Bug 1597598 - fix check_ci_groups_trigger_hook with allowlist. r=tomprince
authorAki Sasaki <asasaki@mozilla.com>
Fri, 05 Jun 2020 17:27:53 +0000
changeset 234 947e18c353cbfb4d3aebc5b5fe5dc9525c288510
parent 233 4a787c62d44e36e901fb463b8686bdb3ea1d5ce0
child 235 c8bea4226f75714cd1bc65b750df5515d0a21ce4
push id169
push userasasaki@mozilla.com
push dateFri, 05 Jun 2020 17:28:44 +0000
reviewerstomprince
bugs1597598
Bug 1597598 - fix check_ci_groups_trigger_hook with allowlist. r=tomprince Differential Revision: https://phabricator.services.mozilla.com/D78444
src/ciadmin/check/check_hg_push_scopes.py
--- a/src/ciadmin/check/check_hg_push_scopes.py
+++ b/src/ciadmin/check/check_hg_push_scopes.py
@@ -75,14 +75,17 @@ def check_repos_create_task(repo_roles, 
     """
     for roleId, role_scopes in repo_roles.items():
         for queue_scope in create_task_scopes:
             assert not satisfies(role_scopes, [queue_scope])
 
 
 def check_ci_groups_trigger_hook(ci_group_roles, hg_push_hooks):
     """
-    Verify that no ci-groups have permission to trigger hg-push hooks
+    Verify only allow-listed ci-groups have permission to trigger hg-push hooks
     """
     for roleId, role_scopes in ci_group_roles.items():
+        # allowlist
+        if roleId in ("project:releng:ci-group:sheriff", "project:releng:ci-group:releng"):
+            continue
         for hookId in hg_push_hooks:
             hook_scope = "hooks:trigger-hook:hg-push/" + hookId
             assert not satisfies(role_scopes, [hook_scope])
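Review bot: The allowlist added at L32 is an inline tuple inside the loop with no statement of why those two ci-groups are exempt from the hg-push trigger-hook check, so the next person to widen it has nothing to justify the exemption against; I would hoist it to a module-level constant with a why-comment, `HG_PUSH_TRIGGER_HOOK_ALLOWLIST = frozenset({"project:releng:ci-group:sheriff", "project:releng:ci-group:releng"})  # groups that may trigger hg-push hooks; any addition needs review`, and test `if roleId in HG_PUSH_TRIGGER_HOOK_ALLOWLIST: continue`. The bare `assert` at L36 also mirrors the existing style at L22 but reports nothing useful on failure, so a regression in role scopes would surface as an anonymous AssertionError; `assert not satisfies(role_scopes, [hook_scope]), f"{roleId} may trigger {hook_scope}"` names the offending role and hook. The docstring at L28 could list the allow-listed groups (or point at the constant) so the stated invariant matches the code. The body of check_ci_groups_trigger_hook may continue past the end of this hunk.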