Bug 1680809 - Clean up thunderbird-sheriff/releng access. r=releng-reviewers,aki
Effectively this change will give justdave the ability to update Treestatus.
Jorg is no longer with the project and his LDAP account is deactivated.
Differential Revision: https://phabricator.services.mozilla.com/D98804
# Grants of scopes to repos or user groups, or parts of projects
#
# Format:
# - grant:
#   - <scope>
#   - ..
#   to:
#   - <grantee>
#   - ..
#
# The `grant` property specifies the scopes to be granted. Each will have {..}
# parameters expanded with parameters from the grantees selected.
#
# ## Projects
#
# A grantee can either be a project or a user group. A project looks like this:
#
# - projects:
#     level: [2, 3]   # condition
#     job: ["branch:default", "cron:*"]
#
# The top-level property can be `projects` or `project`, whichever reads better.
#
# The conditions select matching projects from projects.yml. Each specifies a
# condition name and either a single value or an array of values. For an array
# of values, a project with any value in the array is matched. The conditions
# are AND'ed together. Available conditions are:
#
# * access
# * level (as derived from access or directly specified)
# * alias
# * feature (projects with the given feature or, for `!feature`, projects without)
# * is_try (true/false)
# * trust_domain
# * job
#
# "job" is a little special: it is a list of the jobs on the matching projects
# to which the grant applies. These are suffixes to the `repo` roles,
# defaulting to "*":
#
# * * (all jobs on the repo)
# * branch:default (pushes to the repo)
# * cron:<job> (cron jobs; kleene-* is allowed)
# * action:<actionPerm> (action jobs; kleene-* is allowed)
#
# The following expansions of the granted scopes are performed:
#
# * {alias} (project alias)
# * {level} (numeric level; not substituted if this repo has no numeric level)
# * {repo_path} (path of the repository, e.g. on hg.mozilla.org or github.com, if the repo is on that host)
# * {trust_domain}
#
# ## User Groups
#
# A user group grantee looks like this:
#
# - group: <groupName>
# or
# - groups: [<group1>, <group2>, ..]
#
# The property name can be `group` or `groups`, whichever reads better.
#
# The resulting scopes are granted to role `project:releng:ci-group:<groupName>`.
# Then `assume:project:releng:ci-group:<groupName>` to the appropriate access-control
# role, hopefully with the same name. This indirection exists because `mozilla-group`
# role changes need access to the cluster's root credentials.
#
# No expansions are available for user groups.
---
# Platform roles
- grant:
    # Scopes assigned to credentials generated by taskcluster-login; so, to human users.
    # The `*` matches the user's identity as defined by the taskcluster-login service.
    - auth:create-client:<..>/*
    - auth:delete-client:<..>/*
    - auth:reset-access-token:<..>/*
    - auth:update-client:<..>/*
    - queue:get-artifact:login-identity/<..>/*
    - queue:create-task:highest:built-in/succeed
    - queue:create-task:highest:built-in/fail
  to:
    - roles:
        - login-identity:*

- grant:
    - queue:claim-work:<..>
    - queue:worker-id:*
    - secrets:get:worker-type:<..>
    - secrets:get:worker-pool:<..>
  to:
    - roles:
        - worker-type:*

- grant:
    - auth:websocktunnel-token:firefoxcitc/*
  to:
    - roles:
        - worker-type:*
      environments: firefoxci

- grant:
    - auth:websocktunnel-token:cloudopsstage/*
  to:
    - roles:
        - worker-type:*
      environments: staging

- grant:
    - auth:sentry:generic-worker
  to:
    - roles:
        - worker-type:releng-hardware/*

### scopes for all gecko-related projects
- grant:
    # coalescing routes support dropping unnecessary tasks under load
    - queue:route:coalesce.v1.{alias}.*
    # allow fetching secrets appropriate to this level
    - secrets:get:project/releng/{trust_domain}/build/level-{level}/*
    # Provide access to sccache buckets
    - assume:project:taskcluster:{trust_domain}:level-{level}-sccache-buckets
  to:
    - project:
        feature: gecko-roles

- grant:
    # access to workers; all levels have access to the same workers, but at
    # different priorities and levels
    - queue:create-task:{priority}:scriptworker-k8s/{trust_domain}-{level}-*
    - queue:create-task:{priority}:scriptworker-k8s/{trust_domain}-t-*
  to:
    - project:
        feature: gecko-roles
        trust_domain: [gecko, comm]

- grant:
    - auth:aws-s3:read-write:comm-central-level-1-sccache-eu-central-1/*
    - auth:aws-s3:read-write:comm-central-level-1-sccache-us-east-1/*
    - auth:aws-s3:read-write:comm-central-level-1-sccache-us-west-1/*
    - auth:aws-s3:read-write:comm-central-level-1-sccache-us-west-2/*
  to:
    - role:
        - project:taskcluster:comm:level-1-sccache-buckets

- grant:
    - auth:aws-s3:read-write:comm-central-level-2-sccache-eu-central-1/*
    - auth:aws-s3:read-write:comm-central-level-2-sccache-us-east-1/*
    - auth:aws-s3:read-write:comm-central-level-2-sccache-us-west-1/*
    - auth:aws-s3:read-write:comm-central-level-2-sccache-us-west-2/*
  to:
    - role:
        - project:taskcluster:comm:level-2-sccache-buckets

- grant:
    - auth:aws-s3:read-write:comm-central-level-3-sccache-eu-central-1/*
    - auth:aws-s3:read-write:comm-central-level-3-sccache-us-east-1/*
    - auth:aws-s3:read-write:comm-central-level-3-sccache-us-west-1/*
    - auth:aws-s3:read-write:comm-central-level-3-sccache-us-west-2/*
  to:
    - role:
        - project:taskcluster:comm:level-3-sccache-buckets

- grant:
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-eu-central-1/*
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-us-east-1/*
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-us-west-1/*
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-us-west-2/*
    - auth:gcp:access-token:sccache-3/sccache-l1*
  to:
    - role:
        - project:taskcluster:gecko:level-1-sccache-buckets

- grant:
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-eu-central-1/*
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-us-east-1/*
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-us-west-1/*
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-us-west-2/*
    - auth:gcp:access-token:sccache-3/sccache-l2*
  to:
    - role:
        - project:taskcluster:gecko:level-2-sccache-buckets

- grant:
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-eu-central-1/*
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-us-east-1/*
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-us-west-1/*
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-us-west-2/*
    - auth:gcp:access-token:sccache-3/sccache-l3*
  to:
    - role:
        - project:taskcluster:gecko:level-3-sccache-buckets

- grant:
    # access to workers; all levels have access to the same workers, but at
    # different priorities and levels
    - queue:create-task:{priority}:bitbar/gecko-t-*
    - queue:create-task:{priority}:gecko-{level}/*
    - queue:create-task:{priority}:gecko-t/*
    - queue:create-task:{priority}:releng-hardware/gecko-{level}-*
    - queue:create-task:{priority}:releng-hardware/gecko-t-*
    # access to openh264 artifacts; necessary for symbol upload and signing when
    # building new openh264 binaries
    - queue:get-artifact:private/openh264/*
  to:
    - project:
        feature: gecko-roles
        trust_domain: gecko

- grant:
    # Let's not require a separate level 2 pool for hardware
    - queue:create-task:{priority}:releng-hardware/gecko-1-*
  to:
    - project:
        feature: gecko-roles
        trust_domain: gecko
        level: 2

- grant:
    - queue:get-artifact:private/openh264/*
  to:
    - groups:
        - team_moco

- grant:
    # access to OSX testers
    - queue:create-task:{priority}:releng-hardware/gecko-t-osx-*
  to:
    - project:
        feature: gecko-roles
        trust_domain: comm

- grant:
    # gecko misc workers (used for index tasks)
    - queue:create-task:{priority}:gecko-t/misc
  to:
    - project:
        feature: gecko-roles
        trust_domain: comm
        alias: comm-esr68

# moz-tree roles include the basic scopes available to version-control trees at
# each of the three Mozilla source-code management levels. They are useful as
# shorthand to configure `repo:*` roles. While most scopes are still contained
# in these grants, prefer to add new grants as separate stanzas in this file,
# and remove scopes from these grants.

# moz-tree:level:1:*
- grant:
    - docker-worker:capability:device:loopbackAudio
    - docker-worker:capability:device:loopbackVideo
    - docker-worker:capability:privileged
    - docker-worker:feature:allowPtrace
    - index:insert-task:garbage.*
    - notify:email:*
    - purge-cache:{trust_domain}-{level}/*
    - purge-cache:{trust_domain}-t/*
    - queue:get-artifact:project/gecko/*
    - queue:route:index.garbage.*
    - queue:route:notify.*
    - secrets:get:project/taskcluster/gecko/hgfingerprint
    - secrets:get:project/taskcluster/gecko/hgmointernal
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]

# moz-tree:level:1:gecko
- grant:
    - generic-worker:allow-rdp:gecko-1/b-win*
    - generic-worker:allow-rdp:gecko-t/t-win*
    - generic-worker:os-group:gecko-t/t-win7-32/Administrators
    - generic-worker:os-group:gecko-t/t-win7-32-beta/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64-alpha/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64-beta/Administrators
    - generic-worker:run-as-administrator:gecko-t/t-win10-64
    - generic-worker:run-as-administrator:gecko-t/t-win10-64-alpha
    - generic-worker:run-as-administrator:gecko-t/t-win10-64-beta
    - project:releng:addons.mozilla.org:server:staging
    - project:releng:balrog:action:*
    - project:releng:balrog:channel:*
    - project:releng:balrog:server:dep
    - project:releng:beetmover:action:*
    - project:releng:beetmover:bucket:dep
    - project:releng:beetmover:bucket:dep-partner
    - project:releng:beetmover:bucket:maven-staging
    - project:releng:bouncer:action:*
    - project:releng:bouncer:server:staging
    - project:releng:bouncer:server:staging-nazgul
    - project:releng:flathub:firefox:mock
    - project:releng:ship-it:action:create-new-release
    - project:releng:ship-it:action:mark-as-shipped
    - project:releng:ship-it:action:mark-as-started
    - project:releng:ship-it:server:staging
    - project:releng:signing:cert:dep-signing
    - project:releng:signing:format:*
    - project:releng:snapcraft:firefox:mock
    - project:releng:treescript:action:*
    - project:releng:treescript:action:tagging
    - queue:create-task:medium:proj-autophone/*
    - queue:create-task:low:bitbar/gecko-t-*
    - queue:create-task:low:scriptworker-prov-v1/signing-mac-dev
    - queue:create-task:low:scriptworker-prov-v1/depsigning-mac-v1
    - queue:get-artifact:releng/partner/*
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]
        trust_domain: gecko

# moz-tree:level:1:comm
- grant:
    - project:comm:thunderbird:releng:balrog:action:*
    - project:comm:thunderbird:releng:balrog:server:dep
    - project:comm:thunderbird:releng:beetmover:action:*
    - project:comm:thunderbird:releng:beetmover:bucket:dep
    - project:comm:thunderbird:releng:bouncer:action:*
    - project:comm:thunderbird:releng:bouncer:server:staging
    - project:comm:thunderbird:releng:bouncer:server:staging-nazgul
    - project:comm:thunderbird:releng:ship-it:action:mark-as-shipped
    - project:comm:thunderbird:releng:ship-it:action:mark-as-started
    - project:comm:thunderbird:releng:ship-it:server:staging
    - project:comm:thunderbird:releng:signing:cert:dep-signing
    - project:comm:thunderbird:releng:signing:format:*
    - project:comm:thunderbird:releng:treescript:action:push
    - project:comm:thunderbird:releng:treescript:action:tagging
    - project:comm:thunderbird:releng:treescript:action:version_bump
    - queue:create-task:low:scriptworker-prov-v1/tb-depsigning-mac-v1
    - secrets:get:project/comm/thunderbird/releng/build/level-1/*
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]
        trust_domain: comm

# moz-tree:level:2:*
- grant:
    - docker-worker:capability:device:phone
    - secrets:get:project/taskcluster/gecko/build/level-2/*
  to:
    - projects:
        feature: gecko-roles
        level: [2, 3]

# moz-tree:level:3:*
- grant:
    - auth:aws-s3:read-write:public-qemu-images/repository/hg.mozilla.org/mozilla-central/*
    - docker-worker:feature:balrogStageVPNProxy
    - docker-worker:feature:balrogVPNProxy
    - secrets:get:project/taskcluster/gecko/build/level-3/*
    - secrets:get:project/civet/github-deploy-key
    - queue:get-artifact:project/civet/*
  to:
    - projects:
        feature: gecko-roles
        level: [3]

# moz-tree:level:3:gecko
- grant:
    - auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
    - project:releng:addons.mozilla.org:server:production
    - project:releng:signing:cert:nightly-signing
    - project:releng:signing:cert:release-signing
    - queue:create-task:highest:proj-autophone/*
    - queue:create-task:highest:scriptworker-prov-v1/depsigning-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/signing-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/mac-notarization-poller
    - queue:route:index.gecko.heavyprofile.*
    - queue:route:notify.email.release+tcstaging@mozilla.com.
    - queue:route:notify.email.release-automation-notifications@mozilla.com.*
  to:
    - projects:
        feature: gecko-roles
        level: [3]
        trust_domain: gecko

# moz-tree:level:3:comm
- grant:
    - queue:create-task:highest:scriptworker-prov-v1/tb-depsigning-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/tb-signing-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/tb-mac-notarization-poller
    - secrets:get:project/comm/thunderbird/releng/build/level-3/*
  to:
    - projects:
        feature: gecko-roles
        level: [3]
        trust_domain: comm

# tooltool downloads
- grant:
    - docker-worker:relengapi-proxy:tooltool.download.internal
    - docker-worker:relengapi-proxy:tooltool.download.public
    - project:releng:services/tooltool/api/download/internal
    - project:releng:services/tooltool/api/download/public
    # This cache contains cached downloads from tooltool. Since tooltool is
    # content-addressable, and verifies hashes on files in the cache, there is no
    # risk of cache poisoning or collisions.
    - docker-worker:cache:tooltool-cache
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]

- grant:
    # Allow the backfill action to trigger the per-push action that schedules the backfilled tasks.
    - hooks:trigger-hook:project-{trust_domain}/in-tree-action-{level}-backfill/*
  to:
    - projects:
        job: ["action:backfill"]
        feature: [gecko-roles, gecko-actions]
        level: [1, 2, 3]

### project-specific scopes (for esr's to hang onto their old scopes)
- grant:
    - project:releng:balrog:server:beta
    - project:releng:balrog:server:esr
    - project:releng:balrog:server:release
    - project:releng:beetmover:bucket:maven-production
    - project:releng:beetmover:bucket:partner
    - project:releng:beetmover:bucket:release
    - project:releng:bouncer:server:production
    - project:releng:bouncer:server:production-nazgul
    - project:releng:ship-it:server:production
    - project:releng:snapcraft:firefox:beta
    - project:releng:snapcraft:firefox:candidate
    - project:releng:snapcraft:firefox:esr
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-esr68, mozilla-esr78, mozilla-release, mozilla-beta]

# pushing RCs to beta
- grant:
    - project:releng:flathub:firefox:stable
    - project:releng:flathub:firefox:beta
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-release]

- grant:
    - project:releng:flathub:firefox:beta
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-beta]

- grant:
    - project:releng:ship-it:server:production
  to:
    - project:
        job: ["cron:daily-releases"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-esr68, mozilla-beta]

- grant:
    # Allow the scriptworker-canary cron hook to trigger the corresponding action.
    - hooks:trigger-hook:project-{trust_domain}/in-tree-action-{level}-scriptworker-canary/*
  to:
    - project:
        job: ['cron:scriptworker-canary']
        trust_domain: gecko
        level: [3]
        alias: [mozilla-central]

- grant:
    # Allow the scriptworker-canary action to access the trybld-scriptworker key.
    - secrets:get:project/releng/scriptworker/scriptworker-canary-sshkey
  to:
    - project:
        job: ['action:scriptworker-canary']
        trust_domain: gecko
        level: [3]
        alias: [mozilla-central]

- grant:
    - project:comm:thunderbird:releng:balrog:server:release
  to:
    - project:
        job: ["action:release-promotion"]
        trust_domain: comm
        level: [3]
        alias: [comm-esr68, comm-esr78]

- grant:
    - project:comm:thunderbird:releng:balrog:server:beta
  to:
    - project:
        job: ["action:release-promotion"]
        trust_domain: comm
        level: [3]
        alias: comm-beta

- grant:
    - project:comm:thunderbird:releng:signing:cert:nightly-signing
  to:
    - project:
        alias: comm-central

- grant:
    - project:comm:thunderbird:releng:signing:cert:release-signing
  to:
    - project:
        level: [3]
        alias: [comm-esr68, comm-esr78, comm-beta]

- grant:
    - project:comm:thunderbird:releng:beetmover:bucket:release
    - project:comm:thunderbird:releng:bouncer:server:production
    - project:comm:thunderbird:releng:bouncer:server:production-nazgul
    - project:comm:thunderbird:releng:ship-it:server:production
  to:
    - project:
        job: ["action:release-promotion"]
        trust_domain: comm
        level: [3]
        alias: [comm-esr68, comm-esr78, comm-beta]

- grant:
    - project:releng:beetmover:bucket:nightly
    - project:releng:balrog:server:nightly
  to:
    - project:
        alias: oak

- grant:
    # Bug 1527818: Coverity configuration is stored in this secret
    - secrets:get:project/relman/coverity
    # Bug 1527818: Coverity license is stored in this secret
    # It should not be widely available
    - secrets:get:project/relman/coverity-license
    # Bug 1523321: Token for mirroring webrender to github
    - secrets:get:project/webrender-ci/wrupdater-github-token
    # Bug 1604686: Token for gfx github sync.
    - secrets:get:gecko/gfx-github-sync/token
  to:
    - project:
        alias: mozilla-central

- grant:
    # Bug 1599870
    - secrets:get:project/civet/github-deploy-key
    - queue:get-artifact:project/civet/*
  to:
    - project:
        alias:
          - try

- grant:
    # Bug 1618285 (Updatebot)
    - secrets:get:project/updatebot/2/try-sshkey
    - secrets:get:project/updatebot/2/phabricator-token
    - secrets:get:project/updatebot/2/bugzilla-api-key
    - secrets:get:project/updatebot/2/database-password
    - secrets:get:project/updatebot/2/sentry-url
    - secrets:get:project/updatebot/2/sql-proxy-config
    - queue:get-artifact:project/updatebot/*
    - hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
  to:
    - project:
        alias:
          - holly
        level: 2

- grant:
    # Bug 1618285 (Updatebot)
    # Only grant the retrigger permission to -central/holly
    - hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
  to:
    - project:
        alias:
          - mozilla-central
          - holly
        # This ensures that these are not granted to a level 1 repo
        level: 2

- grant:
    # Bug 1618285 (Updatebot)
    - secrets:get:project/updatebot/3/try-sshkey
    - secrets:get:project/updatebot/3/phabricator-token
    - secrets:get:project/updatebot/3/bugzilla-api-key
    - secrets:get:project/updatebot/3/database-password
    - secrets:get:project/updatebot/3/sentry-url
    - secrets:get:project/updatebot/3/sql-proxy-config
    - queue:get-artifact:project/updatebot/*
  to:
    - project:
        alias:
          - mozilla-central
        level: 3

- grant:
    # Bug 1530376: Add scopes for Code Review bot in CI
    - queue:route:project.relman.codereview.*
    # Bug 1541147: Coverity configuration is stored in this secret
    - secrets:get:project/relman/coverity
  to:
    - project:
        alias: try

- grant:
    # Bug 1616786: Allow ci projects to trigger code review bot
    - queue:route:project.relman.codereview.*
  to:
    - project:
        alias: taskgraph-try
    - project:
        alias: ci-configuration-try
    - project:
        alias: ci-admin-try

### Non-gecko tree projects
- grant:
    - docker-worker:feature:allowPtrace
    - queue:create-task:{priority}:localprovisioner/nss-aarch64
    - queue:create-task:{priority}:localprovisioner/nss-macos-10-12
    - queue:create-task:{priority}:localprovisioner/nss-rpi
    - queue:route:index.docker.images.v1.nss.*
    - project:releng:services/tooltool/api/download/internal
    - project:releng:services/tooltool/api/download/public
  to:
    - project:
        alias: nss

- grant:
    - docker-worker:feature:allowPtrace
    - queue:create-task:{priority}:localprovisioner/nss-aarch64
    - queue:create-task:{priority}:localprovisioner/nss-macos-10-12
    - queue:route:index.docker.images.v1.nss-try.*
    - queue:route:project.relman.codereview.*
    - secrets:get:project/relman/coverity-nss
    - project:releng:services/tooltool/api/download/internal
    - project:releng:services/tooltool/api/download/public
  to:
    - project:
        alias: nss-try

- grant:
    # These are public
    - secrets:get:project/taskcluster/gecko/hgfingerprint
    - secrets:get:project/taskcluster/gecko/hgmointernal
    # Allow a sensible scheduler-id
    - queue:scheduler-id:{trust_domain}-level-{level}
    # Allows cancelling tasks with that scheduler-id
    - queue:cancel-task:{trust_domain}-level-{level}/*
    # Allow rerunning tasks with that scheduler-id
    - queue:rerun-task:{trust_domain}-level-{level}/*
    # Allow creating tasks on workers associated to the trust-domain
    - queue:create-task:{priority}:{trust_domain}-{level}/*
    - queue:create-task:{priority}:{trust_domain}-t/*
    - queue:create-task:{priority}:built-in/*
    # routes to support locating tasks that create specific versions of artifacts
    # (toolchains, etc.)
    - queue:route:index.{trust_domain}.cache.level-{level}.*
    - index:insert-task:{trust_domain}.cache.level-{level}.*
    # allow fetching secrets appropriate to this level
    - secrets:get:project/releng/{trust_domain}/build/level-{level}/*
    # allow using worker caches appropriate to this trust domain and level
    - docker-worker:cache:{trust_domain}-level-{level}-*
    - generic-worker:cache:{trust_domain}-level-{level}-*
  to:
    - project:
        feature: trust-domain-scopes

- grant:
    # routes to support indexing by product
    - queue:route:index.{trust_domain}.v2.{alias}.*
    - index:insert-task:{trust_domain}.v2.{alias}.*
  to:
    - project:
        include_pull_requests: false
        feature: trust-domain-scopes

- grant:
    # routes to support indexing by product
    - queue:route:index.{trust_domain}.v2.{alias}-pr.*
    - index:insert-task:{trust_domain}.v2.{alias}-pr.*
  to:
    - project:
        job: ['pull-request']
        feature: trust-domain-scopes

- grant:
    # routes to support reporting to treeherder
    - queue:route:tc-treeherder-stage.{alias}.*
    - queue:route:tc-treeherder.{alias}.*
    - queue:route:tc-treeherder-stage.v2.{alias}.*
    - queue:route:tc-treeherder.v2.{alias}.*
  to:
    - project:
        feature: treeherder-reporting

- grant:
    # routes to support reporting to treeherder
    - queue:route:tc-treeherder-stage.v2.{alias}-pr.*
    - queue:route:tc-treeherder.v2.{alias}-pr.*
  to:
    - project:
        job: ['pull-request']
        feature: treeherder-reporting

- grant:
    - queue:create-task:{priority}:hg-t/*
    - queue:route:notify.irc-channel.*
    - queue:route:tc-treeherder.v2.version-control-tools.*
  to:
    - project:
        alias: version-control-tools

- grant:
    - queue:create-task:low:aws-provisioner-v1/gecko-{level}-decision
    - queue:create-task:low:aws-provisioner-v1/gecko-misc
    - queue:create-task:low:aws-provisioner-v1/gecko-{level}-images
  to:
    - project:
        trust_domain: [taskgraph, ci]

### feature-specific roles
- grant:
    - queue:route:index.{trust_domain}.v2.trunk.revision.*
  to:
    - project:
        feature: is-trunk

### mozilla roles
### FIXME: Bug 1632147 - app-services and glean should be merged under the same
# `trust_domain` so that scopes are bulked together like in the mobile world
#
# - glean specific roles
- grant:
    - queue:create-task:highest:glean-{level}/*
    - queue:route:index.project.glean.cache.level-{level}.*
    - project:releng:services/tooltool/api/download/internal
    - project:mozilla:{trust_project}:releng:signing:cert:dep-signing
    - project:mozilla:{trust_project}:releng:signing:format:*
    - project:mozilla:{trust_project}:releng:beetmover:action:push-to-maven
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-staging
  to:
    - project:
        alias: glean

- grant:
    - project:mozilla:{trust_project}:releng:signing:cert:release-signing
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-production
    - queue:route:notify.email.*
  to:
    - project:
        alias: glean
        level: 3
        job: ["release"]

- grant:
    # TODO Bug 1631839: Remove this scope once the project has migrated to
    # `index.glean.v2.*`.
    - queue:route:index.project.glean.v2.branch.*
  to:
    - project:
        alias: glean
        job: ["branch:*", "release"]

# - application-services specific roles
- grant:
    - docker-worker:taskcluster-proxy:tooltool.download.internal
    # This docker worker cache is still used by the old decision task
    - docker-worker:cache:application-services-*
    - project:releng:services/tooltool/api/download/internal
    - queue:route:index.project.application-services.*
    - queue:create-task:highest:app-services-{level}/*
    - queue:route:notify.email.*
    - project:mozilla:{trust_project}:releng:signing:cert:dep-signing
    - project:mozilla:{trust_project}:releng:signing:format:*
    - project:mozilla:{trust_project}:releng:beetmover:action:push-to-maven
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-staging
  to:
    - project:
        alias: application-services

- grant:
    - project:mozilla:{trust_project}:releng:signing:cert:release-signing
    - secrets:get:project/application-services/gradle-plugin-publish
    - secrets:get:project/application-services/publish
    # TODO Bug 1597329 - Remove these 4 scopes once the naming scheme is applied to the workers.
    # Scopes are somewhat duplicated because this project doesn't use "assume:" scopes on the
    # decision task, yet.
    - queue:create-task:highest:scriptworker-k8s/appservices-3-signing
    - queue:create-task:highest:scriptworker-k8s/appservices-3-beetmover
    # TODO In bug 1632147 we will reorganize scriptworker scopes to re-use the
    # `beetmover-maven-phase` once we have a new `trust_project` for this and
    # the `glean` project
    - project:mozilla:{trust_project}:releng:beetmover:action:push-to-maven
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-production
  to:
    - project:
        alias: application-services
        level: 3
        job: ["release"]

- grant:
    - secrets:get:project/application-services/symbols-token
  to:
    - project:
        alias: application-services
        level: 3
        job: ["release", "branch:*"]

# - scriptworker specific roles
- grant:
    - secrets:get:repo:github.com/mozilla-releng/scriptworker:coveralls
    - secrets:get:repo:github.com/mozilla-releng/scriptworker:github
  to:
    - project:
        alias: scriptworker
        job: ["pull-request", "branch:master"]

# - balrog specific roles
- grant:
    - secrets:get:repo:github.com/mozilla-releng/balrog:coveralls
  to:
    - project:
        alias: balrog
        job: ["pull-request", "branch:master", "branch:main"]

- grant:
    - queue:route:index.project.balrog.*
    - queue:route:notify.*
    - secrets:get:repo:github.com/mozilla-releng/balrog:dockerhub
  to:
    - project:
        alias: balrog
        job: ["branch:master", "branch:main"]

- grant:
    - queue:route:index.project.balrog.*
    - secrets:get:repo:github.com/mozilla-releng/balrog:dockerhub
    # S3 creds are for deploying the UI
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-prod-app-config
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-prod-aws-creds
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-stage-app-config
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-stage-aws-creds
  to:
    - project:
        alias: balrog
        job: ["release"]

### mozilla-releng roles
#
# Grant these for all releng repos on github
- grant:
    - notify:email:*
    - notify:irc-channel:*
    - notify:irc-user:*
    - queue:route:garbage.*
    - queue:route:index.garbage.*
    - queue:route:notify.email.*
    - queue:route:notify.irc-channel.*
    - queue:route:notify.irc-user.*
    - queue:scheduler-id:taskcluster-github
    - queue:create-task:{priority}:{trust_domain}-{level}/*
    - queue:create-task:{priority}:{trust_domain}-t/*
  to:
    - project:
        trust_domain: releng

# - build-puppet has no custom roles.

# - k8s-autoscale roles
- grant:
    - secrets:get:project/releng/k8s-autoscale/deploy
  to:
    - project:
        alias: k8s-autoscale
        job: ["branch:master", "branch:production"]

# - occ specific roles
- grant:
    - queue:route:index.project.releng.opencloudconfig.v1.revision.*
  to:
    - project:
        alias: occ
        job: ["branch:*", "pull-request"]

- grant:
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:updatetooltoolrepo
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:updateworkertype
  to:
    - project:
        alias: occ
        job: ["branch:alpha", "branch:beta", "branch:master"]

- grant:
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:cot-gecko-1-b-win2012-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-a
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-a
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-a
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-a
  to:
    - project:
        alias: occ
        job: ["branch:alpha"]

- grant:
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:cot-gecko-1-b-win2012-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-b
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-b
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-b
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-b
  to:
    - project:
        alias: occ
        job: ["branch:beta"]

- grant:
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:cot-*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-2-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-3-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:mpd-1-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:mpd-3-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:mpd001-1-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:mpd001-3-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:relops*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-2-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-3-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:mpd-1-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:mpd-3-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:mpd001-1-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:mpd001-3-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:relops*
  to:
    - project:
        alias: occ
        job: ["branch:master"]

# - cloud-image-builder specific roles
- grant:
    - queue:route:index.project.relops.cloud-image-builder.*
    - generic-worker:os-group:relops-3/*
    - generic-worker:run-as-administrator:relops-3/*
    - queue:create-task:{priority}:relops-3/*
    - secrets:get:project/relops/image-builder/dev
    # Allow creating tasks on test workers
    - generic-worker:os-group:relops-test-workers/*
    - generic-worker:run-as-administrator:relops-test-workers/*
    - queue:create-task:{priority}:relops-test-workers/*
    - queue:scheduler-id:taskcluster-github
    - worker-manager:manage-worker-pool:relops-test-workers/*
    - worker-manager:provider:aws
    - worker-manager:provider:azure
  to:
    - project:
        alias: cloud-image-builder
        job: ["branch:master"]
      environment: staging

# - mapper specific roles
- grant:
    - secrets:get:project/releng/mapper/ci
  to:
    - projects:
        alias: mapper
        job: ["branch:*", "pull-request"]

- grant:
    - secrets:get:project/releng/mapper/deploy
  to:
    - projects:
        alias: mapper
        job: ["branch:dev", "branch:staging", "branch:production"]

# - product-details specific roles
- grant:
    - secrets:get:repo:github.com/mozilla-releng/product-details:branch:production
  to:
    - projects:
        alias: product-details
        job: ["branch:production"]

- grant:
    - secrets:get:repo:github.com/mozilla-releng/product-details:branch:staging
  to:
    - projects:
        alias: product-details
        job: ["branch:staging"]

- grant:
    - secrets:get:repo:github.com/mozilla-releng/product-details:branch:testing
  to:
    - projects:
        alias: product-details
        job: ["branch:testing"]

# - shipit specific roles
- grant:
    - secrets:get:project/releng/shipit/deploy
  to:
    - projects:
        alias: shipit
        job: ["branch:production", "branch:dev"]

# - tooltool specific roles
- grant:
    - secrets:get:project/releng/tooltool/ci
  to:
    - projects:
        alias: tooltool
        job: ["branch:*", "pull-request"]

- grant:
    - secrets:get:project/releng/tooltool/deploy
  to:
    - projects:
        alias: tooltool
        job: ["branch:dev", "branch:staging", "branch:production"]

# - treestatus specific roles
- grant:
    - secrets:get:project/releng/treestatus/ci
  to:
    - projects:
        alias: treestatus
        job: ["branch:*", "pull-request"]

- grant:
    - secrets:get:project/releng/treestatus/deploy
  to:
    - projects:
        alias: treestatus
        job: ["branch:dev", "branch:staging", "branch:production"]

### mobile-specific roles
#
# We refer to level 1 as the staging/development workflow for a given project
# (e.g. pull requests and staging-triggered releases) while level 3 defines the
# production releases (Github-based releases or triggered via hooks)
#
# mobile:level:X:*
- grant:
    - queue:create-task:highest:mobile-{level}/*
    - queue:create-task:highest:mobile-t/*
    - queue:create-task:{priority}:built-in/*
    - queue:get-artifact:mobile/android-sdk/*
    - queue:route:index.mobile.v2.{trust_project}.cache.level-{level}.*
    - queue:scheduler-id:{trust_domain}-level-{level}
    - project:mobile:{trust_project}:releng:signing:cert:dep-signing
    - project:mobile:{trust_project}:releng:signing:format:*
  to:
    - project:
        feature: mobile-roles

- grant:
    # These tokens are considered public because they're available to Pull Requests. We need them
    # there because we want coverage reports.
    - secrets:get:project/mobile/{trust_project}/public-tokens
  to:
    - project:
        feature: mobile-public-code-coverage

- grant:
    - project:{trust_domain}:{alias}:releng:beetmover:action:push-to-maven
  to:
    - project:
        feature: beetmover-maven-phase
        job: ["release", "pull-request"]
    - project:
        feature: beetmover-maven-nightly-phase
        job: ["cron:nightly"]

- grant:
    - project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-production
  to:
    - project:
        feature: beetmover-maven-phase
        level: 3
        job: ["release"]

- grant:
    - project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-staging
    - project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-nightly-staging
  to:
    - project:
        feature: beetmover-maven-phase
        job: ["pull-request"]

- grant:
    - project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-nightly-production
  to:
    - project:
        feature: beetmover-maven-nightly-phase
        level: 3
        job: ["cron:nightly"]

- grant:
    - project:{trust_domain}:{trust_project}:releng:github:action:release
  to:
    - project:
        feature: github-publication
        job: ["action:release-promotion", "release", "pull-request"]

- grant:
    - project:{trust_domain}:{trust_project}:releng:github:project:{trust_project}
  to:
    - project:
        feature: github-publication
        level: 3
        job: ["action:release-promotion", "release"]

- grant:
    - project:{trust_domain}:{trust_project}:releng:github:project:mock
  to:
    - project:
        feature: github-publication
        level: 1
        job: ["release"]
    - project:
        feature: github-publication
        job: ["pull-request"]

- grant:
    - project:mobile:{trust_project}:releng:signing:cert:release-signing
  to:
    - project:
        feature: mobile-sign-phase
        level: 3
        job: ["release", "cron:nightly", "action:release-promotion"]
    - project:
        alias: fenix
        job: ["cron:nightly-on-google-play"]

- grant:
    - queue:route:index.mobile.v2.{trust_project}.nightly.*
  to:
    - project:
        feature: mobile-sign-phase
        level: 3
        job: ["cron:nightly"]
    - project:
        alias: fenix
        job: ["cron:nightly-on-google-play"]

- grant:
    - project:mobile:{trust_project}:releng:signing:cert:release-signing
  to:
    - project:
        alias: android-components
        job: ["release", "cron:nightly"]

- grant:
    - queue:route:index.mobile
.v2.{trust_project}.release.*to:-project:alias:android-componentsjob:["release"]-grant:-queue:route:index.mobile.v2.{trust_project}.nightly.*to:-project:alias:android-componentsjob:["cron:nightly"]-grant:-project:mobile:{trust_project}:releng:googleplay:product:{trust_project}to:-project:feature:mobile-pushapk-phaselevel:3job:["release","cron:nightly","action:release-promotion"]-project:alias:fenixjob:["cron:nightly-on-google-play"]-grant:-project:mobile:{trust_project}:releng:googleplay:product:{trust_project}:depto:-project:feature:mobile-pushapk-phasejob:["pull-request"]-project:feature:mobile-pushapk-phaselevel:1job:["release","cron:*","action:release-promotion"]-grant:-secrets:get:project/mobile/{trust_project}/firebaseto:-project:feature:mobile-firebase-testingjob:["action:*","branch:*"]-project:# Fenix PRs are restricted to collaborators, so exposing firebase is safe-enough for PRs.# Fenix also has some Firebase tests on nightly.alias:fenixjob:["cron:nightly","cron:nightly-on-google-play","cron:screenshots","pull-request"]-grant:-secrets:get:project/mobile/githubto:-project:feature:mobile-bump-githublevel:3job:["cron:bump-*"]-grant:-project:mobile:{trust_project}:releng:signing:cert:dep-signing-queue:create-task:highest:proj-autophone/gecko-t-ap-perf-g5-queue:create-task:highest:proj-autophone/gecko-t-ap-perf-p2-queue:create-task:highest:proj-autophone/gecko-t-bitbar-gw-perf-g5-queue:create-task:highest:proj-autophone/gecko-t-bitbar-gw-perf-p2to:-project:feature:autophonejob:["pull-request"]-project:alias:fenixjob:["cron:nightly"]-project:alias:reference-browserjob:["branch:*"]-grant:-queue:route:index.{trust_domain}.v2.{trust_project}.performance-test.*to:-project:alias:fenixjob:["cron:nightly"]-project:alias:reference-browserjob:["branch:master"]-grant:-queue:route:notify.email.perftest-alerts@mozilla.com.on-failedto:-project:alias:fenixjob:["cron:nightly"]-project:alias:reference-browserjob:["branch:master"]-grant:-queue:route:notify.email.android-componen
ts-team@mozilla.com.on-failed-queue:route:notify.email.geckoview-core@mozilla.com.on-failedto:-project:alias:android-components# Used in order to warn the AC team whenever a GV update cannot be mergedjob:["pull-request"]-grant:-project:releng:ship-it:action:mark-as-shippedto:-project:feature:shipitjob:["release","pull-request"]-project:feature:["shipit","taskgraph-actions"]job:["action:release-promotion"]-grant:-project:releng:ship-it:server:productionto:-project:# TODO: in the glorious future when Fenix will solely be released via# Ship-it we can remove the individual Github release section. But until# then we need to support both for a smooth transitionlevel:3feature:shipitjob:["release"]-project:level:3feature:["shipit","taskgraph-actions"]job:["action:release-promotion"]-grant:-project:releng:ship-it:server:stagingto:-project:# TODO: once pull-request-based staging releases are more stable and# available for all mobile projects, we can get rid of this `level=1`# section which addresses the RelEngers forkslevel:1feature:shipitjob:["release"]-project:level:1feature:["shipit","taskgraph-actions"]job:["action:release-promotion"]-project:level:3feature:["shipit","taskgraph-actions"]job:["pull-request"]# fenix specific scopes-grant:-queue:route:index.project.fenix.android.preview-builds-github:create-comment:mozilla-mobile/fenixto:-project:alias:fenixjob:["pull-request"]-grant:-secrets:get:project/mobile/fenix/public-tokensto:-project:alias:fenixjob:["branch:*","pull-request"]-grant:-secrets:get:project/mobile/fenix/nightly-simulationto:-project:alias:fenixjob:["branch:*"]-grant:# XXX `fennec-production-signing` handles beta signing too.-project:mobile:fenix:releng:signing:cert:fennec-production-signing-secrets:get:project/mobile/fenix/beta-secrets:get:project/mobile/fenix/releaseto:-project:alias:fenixjob:["action:release-promotion","release"]-grant:# TODO Change the following scope once `production` is entirely renamed to 
`nightly`-project:mobile:fenix:releng:signing:cert:production-signing-secrets:get:project/mobile/fenix/nightly-queue:route:notify.email.fenix-eng-notifications@mozilla.com.on-failedto:-project:alias:fenixjob:["action:generic","cron:nightly","cron:nightly-on-google-play"]# TODO Bug 1601928: Stop using the garbage namespace once the {alias}/{project} story is defined-grant:-queue:route:index.garbage.mobile.v2.fenix.branch.<..>.*to:-project:alias:fenix-jlorenzojob:["branch:*"]-grant:-queue:route:checks-queue:scheduler-id:{trust_domain}-level-{level}# allow using worker caches appropriate to this trust domain and level-docker-worker:cache:{trust_domain}-level-{level}-*-generic-worker:cache:{trust_domain}-level-{level}-*to:-project:feature:github-taskgraph-grant:-queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*to:-project:feature:scriptworker# reference-browser specific scopes-grant:-secrets:get:project/mobile/reference-browser/nightlyto:-projects:alias:-reference-browserjob:["branch:*","cron:nightly"]-grant:-secrets:get:project/mobile/reference-browser/nimbledroid-secrets:get:project/mobile/reference-browser/sentry-queue:route:notify.email.android-components-team@mozilla.com.on-failedto:-project:alias:reference-browserjob:["cron:nightly"]# focus (android) scopes-grant:# It hasn't been migrated to taskgraph-queue:scheduler-id:taskcluster-github-queue:route:statusesto:-project:alias:focus-androidjob:["branch:*","cron:*","pull-request","release"]-grant:-queue:route:notify.irc-channel.#android-ci.on-any-secrets:get:project/focus/firebase-secrets:get:project/focus/nimbledroidto:-project:alias:focus-androidjob:["branch:*"]-grant:-secrets:get:project/focus/tokensto:-project:alias:focus-androidjob:["release","cron:nightly"]-grant:# XXX Focus is deprecated and won't be migrated to 
`index.mobile.v2`-queue:route:index.project.mobile.focus.release.latestto:-project:alias:focus-androidjob:["release"]-grant:# XXX Focus is deprecated and won't be migrated to `index.mobile.v2`-queue:route:index.project.mobile.focus.nightly.latest-queue:route:notify.email.firefox-focus@mozilla.com.on-failedto:-project:alias:focus-androidjob:["cron:nightly"]# firefox-tv specific scopes-grant:-secrets:get:project/mobile/firefox-tv/tokensto:-project:alias:firefox-tvjob:["branch:*","pull-request","release"]-grant:-queue:route:notify.email.firefox-tv@mozilla.com.on-completed-project:mobile:firefox-tv:releng:signing:cert:production-signingto:-project:alias:firefox-tvjob:["release"]-grant:-secrets:get:project/mobile/firefox-ios/bitriseto:-project:alias:firefox-iosjob:["cron:l10-screenshots","action:*"]# L10n repositories-grant:-queue:create-task:highest:l10n-{level}/*-queue:create-task:{priority}:built-in/*-queue:route:index.{trust_domain}.{alias}.cache.level-{level}.*-queue:route:notify.email.*to:-project:alias:-android-l10n-toolingjob:["pull-request","branch:*","cron:*"]-grant:-secrets:get:l10n/level-{level}/*to:-project:alias:-android-l10n-toolingjob:["branch:*","cron:*"]# Automation for l10n.mozilla.org-grant:-queue:create-task:highest:l10n-{level}/*-queue:create-task:{priority}:built-in/*-queue:route:index.{trust_domain}.{alias}.cache.level-{level}.*-queue:scheduler-id:{trust_domain}-level-{level}-docker-worker:cache:{trust_domain}-level-{level}-*-generic-worker:cache:{trust_domain}-level-{level}-*-queue:route:notify.email.*-queue:route:checksto:-project:alias:-elmo-taskclusterjob:["pull-request","branch:*","cron:*"]-grant:-secrets:get:l10n/level-{level}/*to:-project:alias:-elmo-taskclusterjob:["branch:*","cron:*"]# 
MPD001-grant:-queue:create-task:{priority}:built-in/*-queue:create-task:{priority}:mpd001-{level}/*-queue:route:index.{trust_domain}.cache.level-{level}.*-queue:scheduler-id:{trust_domain}-level-{level}-docker-worker:cache:{trust_domain}-level-{level}-*-generic-worker:cache:{trust_domain}-level-{level}-*-queue:route:notify.email.*-queue:route:checks-queue:get-artifact:project/mpd001/*# Create level-1 scopes explicitly-queue:create-task:{priority}:mpd001-1/*-queue:route:index.{trust_domain}.cache.level-1.*-queue:scheduler-id:{trust_domain}-level-1-docker-worker:cache:{trust_domain}-level-1-*-generic-worker:cache:{trust_domain}-level-1-*to:-project:alias:-mpd001job:["pull-request","branch:*","cron:*"]-grant:-queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*-project:mpd001:releng:signing:cert:dep-signingto:-project:alias:-mpd001# Only enable this for master and pull-requests, so that in-repo branches# don't get access to scriptworkers.job:-"branch:master"-"branch:releng"-"pull-request"-"branch:release"-grant:-project:mpd001:releng:signing:cert:release-signingto:-project:alias:-mpd001# Only enable this for master and release branches, so that in-repo branches# don't get access to release signing.job:-"branch:releng"-"branch:master"-"branch:release"# XPI-grant:-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*-project:xpi:releng:signing:cert:dep-signing-project:xpi:releng:signing:cert:release-signing-project:xpi:releng:ship-it:server:staging-project:xpi:releng:ship-it:server:production-project:xpi:releng:ship-it:action:mark-as-shipped-queue:create-task:highest:xpi-{level}/*-queue:create-task:highest:xpi-t/*-queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*-queue:route:index.{trust_domain}.v2.xpi-manifest.*-queue:route:index.xpi.cache.level-{level}.*to:-project:alias:-xpi-manifest-test-xpi-manifest# 
Only enable this for master and actions.job:["branch:master","action:*"]-grant:# access to workers; all levels have access to the same workers, but at# different priorities and levels-queue:route:index.xpi.xpi-manifest.cache.level-1.*-queue:route:index.xpi.v2.*-queue:route:index.xpi.cache.level-1.*-queue:route:checks-queue:scheduler-id:taskcluster-github-queue:route:notify.email.*-queue:create-task:low:built-in/*-queue:create-task:low:xpi-1/*-queue:create-task:low:xpi-t/*-queue:get-artifact:xpi/*-queue:scheduler-id:xpi-level-1-docker-worker:cache:xpi-level-1-*-secrets:get:project/xpi/xpi-github-clone-ssh-project:xpi:releng:signing:cert:dep-signing-queue:create-task:low:scriptworker-k8s/xpi-t-*to:-project:feature:xpi-rolesjob:["pull-request","branch:*","cron:*","action:*"]-roles:# The mozilla-extensions github organization is designed to allow for# easily creating new repos for xpi source. Let's automatically# give them level 1 scopes for master, PRs, and other branches.-repo:github.com/mozilla-extensions/*-grant:-queue:get-artifact:xpi/*to:-groups:-team_moco-team_mozillaonline-grant:-in-tree:hook-action:project-{trust_domain}/in-tree-action-{level}-*to:-project:feature:taskgraph-actions# Adhoc 
signing-grant:-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*-queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*-project:adhoc:releng:signing:cert:dep-signing-project:adhoc:releng:ship-it:server:staging-project:adhoc:releng:ship-it:action:mark-as-shipped-queue:create-task:highest:adhoc-{level}/*-queue:create-task:highest:adhoc-t/*-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*-queue:route:index.{trust_domain}.v2.{alias}.*-queue:route:index.{trust_domain}.v2.staging-adhoc-manifest.*-queue:route:index.adhoc-signing.cache.level-{level}.*-queue:get-artifact:releng/adhoc/*-queue:route:notify.email.*to:-project:feature:adhoc-rolesjob:["branch:*","action:*","pull-request","action:*","cron:*"]-grant:-project:adhoc:releng:signing:cert:release-signing-project:adhoc:releng:ship-it:server:production-queue:route:index.{trust_domain}.v2.adhoc-manifest.*to:-project:alias:-adhoc-signing# Only enable this for master and actions.job:["branch:master","action:*"]# Scriptworker and scriptworker-scripts-grant:-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*-queue:create-task:highest:scriptworker-{level}/*-queue:create-task:highest:scriptworker-t/*-queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*-queue:route:index.{trust_domain}.v2.{alias}.*-queue:route:index.scriptworker.cache.level-{level}.*# explicitly grant level 1 scopes for PRs-queue:scheduler-id:scriptworker-level-1-queue:create-task:highest:scriptworker-1/*-queue:route:index.scriptworker.cache.level-1.*to:-project:alias:-scriptworker-scriptsjob:["branch:*","action:*","pull-request","action:*","cron:*"]# - scriptworker-scripts specific roles# XXX delete these once we port scriptworker-scripts cloudops deploys to CoT# downloads-grant:-secrets:get:project/releng/scriptworker-scripts/deployto:-projects:alias:scriptworker-scriptsjob:["branch:production*","branch:dev*"]### delegate cron:nightly-* to hand-managed nightly 
roles#-grant:-project:releng:balrog:channel:nightly-project:releng:balrog:server:nightly-project:releng:beetmover:bucket:dep-project:releng:beetmover:bucket:nightly-project:releng:beetmover:bucket:maven-production-project:releng:bouncer:server:production-project:releng:bouncer:server:production-nazgul-project:releng:signing:cert:nightly-signingto:-project:feature:gecko-cronalias:mozilla-centraltrust_domain:geckojob:cron:nightly-*-grant:-project:releng:beetmover:bucket:nightly-project:releng:signing:cert:nightly-signingto:-project:feature:gecko-cronalias:mozilla-esr68trust_domain:geckojob:cron:nightly-*-grant:-assume:project:comm:thunderbird:comm:releng:nightly:level-{level}:{alias}-project:comm:thunderbird:releng:balrog:server:nightly-project:comm:thunderbird:releng:beetmover:bucket:nightly-project:comm:thunderbird:releng:signing:cert:nightly-signingto:-project:alias:comm-centralfeature:gecko-crontrust_domain:commjob:cron:nightly-*-grant:-project:releng:beetmover:bucket:maven-productionto:-project:alias:-mozilla-central-mozilla-beta-mozilla-releasejob:cron:ship-geckoview-project:# We still support RELBRANCHes on mozilla-release. 
Geckoview gets automatically shipped on# GECKOVIEW_\d+_RELBRANCH (\d+ being the major version)alias:mozilla-release# /!\ Relbranches currently use `branch:default`job:branch:*### Administrative Scopes-grant:# Allow sheriffs to quarantine gecko related workers-queue:quarantine-worker:bitbar/gecko-*-queue:quarantine-worker:gecko-1/*-queue:quarantine-worker:gecko-3/*-queue:quarantine-worker:gecko-t/*-queue:quarantine-worker:proj-autophone/gecko-*-queue:quarantine-worker:releng-hardware/gecko-*-queue:quarantine-worker:mobile-*# Allow sheriffs to terminate gecko/mobile related workers-worker-manager:remove-worker:gecko-*-worker-manager:remove-worker:mobile-*# Allow sheriffs to rerun and cancel gecko tasks# Allows cancelling tasks with that scheduler-id-queue:cancel-task:gecko-level-*-queue:rerun-task:gecko-level-*# Allow managing treestatus-project:releng:services/treestatus/*# Allow triggering nightlies-hooks:trigger-hook:project-releng/cron-task-mozilla-central/nightly-*# Allow sheriffs to force schedule a decision task, whenever one has gone missing because of a# bustage-hooks:trigger-hook:hg-push/*to:-groups:-sheriff-grant:# Allow triggering nightlies and geckoview-hooks:trigger-hook:project-releng/cron-task-mozilla-central/ship-geckoview-hooks:trigger-hook:project-releng/cron-task-releases-mozilla-beta/ship-geckoview-hooks:trigger-hook:project-releng/cron-task-releases-mozilla-release/ship-geckoview-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/nightly-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/nightly-on-google-play# Allow to manage mobile 
trees-queue:cancel-task:mobile-level-*-queue:rerun-task:mobile-level-*-hooks:trigger-hook:project-mobile/in-tree-action-1-generic/*-hooks:trigger-hook:project-mobile/in-tree-action-3-generic/*-hooks:trigger-hook:project-mobile/in-tree-action-1-cancel-all/*-hooks:trigger-hook:project-mobile/in-tree-action-3-cancel-all/*to:-groups:-sheriff-mobile_releases-grant:-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/gv-update-beta-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/gv-update-nightly-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/gv-update-release-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/bump-android-componentsto:-groups:-mobile_releases-grant:# Allow people with level-3 access to access interactive tasks-queue:get-artifact:private/interactive/*-queue:get-artifact:private/docker-worker/*to:-groups:-active_scm_level_3-grant:# Allow triggering thunderbird nightlies-hooks:trigger-hook:project-releng/cron-task-comm-central/nightly-*# Allow managing treestatus (This should be limited to comm- trees, see Bug 1613551)-project:releng:services/treestatus/*to:-groups:-thunderbird-sheriff-thunderbird-releng-grant:# Additional permissions for thunderbird-releng on comm level 3 tasks# Merge Day Automation-hooks:trigger-hook:project-comm/in-tree-action-1-merge-automation/*-hooks:trigger-hook:project-comm/in-tree-action-2-merge-automation/*-hooks:trigger-hook:project-comm/in-tree-action-3-merge-automation/*# Allow cancel-queue:cancel-task:comm-level-3/*# Allow rerun-queue:rerun-task:comm-level-3/*to:-groups:-thunderbird-releng-grant:# permission to run Taskcluster's 
smoketests.-auth:create-client:project/taskcluster/smoketest/*-auth:create-role:project:taskcluster:smoketest:*-auth:delete-client:project/taskcluster/smoketest/*-auth:delete-role:project:taskcluster:smoketest:*-auth:reset-access-token:project/taskcluster/smoketest/*-auth:update-client:project/taskcluster/smoketest/*-auth:update-role:project:taskcluster:smoketest:*-project:taskcluster:smoketest:*-purge-cache:built-in/succeed:smoketest-cache-queue:create-task:highest:built-in/*-queue:create-task:highest:built-in/fail-queue:create-task:highest:built-in/succeed-queue:route:index.project.taskcluster.smoketest.*-queue:scheduler-id:smoketest-secrets:get:project/taskcluster/smoketest/*-secrets:set:project/taskcluster/smoketest/*to:-roles:-project:taskcluster:smoketests-grant:-assume:project:taskcluster:smoketeststo:-groups:-team_taskcluster-team_services_ops-grant:# Let cloudops manage the notify denylist to deal with bounces.-notify:manage-denylist# Allow cloudops to access tokens for clients that they manage.-auth:reset-access-token:project/releng/scriptworker/cloudops-canaryto:-groups:-team_services_ops### hook scopes# this scope is included in the decision task's .scopes, and indicates which# in-tree action hooks may be triggered for the taskgroup. We use this to limit# the actions on a taskgraph to those at the appropriate level, preventing# someone with level-3 access from being tricked into running a level-3 hook on# a level-1 (try) push.-grant:-in-tree:hook-action:project-{trust_domain}/in-tree-action-{level}-*to:-project:feature:gecko-actionsjob:-branch:*-cron:*-action:release-promotion# control who can run generic actions: basically anyone at the project's# level or higher. 
The backfill action is similarily unrestricted, but has# a seperate action permision, to allow it to trigger actions.-grant:-hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*-hooks:trigger-hook:project-comm/in-tree-action-1-generic/*-hooks:trigger-hook:project-kaios/in-tree-action-1-generic/*-hooks:trigger-hook:project-gecko/in-tree-action-1-backfill/*-hooks:trigger-hook:project-comm/in-tree-action-1-backfill/*-hooks:trigger-hook:project-kaios/in-tree-action-1-backfill/*to:-groups:-active_scm_level_1-active_scm_level_2-active_scm_level_3-grant:-hooks:trigger-hook:project-gecko/in-tree-action-2-generic/*-hooks:trigger-hook:project-comm/in-tree-action-2-generic/*-hooks:trigger-hook:project-kaios/in-tree-action-2-generic/*-hooks:trigger-hook:project-gecko/in-tree-action-2-backfill/*-hooks:trigger-hook:project-comm/in-tree-action-2-backfill/*-hooks:trigger-hook:project-kaios/in-tree-action-2-backfill/*to:-groups:-active_scm_level_2-active_scm_level_3-grant:-hooks:trigger-hook:project-gecko/in-tree-action-3-generic/*-hooks:trigger-hook:project-comm/in-tree-action-3-generic/*-hooks:trigger-hook:project-gecko/in-tree-action-3-backfill/*-hooks:trigger-hook:project-comm/in-tree-action-3-backfill/*to:-groups:-active_scm_level_3# retriggering a decision requires a lot of scopes, so only sheriffs# and releng can do it-grant:-hooks:trigger-hook:project-gecko/in-tree-action-1-retrigger-decision/*-hooks:trigger-hook:project-comm/in-tree-action-1-retrigger-decision/*-hooks:trigger-hook:project-gecko/in-tree-action-2-retrigger-decision/*-hooks:trigger-hook:project-comm/in-tree-action-2-retrigger-decision/*-hooks:trigger-hook:project-gecko/in-tree-action-3-retrigger-decision/*-hooks:trigger-hook:project-comm/in-tree-action-3-retrigger-decision/*to:-groups:-sheriff# In addition to the default scopes, retriggering a decision task requires# the scopes of a decision task. 
These differ per project, so we use some# substitution to generate the correct values-grant:-assume:repo:hg.mozilla.org/{repo_path}:branch:default-in-tree:hook-action:project-gecko/in-tree-action-{level}-*to:-projects:feature:gecko-actionsjob:action:retrigger-decision# Similarly with purging caches-grant:-hooks:trigger-hook:project-gecko/in-tree-action-1-purge-caches/*-hooks:trigger-hook:project-comm/in-tree-action-1-purge-caches/*-hooks:trigger-hook:project-gecko/in-tree-action-2-purge-caches/*-hooks:trigger-hook:project-comm/in-tree-action-2-purge-caches/*-hooks:trigger-hook:project-gecko/in-tree-action-3-purge-caches/*-hooks:trigger-hook:project-comm/in-tree-action-3-purge-caches/*to:-groups:-sheriff# pretty much anyone can cancel-all at level 1 or 2, while only releng/sheriff# can do so at level 3-grant:-hooks:trigger-hook:project-gecko/in-tree-action-1-cancel-all/*-hooks:trigger-hook:project-comm/in-tree-action-1-cancel-all/*-hooks:trigger-hook:project-gecko/in-tree-action-2-cancel-all/*-hooks:trigger-hook:project-comm/in-tree-action-2-cancel-all/*to:-groups:-active_scm_level_1-active_scm_level_2-active_scm_level_3-sheriff-grant:-hooks:trigger-hook:project-gecko/in-tree-action-3-cancel-all/*-hooks:trigger-hook:project-comm/in-tree-action-3-cancel-all/*to:-groups:-sheriff# Thunderbird releng can only cancel-all on comm trees-grant:-hooks:trigger-hook:project-comm/in-tree-action-3-cancel-all/*to:-groups:-thunderbird-releng# tooltool.mozilla-releng.net and tokens.mozilla-releng.net 
scopes-grant:-project:releng:services/tooltool/api/download/publicto:-groups:-active_scm_level_1-active_scm_level_2-active_scm_level_3-team_moco-grant:-project:releng:services/tooltool/api/download/internal-project:releng:services/tooltool/api/download/publicto:-groups:-team_moco-grant:-project:releng:services/tooltool/api/download/public-project:releng:services/tooltool/api/upload/public-project:releng:services/tooltool/api/manageto:-groups:-tooltooleditor-public-grant:-project:releng:services/tooltool/api/download/internal-project:releng:services/tooltool/api/upload/internal-project:releng:services/tooltool/api/manageto:-groups:-tooltooleditor-internal-grant:-secrets:get:project/comm/*-secrets:set:project/comm/*to:-groups:thunderbird-releng-grant:# Grant everyone with Try access the schedulerId taskcluster-ui, so they can# create tasks with the task-creator in the UI-queue:scheduler-id:taskcluster-uito:-groups:-active_scm_level_1-active_scm_level_2-active_scm_level_3# Allow bitbar to manage bitbar workers-grant:-assume:worker-type:bitbar/*-queue:worker-id:bitbar-*-auth:create-client:bitbar/*-auth:delete-client:bitbar/*-auth:disable-client:bitbar/*-auth:enable-client:bitbar/*-auth:reset-access-token:bitbar/*-auth:update-client:bitbar/*to:-groups:-bitbar# Bug 1610751 - allow Sheriffs to trigger on-demand Fenix Raptor tests against# the latest commit-grant:-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/raptorto:-groups:-sheriff# Allow MozillaOnline to create builds# See https://bugzilla.mozilla.org/show_bug.cgi?id=1515990# This should also grant# assume:project-admin:mozillaonline# but that currently creates a dependency cylce (Bug 1531166) so# that scope is granted directly, along side this one.-grant:# These are public-secrets:get:project/taskcluster/gecko/hgfingerprint-secrets:get:project/taskcluster/gecko/hgmointernal# Allow access to dedicated 
worker-types-queue:create-task:highest:mozillaonline-1/*-queue:create-task:highest:mozillaonline-3/*# Allow acceess scopes worker caches-docker-worker:cache:mozillaonline-level-1-*-docker-worker:cache:mozillaonline-level-3-*# Allow access to private toolchains from mozilla-central-queue:get-artifact:project/gecko/*# Allow acess to API keys-secrets:get:project/releng/gecko/build/level-1/*# Allow access to public tooltool artifacts-docker-worker:relengapi-proxy:tooltool.download.public-project:releng:services/tooltool/api/download/public# Allow a sensible scheduler-id-queue:scheduler-id:mozillaonline-*# Allows cancelling tasks with that scheduler-id-queue:cancel-task:mozillaonline-*# Allow reruning tasks with that scheduler-id-queue:rerun-task:mozillaonline-*to:-groups:-mozillaonline-grant:# Grant cloudops the ability to manage product-details secrets (Bug 1527571)-secrets:get:repo:github.com/mozilla-releng/product-details*-secrets:set:repo:github.com/mozilla-releng/product-details*to:-groups:-cloudops-grant:# Grant mobile the ability to manually start release automation-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/api-docs-update-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/nightly-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/suffixlist-update-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-reference-browser/bump-android-comp-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-reference-browser/nightly-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-firefox-ios/l10-screenshots-hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-focus-android/nightly-public-queue:rerun-task:mobile-level-*to:-groups:-mobile_releases-grant:# Grant security team access to secrets and artifacts for 
civet-secrets:get:project/civet/github-deploy-key-secrets:set:project/civet/github-deploy-key-queue:get-artifact:project/civet/*to:-groups:-civet-sec-inf-grant:# Grant security team access to secrets and artifacts for updatebot-secrets:get:project/updatebot/*-secrets:set:project/updatebot/*-queue:get-artifact:project/updatebot/*to:-groups:-updatebot-sec-inf-grant:# Grant mobile the ability to see and modify their secrets-secrets:get:project/mobile/*-secrets:set:project/mobile/*to:-groups:-mobile_releases# Code Coverage runtime roles# Project https://github.com/mozilla/code-coverage# The Heroku apps can:# - trigger the code coverage repo hook# - read their configuration in secrets# - send report emails to admins-grant:-notify:email:*to:-roles:-project:relman:code-coverage/runtime/testing-project:relman:code-coverage/runtime/production-grant:-hooks:trigger-hook:project-relman/code-coverage-repo-testing-secrets:get:project/relman/code-coverage/runtime-testingto:-roles:-project:relman:code-coverage/runtime/testing-grant:-hooks:trigger-hook:project-relman/code-coverage-repo-production-secrets:get:project/relman/code-coverage/runtime-productionto:-roles:-project:relman:code-coverage/runtime/production-grant:-hooks:trigger-hook:project-relman/code-coverage-repo-testing-hooks:trigger-hook:project-relman/code-coverage-cron-testing-hooks:trigger-hook:project-relman/code-coverage-cron-production-hooks:trigger-hook:project-relman/code-coverage-repo-production-secrets:get:project/relman/code-coverage/*-secrets:set:project/relman/code-coverage/*-queue:create-task:lowest:code-coverage/botto:-roles:-mozillians-group:code-coverage-developers# Bugzilla dashboard runtime roles-grant:-hooks:trigger-hook:project-relman/bugzilla-dashboard-backend-testing-hooks:trigger-hook:project-relman/bugzilla-dashboard-backend-production-secrets:get:project/relman/bugzilla-dashboard/*-secrets:set:project/relman/bugzilla-dashboard/*to:-roles:-mozillians-group:bugzilla-dashboard-developers# Grant 
# access to Bugzilla dashboard's specific private artifacts such as
# `product_component_data.json` to all Mozilla employees
# Also grant access to the org payload as a secret
- grant:
    - queue:get-artifact:project/relman/bugzilla-dashboard/*
    - secrets:get:project/relman/bugzilla-dashboard/org
  to:
    - groups:
        - team_moco

# Bug 1607198 - grant access to coverity project. For now we start with one
# developer but should we ever need more, we can create a Mozillians group
- grant:
    - secrets:set:project/relman/coverity
    - secrets:set:project/relman/coverity-nss
  to:
    - group:
        - code-review-developers

# Bug 1534463: allow `vpn_hg_admin` group to access Mercurial related secrets
- grant:
    - secrets:set:project/taskcluster/gecko/hgfingerprint
    - secrets:set:project/taskcluster/gecko/hgmointernal
    - secrets:get:project/taskcluster/gecko/hgfingerprint
    - secrets:get:project/taskcluster/gecko/hgmointernal
  to:
    - groups:
        - vpn_hg_admin

# Code Analysis CI
- grant:
    # Allow code-review developers to create tasks directly
    - assume:repo:github.com/mozilla/code-review:pull-request
    # Allow code-review developers to trigger their hooks
    - hooks:trigger-hook:project-relman/code-review-*
  to:
    - group:
        - code-review-developers

# Code Review runtime roles
# Project https://github.com/mozilla/code-review
# The Heroku apps can:
# - read their configuration in secrets
# - send report emails to admins
# - trigger the bot hook
- grant:
    - notify:email:*
    - hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
  to:
    - roles:
        - project:relman:code-review/runtime/testing
        - project:relman:code-review/runtime/production

- grant:
    - secrets:get:project/relman/code-review/runtime-testing
    - hooks:trigger-hook:project-relman/code-review-testing
  to:
    - roles:
        - project:relman:code-review/runtime/testing

- grant:
    - secrets:get:project/relman/code-review/runtime-production
    - hooks:trigger-hook:project-relman/code-review-production
  to:
    - roles:
        - project:relman:code-review/runtime/production

- grant:
    - secrets:get:project/relman/code-review/*
    - secrets:set:project/relman/code-review/*
    - queue:create-task:lowest:code-review/bot
  to:
    - group:
        - code-review-developers

- grant:
    # Grant taskcluster team permission to reset access tokens for nss workers
    - auth:reset-access-token:project/nss-nspr/*
  to:
    - group:
        - team_taskcluster

# Non-Moco Sheriffs-basic
# contributors in the Sheriffs group that need:
# * retriggering and rerunning tasks on production trees
# * dashboard showing CI automation tasks waiting for getting a machine
- grant:
    - queue:rerun-task:gecko-level-*
  to:
    - group:
        - non-moco-sheriffs-basic

# Bug 1604686: Token for gfx github sync, ability to set and get
- grant:
    - secrets:get:project/webrender-ci/wrupdater-github-token
    - secrets:set:project/webrender-ci/wrupdater-github-token
    - secrets:get:gecko/gfx-github-sync/token
    - secrets:set:gecko/gfx-github-sync/token
  to:
    - roles:
        - mozillians-group:webrender-ci

# Mappings from `mozilla-group`s to `project:releng:ci-group`s
# This indirection exists because modifying `mozilla-group`s requires
# access to the root credentials.
- grant:
    - assume:project:releng:ci-group:civet-sec-inf
  to:
    - roles:
        - mozillians-group:civet-sec-inf

- grant:
    - assume:project:releng:ci-group:updatebot-sec-inf
  to:
    - roles:
        - mozillians-group:updatebot-sec-inf

- grant:
    - assume:project:releng:ci-group:code-review-developers
  to:
    - roles:
        - mozillians-group:code-review-developers

- grant:
    - assume:project:releng:ci-group:mobile_releases
  to:
    - roles:
        - mozilla-group:mobile_releases

- grant:
    - assume:project:releng:ci-group:team_moco
  to:
    - roles:
        - mozilla-group:team_moco

- grant:
    - assume:project:releng:ci-group:sheriff
  to:
    - roles:
        - mozilla-group:sheriff

- grant:
    - assume:project:releng:ci-group:non-moco-sheriffs-basic
  to:
    - roles:
        - mozillians-group:non-moco-sheriffs-basic

- grant:
    - assume:project:releng:ci-group:team_taskcluster
  to:
    - roles:
        - mozilla-group:team_taskcluster

- grant:
    - assume:project:releng:ci-group:team_services_ops
  to:
    - roles:
        - mozilla-group:team_services_ops

- grant:
    - assume:project:releng:ci-group:tooltooleditor-public
  to:
    - roles:
        - mozilla-group:tooltooleditor-public

- grant:
    - assume:project:releng:ci-group:tooltooleditor-internal
  to:
    - roles:
        - mozilla-group:tooltooleditor-internal

- grant:
    - assume:project:releng:ci-group:mozillaonline
  to:
    - roles:
        - mozillians-group:fennec-china-build

- grant:
    - assume:project:releng:ci-group:vpn_hg_admin
  to:
    - roles:
        - mozilla-group:vpn_hg_admin

- grant:
    - assume:project:releng:ci-group:thunderbird-sheriff
  to:
    - roles:
        # Geoff Lankow (https://bugzilla.mozilla.org/show_bug.cgi?id=1520433)
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|geoff
        # Magnus Melin (https://bugzilla.mozilla.org/show_bug.cgi?id=1605714)
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|mkmelin
        # Patrick Cloke (https://bugzilla.mozilla.org/show_bug.cgi?id=1595942)
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|clokep
        # Ian Neal (https://bugzilla.mozilla.org/show_bug.cgi?id=1595942)
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|iann_cvs

- grant:
    - assume:project:releng:ci-group:thunderbird-releng
  to:
    - roles:
        # Rob Lemley [:rjl] (https://bugzilla.mozilla.org/show_bug.cgi?id=1496783)
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|thunderbird
        # Dave Miller [:justdave] (https://bugzilla.mozilla.org/show_bug.cgi?id=1668396)
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|justdave23

- grant:
    - assume:project:releng:ci-group:team_mozillaonline
  to:
    - roles:
        - mozilla-group:team_mozillaonline

# https://bugzilla.mozilla.org/show_bug.cgi?id=1659596
- grant:
    - hooks:trigger-hook:project-mobile/in-tree-action-1-generic/*
    - hooks:trigger-hook:project-mobile/in-tree-action-3-generic/*
  to:
    - roles:
        - mozillians-group:android-components-developers

# The 'anonymous' role defines scopes that are allowed for *any* API call; in other
# words, these define public access.
- grant:
    - auth:current-scopes
    - auth:expand-scopes
    - auth:get-client:*
    - auth:get-role:*
    - auth:list-clients
    - auth:list-roles
    - github:get-badge:*
    - github:get-repository:*
    - github:latest-status:*
    - github:list-builds
    - hooks:get:*
    - hooks:list-hooks:*
    - hooks:list-last-fires:*
    - hooks:status:*
    - index:find-task:*
    - index:list-namespaces:*
    - index:list-tasks:*
    - purge-cache:all-purge-requests
    - purge-cache:purge-requests:*
    - queue:get-artifact:public/*
    - queue:get-provisioner:*
    - queue:get-task:*
    - queue:get-worker-type:*
    - queue:get-worker:*
    - queue:list-artifacts:*
    - queue:list-dependent-tasks:*
    - queue:list-provisioners
    - queue:list-task-group:*
    - queue:list-worker-types:*
    - queue:list-workers:*
    - queue:pending-count:*
    - queue:status:*
    - secrets:list-secrets
    - worker-manager:get-worker-pool:*
    - worker-manager:get-worker:*
    - worker-manager:list-providers
    - worker-manager:list-worker-pool-errors:*
    - worker-manager:list-worker-pools
    - worker-manager:list-workers:*
  to:
    - roles:
        - anonymous

# These grants are directly to the mozilla-group roles as they
# are the root of available scopes.
- grant:
    - assume:github-admin:*
    - assume:hook-id:*
    - assume:login-identity:*
    - assume:moz-tree:*
    - assume:mozillians-group:*
    - assume:mozillians-user:*
    - assume:project-admin:*
    - assume:project:*
    - assume:repo:*
    - assume:worker-pool:*
    - assume:worker-type:*
    - auth:*
    - docker-worker:*
    - generic-worker:*
    - github:*
    - hooks:*
    - in-tree:*
    - index:*
    - notify:*
    - project:*
    - purge-cache:*
    - queue:*
    - scheduler:*
    - secrets:*
    - worker-manager:*
    - worker:*
  to:
    - roles:
        - mozilla-group:team_relops
        - mozilla-group:releng

- grant:
    - assume:github-admin:*
    - assume:hook-id:*
    - assume:login-identity:*
    - assume:moz-tree:*
    - assume:mozillians-group:*
    - assume:mozillians-user:*
    - assume:project-admin:*
    - assume:project:*
    - assume:repo:*
    - assume:worker-pool:*
    - assume:worker-type:*
    - auth:*
    - docker-worker:*
    - generic-worker:*
    - github:*
    - hooks:*
    - in-tree:*
    - index:*
    - notify:*
    - project:*
    - purge-cache:*
    - queue:*
    - scheduler:*
    - secrets:*
    - worker-manager:*
    - worker:*
  to:
    - roles:
        - mozilla-group:team_taskcluster
  environments: staging

# Bug 1669283: Secrets for mozperftest
- grant:
    - secrets:get:project/releng/gecko/build/level-1/conditioned-profiles
    - secrets:set:project/releng/gecko/build/level-1/conditioned-profiles
    - secrets:get:project/releng/gecko/build/level-3/conditioned-profiles
    - secrets:set:project/releng/gecko/build/level-3/conditioned-profiles
  to:
    - roles:
        # Tarek Ziade
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|tziade

# Bug 1672397: Scopes to use Taskcluster notify service
- grant:
    - notify:email:perftest-alerts@mozilla.com
    - notify:email:dhunt@mozilla.com
    - notify:email:beatrice.acasandrei@softvision.com
    - notify:email:igoldan@mozilla.com
  to:
    - roles:
        # Beatrice Acasandrei - Softvision Sheriff contributor
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|bacasandrei
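The grants above only make sense once the `group`/`groups` indirection and the `assume:` chains are followed through: a `login-identity:...` role gets `assume:project:releng:ci-group:thunderbird-releng`, which is satisfied by whatever that ci-group role holds, and a `mozilla-group` holding `assume:project:*` inherits every ci-group role at once. The following is an added example, not code from the ci-configuration project or from Taskcluster: it models two Taskcluster rules (a held scope ending in `*` satisfies every scope that shares its prefix; `assume:<roleId>` transitively adds that role's scopes, with a trailing `*` matching every role ID with that prefix), expands a small grants list shaped like this file into effective scopes per role, and audits which roles end up with a root-level wildcard. The grants list is constructed for the example; the scopes assigned to the `thunderbird-releng` ci-group in it are hypothetical and not taken from this file, and parameterized roles (role IDs ending in `*`) are not modelled.

```python
"""Expand a grants.yml-style list into effective Taskcluster scopes and audit it.

Added example, not code from the ci-configuration project.  Models two rules:
  * a held scope ending in `*` satisfies every scope sharing that prefix;
  * `assume:<roleId>` adds that role's scopes transitively (a trailing `*`
    matches every role whose ID has that prefix).
Parameterized roles (role IDs ending in `*`) are not modelled.
"""
from typing import Dict, Iterable, List, Set

GROUP_ROLE_PREFIX = "project:releng:ci-group:"  # where `group`/`groups` grantees land
# Scopes that amount to full control of the cluster; only admin roles may hold them.
ROOT_WILDCARDS = ("auth:*", "secrets:*", "queue:*", "assume:*")

# Constructed sample shaped like the grants file.  The scopes given to the
# thunderbird-releng ci-group are hypothetical, not taken from the file.
SAMPLE_GRANTS = [
    {"grant": ["secrets:get:project/taskcluster/gecko/hgfingerprint",
               "secrets:set:project/taskcluster/gecko/hgfingerprint"],
     "to": [{"groups": ["vpn_hg_admin"]}]},
    {"grant": ["assume:project:releng:ci-group:vpn_hg_admin"],
     "to": [{"roles": ["mozilla-group:vpn_hg_admin"]}]},
    {"grant": ["queue:rerun-task:gecko-level-*"],          # hypothetical ci-group content
     "to": [{"group": ["thunderbird-releng"]}]},
    {"grant": ["assume:project:releng:ci-group:thunderbird-releng"],
     "to": [{"roles": ["login-identity:mozilla-auth0/ad|Mozilla-LDAP|justdave23"]}]},
    {"grant": ["auth:*", "secrets:*", "assume:project:*"],  # an admin-style root grant
     "to": [{"roles": ["mozilla-group:releng"]}]},
]


def build_roles(grants: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each role ID to the scopes granted to it directly.

    `group`/`groups` grantees become `project:releng:ci-group:<name>` roles,
    matching the indirection described in the file; `role`/`roles` are literal IDs.
    """
    roles: Dict[str, Set[str]] = {}
    for entry in grants:
        for grantee in entry["to"]:
            for kind, names in grantee.items():
                if kind in ("group", "groups"):
                    targets = [GROUP_ROLE_PREFIX + n for n in names]
                elif kind in ("role", "roles"):
                    targets = list(names)
                else:
                    raise ValueError("unknown grantee type: %r" % kind)
                for role_id in targets:
                    roles.setdefault(role_id, set()).update(entry["grant"])
    return roles


def scope_satisfies(held: str, required: str) -> bool:
    """Taskcluster matching: equal, or `held` ends in `*` and prefixes `required`."""
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required


def expand(roles: Dict[str, Set[str]], role_id: str, seen: Set[str] = None) -> Set[str]:
    """Effective scopes of a role: its own scopes plus those of every role its
    `assume:` scopes reach, followed transitively with cycle protection."""
    seen = set() if seen is None else seen
    if role_id in seen:
        return set()
    seen.add(role_id)
    scopes = set(roles.get(role_id, ()))
    for scope in list(scopes):
        if scope.startswith("assume:"):
            pattern = scope[len("assume:"):]  # may end in `*`, e.g. assume:project:*
            for other in roles:
                if scope_satisfies(pattern, other):
                    scopes |= expand(roles, other, seen)
    return scopes


def has_scope(grants: Iterable[dict], role_id: str, required: str) -> bool:
    """Can `role_id` perform an action that needs `required`?"""
    roles = build_roles(grants)
    return any(scope_satisfies(s, required) for s in expand(roles, role_id))


def roles_that_can(grants: Iterable[dict], required: str) -> List[str]:
    """Access-review helper: every role whose effective scopes satisfy `required`."""
    roles = build_roles(grants)
    return sorted(r for r in roles
                  if any(scope_satisfies(s, required) for s in expand(roles, r)))


def audit(grants: Iterable[dict], allowed_roots: Iterable[str]) -> List[str]:
    """Roles holding a root-level wildcard (see ROOT_WILDCARDS) that are not
    on the admin allowlist.  Empty result means least privilege holds."""
    roles = build_roles(grants)
    allowed = set(allowed_roots)
    return sorted(
        r for r in roles if r not in allowed
        and any(scope_satisfies(s, w) for s in expand(roles, r) for w in ROOT_WILDCARDS)
    )
```

Running `roles_that_can(SAMPLE_GRANTS, "queue:rerun-task:gecko-level-3")` over the constructed sample lists the login identity, the `mozilla-group:releng` role (via `assume:project:*`) and the ci-group role itself, which is the question an access cleanup like this commit has to answer before removing or adding an identity; `audit(SAMPLE_GRANTS, {"mozilla-group:releng"})` returns nothing, and dropping the allowlist flags `mozilla-group:releng` for its `auth:*`/`secrets:*`.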