Closed Bug 1876573 Opened 1 year ago Closed 9 months ago

Implement new scriptworker-script for integrating with Bitrise

Categories

(Release Engineering :: Release Automation, enhancement)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ahal, Assigned: ahal)

References

Details

Attachments

(8 files, 1 obsolete file)

63 bytes, text/x-github-pull-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
56 bytes, text/x-github-pull-request
Details | Review
60 bytes, text/x-github-pull-request
Details | Review
63 bytes, text/x-github-pull-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review

Increasingly projects that ship on iOS are relying on Bitrise for their CI/CD needs. While we haven't quite established Bitrise as the recommended place to run iOS CI/CD, we are shaping up towards that point. That said, even if Bitrise were the recommended solution, we don't want to discard the years of other release automation and standards that we have developed in Taskcluster.

It's clear we need some sort of integration between Taskcluster and Bitrise.

The good news is that Bitrise has an API, and you can schedule workflows / pipelines with it. The bad news is that the token used to access the API doesn't have fine grained permissions to schedule specific workflows. This means, there's no way to allow a pull request to run build + test workflows without also allowing them to run release related workflows.

The solution is a new bitrisescript worker in scriptworker-scripts. With this, we can securely schedule sensitive Bitrise workflows by implementing new scopes that contain the name of the workflow or pipeline to trigger. This will also make scheduling Bitrise pipelines CoT friendly, so we can insert them into the release process (either before or after existing Taskcluster release tasks).

I think we'll have at least two sets of scopes, apps and workflows. E.g task might declare the following scopes:

project:mobile:bitrise:app:firefox-ios
project:mobile:bitrise:workflow:release

In Bitrise, pipelines are a series of workflows. We could either invent a third type of scope for those, e.g:

project:mobile:bitrise:pipeline:release

Or we could use the Bitrise API to retrieve the names of the workflows it runs, then only trigger the pipeline if the task has scopes for all workflows therein. A side effect to this is that we'd need to maintain a list of workflows in the task definitions. On the one hand, this could generate busy work. On the other, it could protect against previously "safe" pipelines being modified to have less safe workflows added. For that reason, I like this approach better.

I don't think it's worth adding a separate scope to control an action (e.g trigger-workflow or trigger-pipeline) like we have in other scripts. I believe the workflow / pipeline scopes already cover this. We can look at adding it in the future if we want to implement additional capabilities beyond triggering workflows.

Depends on: 1877285

Pushed by ahalberstadt@mozilla.com:
https://hg.mozilla.org/ci/ci-configuration/rev/3588bb25386a
Add clients for bitrisescript, r=releng-reviewers,hneiva

Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached file GitHub Pull Request: k8s-autoscale (obsolete) —
Attachment #9387871 - Attachment is obsolete: true

bitrise.yaml has been added to relengworker sops

Pushed by ahalberstadt@mozilla.com:
https://hg.mozilla.org/ci/ci-configuration/rev/3776aedcd300
Add bitrisescript grants for firefox-ios / staging-firefox-ios, r=releng-reviewers,jcristau

Status: REOPENED → RESOLVED
Closed: 11 months ago10 months ago
Resolution: --- → FIXED

Missed a couple grants.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Keywords: leave-open

https://hg.mozilla.org/ci/ci-configuration/rev/f691705a3c394b049f50efc89404f874d738fbee
Grant firefox-ios / staging-firefox-ios create-task scope for scriptworkers, r=releng-reviewers,jlorenzo,bhearsum
https://hg.mozilla.org/ci/ci-configuration/rev/204e4200ee75d526f007d764826e3c27d849f4a7
Fix firefox-ios workflow name, r=releng-reviewers,jcristau

There's still some follow-up features to add, but I think we can call this done.

Status: REOPENED → RESOLVED
Closed: 10 months ago9 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: