 2•2 years ago
Thank you for your extensive analysis, :gbrown! I agree, my couple of sentences were quite cryptic 😅 The push-apk kind[1] you highlighted shows the issue best, in my opinion:
    certificate-alias:
        by-build-type:
            fenix-nightly: fenix-production
            fenix-beta: fennec-beta
            fenix-release: fennec-production
To me, we should name the fenix-nightly certificate fenix-nightly instead of fenix-production. A newcomer on the project may righteously believe fenix-production is used to sign fenix-release. I agree it's not a big deal, it's just some cleanup we could do for future readers.
In other words, I'd recommend:
- renaming fenix-production into fenix-nightly
- renaming the fennec- prefix
- stop using the word production since it duplicates release
How does that sound to you, :gbrown?
Assignee
Comment 3•2 years ago
Assignee
Comment 4•2 years ago
(In reply to Johan Lorenzo [:jlorenzo] from comment #2)
> How does that sound to you, :gbrown?
That sounds good - should work out nicely.
Comment 5•2 years ago
Assignee
Comment 6•2 years ago
Review of .pem files in pushapkscript:
- dep.pem is completely unreferenced; let's delete it
- mozillavpn.pem, reference_browser_(dep|release).pem, and focus_(dep|release).pem are consistently named and referenced -- let's keep those untouched
- *_dep.pem are consistently named and referenced in the non-prod environment; let's keep those untouched
    import_cert fenix $CERT_DIR/fenix_dep.pem
    import_cert focus $CERT_DIR/focus_dep.pem
    import_cert reference-browser $CERT_DIR/reference_browser_dep.pem
- the remaining fennec/fenix cases are confusing and inconsistent:
    import_cert fennec-nightly $CERT_DIR/nightly.pem
    import_cert fennec-beta $CERT_DIR/release.pem
    import_cert fennec-production $CERT_DIR/release.pem
    import_cert fenix-nightly $CERT_DIR/fenix_nightly.pem
    import_cert fenix-beta $CERT_DIR/fenix_beta.pem
    import_cert fenix-production $CERT_DIR/fenix_production.pem
Note that release.pem is used for both fennec-beta and fennec-production: 5 .pem files map to 6 certificate-aliases.
Assignee
Comment 7•2 years ago
The mapping in worker.yml of fennec/fenix certificate aliases is also inconsistent.
Prod:
fennec-beta:
package_names: [ "org.mozilla.firefox_beta" ]
certificate_alias: 'fennec-beta'
google:
default_track: 'alpha'
service_account: { "$eval": "GOOGLE_PLAY_SERVICE_ACCOUNT_FENIX_BETA" }
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_BETA_PATH" }
fennec-production:
package_names: [ "org.mozilla.firefox" ]
certificate_alias: 'fennec-production'
google:
default_track: 'alpha'
service_account: { "$eval": "GOOGLE_PLAY_SERVICE_ACCOUNT_FENIX_RELEASE" }
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_RELEASE_PATH" }
production:
package_names: [ "org.mozilla.fenix" ]
certificate_alias: 'fenix-production'
google:
default_track: 'production'
service_account: { "$eval": "GOOGLE_PLAY_SERVICE_ACCOUNT_FENIX_NIGHTLY" }
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_NIGHTLY_PATH" }
Non-prod:
fennec-nightly:
package_names: [ "org.mozilla.fennec_aurora" ]
certificate_alias: 'fennec-nightly'
google:
default_track: 'beta'
service_account: 'dummy'
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
fennec-beta:
package_names: [ "org.mozilla.firefox_beta" ]
certificate_alias: 'fennec-beta'
google:
default_track: 'alpha'
service_account: 'dummy'
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
fennec-production:
package_names: [ "org.mozilla.firefox" ]
certificate_alias: 'fennec-production'
google:
default_track: 'alpha'
service_account: 'dummy'
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
nightly:
package_names: [ "org.mozilla.fenix.nightly" ]
certificate_alias: 'fenix-nightly'
google:
default_track: 'beta'
service_account: 'dummy'
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
beta:
package_names: [ "org.mozilla.fenix.beta" ]
certificate_alias: "fenix-beta"
google:
default_track: 'beta-closed'
service_account: 'dummy'
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
production:
package_names: [ "org.mozilla.fenix" ]
certificate_alias: 'fenix-production'
google:
default_track: 'internal'
service_account: 'dummy'
credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
Note that certificate aliases fennec-beta, fennec-production, and fenix-production are used in both prod and non-prod environments: 6 certificate aliases map to 9 apps (6 unique app names).
fennec-nightly (non-prod) references package name org.mozilla.fennec_aurora; all others reference firefox/fenix package names.
Assignee
Comment 8•2 years ago
In the firefox-android repo, the push-apk kind maps:
    certificate-alias:
        by-build-type:
            fenix-nightly: fenix-production
            fenix-beta: fennec-beta
            fenix-release: fennec-production
These values are sent as the certificate_alias of the task payload, but, afaict, pushapk does not use them (it uses the certificate_alias associated with the app in worker.yml). Rename them here as desired?
Are channels also relevant here?
    channel:
        by-build-type:
            fenix-nightly: production
            fenix-release: fennec-production
            fenix-beta: fennec-beta
Assignee
Comment 9•2 years ago
(In reply to Geoff Brown [:gbrown] from comment #8)
> Are channels also relevant here?
It's complicated, but yes.
The pushapkscript config includes override_channel_model; if "single_google_app" (used for reference-browser and mozillavpn), the task's channel is used as the google_track.
override_channel_model can also be "choose_google_app_with_scope", but that appears to be unused.
If override_channel_model is not specified (focus, fenix), the task's channel is used as an apps sub-key in the product config.
We probably want:
    fenix-nightly: production -> fenix-nightly
    fenix-beta: fennec-beta -> fenix-beta
    fenix-release: fennec-production -> fenix-release
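The channel-to-app resolution described in comment 9 and the alias inconsistencies listed in comments 6 and 7, modelled in Python as an added example. This is not code from pushapkscript or firefox-android: the config dicts are a simplified, constructed reconstruction of the worker.yml fragments quoted above, the `override_channel_model` name is taken from comment 9, and the single `app` key used for the single-app model, the `resolve_app` and `lint_aliases` helpers, and the reference-browser package name are assumptions made for illustration.

```python
"""Model of how a task's ``channel`` selects an app config (comment 9) and a
lint that reproduces the certificate-alias inconsistencies from comments 6
and 7.  Added example; not pushapkscript's own code.  The config shape is a
simplified reconstruction of the quoted worker.yml fragments; the ``app`` key
for the single-app model is an assumption."""

# Constructed sample: alias -> .pem, as listed for the prod image in comment 6.
ALIAS_TO_PEM = {
    "fennec-nightly": "nightly.pem",
    "fennec-beta": "release.pem",
    "fennec-production": "release.pem",
    "fenix-nightly": "fenix_nightly.pem",
    "fenix-beta": "fenix_beta.pem",
    "fenix-production": "fenix_production.pem",
}


def _app(package, alias, track):
    return {"package_names": [package], "certificate_alias": alias,
            "google": {"default_track": track}}


# Constructed sample: apps sub-keys per environment, from comment 7.
PROD_APPS = {
    "fennec-beta": _app("org.mozilla.firefox_beta", "fennec-beta", "alpha"),
    "fennec-production": _app("org.mozilla.firefox", "fennec-production", "alpha"),
    "production": _app("org.mozilla.fenix", "fenix-production", "production"),
}
NONPROD_APPS = {
    "fennec-nightly": _app("org.mozilla.fennec_aurora", "fennec-nightly", "beta"),
    "fennec-beta": _app("org.mozilla.firefox_beta", "fennec-beta", "alpha"),
    "fennec-production": _app("org.mozilla.firefox", "fennec-production", "alpha"),
    "nightly": _app("org.mozilla.fenix.nightly", "fenix-nightly", "beta"),
    "beta": _app("org.mozilla.fenix.beta", "fenix-beta", "beta-closed"),
    "production": _app("org.mozilla.fenix", "fenix-production", "internal"),
}

PRODUCTS = {
    "fenix": {"apps": PROD_APPS},
    # Single-app model (reference-browser, mozillavpn): the channel IS the track.
    # Package name below is an assumption for the example.
    "reference-browser": {
        "override_channel_model": "single_google_app",
        "app": _app("org.mozilla.reference.browser", "reference-browser", "beta"),
    },
}


def resolve_app(product_cfg, channel):
    """Return the app config plus the Google Play track a task would push to."""
    model = product_cfg.get("override_channel_model")
    if model == "single_google_app":
        app = product_cfg["app"]
        track = channel                       # channel doubles as the track
    elif model is None:
        apps = product_cfg["apps"]
        if channel not in apps:               # e.g. a renamed channel worker.yml does not know yet
            raise KeyError(f"channel {channel!r} is not an apps sub-key; known: {sorted(apps)}")
        app = apps[channel]
        track = app["google"]["default_track"]
    else:
        raise ValueError(f"unsupported override_channel_model {model!r}")
    return {**app, "google": {**app["google"], "track": track}}


def lint_aliases(alias_to_pem, envs):
    """envs: {env_name: apps}.  Returns sorted findings: .pem files backing
    several aliases, aliases with no imported certificate, and aliases reused
    across environments."""
    findings = []
    by_pem = {}
    for alias, pem in alias_to_pem.items():
        by_pem.setdefault(pem, []).append(alias)
    for pem, aliases in by_pem.items():
        if len(aliases) > 1:
            findings.append(f"{pem} backs {len(aliases)} aliases: {', '.join(sorted(aliases))}")
    alias_envs = {}
    for env, apps in envs.items():
        for key, app in apps.items():
            alias = app["certificate_alias"]
            alias_envs.setdefault(alias, set()).add(env)
            if alias not in alias_to_pem:
                findings.append(f"{env}/{key}: alias {alias!r} has no imported certificate")
    for alias, used in alias_envs.items():
        if len(used) > 1:
            findings.append(f"alias {alias!r} used in both {' and '.join(sorted(used))}")
    return sorted(findings)


if __name__ == "__main__":
    for line in lint_aliases(ALIAS_TO_PEM, {"prod": PROD_APPS, "non-prod": NONPROD_APPS}):
        print(line)
```

Run stand-alone, the lint reports release.pem backing two aliases and the three aliases shared between prod and non-prod, which is exactly what comments 6 and 7 call out. `resolve_app` also shows why the push-apk rename and the pushapkscript cleanup have to be sequenced: a task that sends a channel the worker config has no apps sub-key for (for example fenix-release before worker.yml learns that name) fails the lookup instead of pushing to the wrong app.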
Comment 10•2 years ago
Comment 11•2 years ago
Assignee
Comment 12•2 years ago
Comment 13•2 years ago
Assignee
Comment 14•2 years ago
Comment on attachment 9324461 [details] [review]
[mozilla-mobile/firefox-android] Bug 1817466 - Use new channel and certificate-alias names in push-apk (backport #1194) (#1365)
Beta/Release Uplift Approval Request
- User impact if declined: Uplift needed so new channel names are used on all branches, enabling further cleanup in pushapkscript.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Change limited to push-apk tasks. Nightlies appear to be working fine.
- String changes made/needed: no
- Is Android affected?: Yes
Assignee
Comment 15•2 years ago
Comment on attachment 9324460 [details] [review]
[mozilla-mobile/firefox-android] Bug 1817466 - Use new channel and certificate-alias names in push-apk (backport #1194) (#1364)
Beta/Release Uplift Approval Request
- User impact if declined: Uplift needed so new channel names are used on all branches, enabling further cleanup in pushapkscript.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Change limited to push-apk tasks. Nightlies appear to be working fine.
- String changes made/needed: no
- Is Android affected?: Yes
Comment 16•2 years ago
Comment 17•2 years ago
Comment 18•2 years ago
Comment 19•2 years ago