Implement new scriptworker-script for integrating with Bitrise
Categories
(Release Engineering :: Release Automation, enhancement)
Tracking
(Not tracked)
People
(Reporter: ahal, Assigned: ahal)
Attachments
(8 files, 1 obsolete file)
Increasingly projects that ship on iOS are relying on Bitrise for their CI/CD needs. While we haven't quite established Bitrise as the recommended place to run iOS CI/CD, we are shaping up towards that point. That said, even if Bitrise were the recommended solution, we don't want to discard the years of other release automation and standards that we have developed in Taskcluster.
It's clear we need some sort of integration between Taskcluster and Bitrise.
The good news is that Bitrise has an API, and you can schedule workflows / pipelines with it. The bad news is that the token used to access the API doesn't have fine-grained permissions to schedule specific workflows. This means there's no way to allow a pull request to run build + test workflows without also allowing them to run release related workflows.
The solution is a new bitrisescript worker in scriptworker-scripts. With this, we can securely schedule sensitive Bitrise workflows by implementing new scopes that contain the name of the workflow or pipeline to trigger. This will also make scheduling Bitrise pipelines CoT friendly, so we can insert them into the release process (either before or after existing Taskcluster release tasks).
I think we'll have at least two sets of scopes, apps and workflows. E.g. a task might declare the following scopes:
project:mobile:bitrise:app:firefox-ios
project:mobile:bitrise:workflow:release
In Bitrise, pipelines are a series of workflows. We could either invent a third type of scope for those, e.g:
project:mobile:bitrise:pipeline:release
Or we could use the Bitrise API to retrieve the names of the workflows it runs, then only trigger the pipeline if the task has scopes for all workflows therein. A side effect to this is that we'd need to maintain a list of workflows in the task definitions. On the one hand, this could generate busy work. On the other, it could protect against previously "safe" pipelines being modified to have less safe workflows added. For that reason, I like this approach better.
I don't think it's worth adding a separate scope to control an action (e.g. trigger-workflow or trigger-pipeline) like we have in other scripts. I believe the workflow / pipeline scopes already cover this. We can look at adding it in the future if we want to implement additional capabilities beyond triggering workflows.
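The pipeline check proposed in the description, as an added example that is not part of the original bug and is not bitrisescript's own code. The function names, the `ScopeError` class and the sample workflow names are assumptions; the list of workflows is passed in, standing in for whatever the Bitrise API returns.

```python
# Added illustration; all names here are hypothetical, not bitrisescript's API.
SCOPE_PREFIX = "project:mobile:bitrise:"  # prefix used by the scopes in the description


class ScopeError(Exception):
    """Raised when a task lacks a scope needed for the requested trigger."""


def extract(scopes, kind):
    """Return the names granted for one kind of scope ('app' or 'workflow')."""
    prefix = f"{SCOPE_PREFIX}{kind}:"
    # Names are compared exactly below, so 'release' never covers 'release-beta'.
    return {s[len(prefix):] for s in scopes if s.startswith(prefix) and len(s) > len(prefix)}


def authorize_pipeline(task_scopes, app, pipeline_workflows):
    """Allow a pipeline only if the task holds the app scope and a workflow
    scope for every workflow the pipeline currently runs.

    pipeline_workflows is assumed to be the live workflow list for the
    pipeline, fetched at trigger time rather than cached.
    """
    if app not in extract(task_scopes, "app"):
        raise ScopeError(f"missing scope {SCOPE_PREFIX}app:{app}")
    if not pipeline_workflows:
        # Fail closed: an empty list means we cannot see what would run.
        raise ScopeError("pipeline has no known workflows")
    missing = sorted(set(pipeline_workflows) - extract(task_scopes, "workflow"))
    if missing:
        raise ScopeError("missing workflow scopes: " + ", ".join(missing))
    return sorted(set(pipeline_workflows))


# Constructed sample: scopes a pull-request task might carry.
PR_TASK_SCOPES = [
    "project:mobile:bitrise:app:firefox-ios",
    "project:mobile:bitrise:workflow:build",
    "project:mobile:bitrise:workflow:test",
]

if __name__ == "__main__":
    print(authorize_pipeline(PR_TASK_SCOPES, "firefox-ios", ["build", "test"]))
    try:
        # Same pipeline after someone adds a release workflow to it.
        authorize_pipeline(PR_TASK_SCOPES, "firefox-ios", ["build", "test", "release"])
    except ScopeError as exc:
        print("denied:", exc)
```
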
Comment 2•11 months ago
Pushed by ahalberstadt@mozilla.com:
https://hg.mozilla.org/ci/ci-configuration/rev/3588bb25386a
Add clients for bitrisescript, r=releng-reviewers,hneiva
Comment 7•11 months ago
bitrise.yaml has been added to relengworker sops
Comment 10•10 months ago
Pushed by ahalberstadt@mozilla.com:
https://hg.mozilla.org/ci/ci-configuration/rev/3776aedcd300
Add bitrisescript grants for firefox-ios / staging-firefox-ios, r=releng-reviewers,jcristau
Comment 11•10 months ago
Missed a couple grants.
Comment 14•10 months ago
https://hg.mozilla.org/ci/ci-configuration/rev/f691705a3c394b049f50efc89404f874d738fbee
Grant firefox-ios / staging-firefox-ios create-task scope for scriptworkers, r=releng-reviewers,jlorenzo,bhearsum
https://hg.mozilla.org/ci/ci-configuration/rev/204e4200ee75d526f007d764826e3c27d849f4a7
Fix firefox-ios workflow name, r=releng-reviewers,jcristau
Comment 15•9 months ago
There's still some follow-up features to add, but I think we can call this done.