# Grants of scopes to repos or user groups, or parts of projects
#
# Format:
# - grant:
# - <scope>
# - ..
# to:
# - <grantee>
# - ..
#
# The `grant` property specifies the scopes to be granted. Each will have {..}
# parameters expanded with parameters from the grantees selected.
#
# ## Projects
#
# A grantee can either be a project or a user group. A project looks like this:
#
# - projects:
# level: [2, 3] # condition
# job: ["branch:default", "cron:*"]
#
# The top-level property can be `projects` or `project`, whichever reads better.
#
# The conditions select matching projects from projects.yml. Each specifies a
# condition name and either a single value or an array of values. For an array
# of values, a project with any value in the array is matched. The conditions
# are AND'ed together. Available conditions are:
#
# * access
# * level (as derived from access or directly specified)
# * alias
# * feature (projects with the given feature or for `!feature`, projects without)
# * is_try (true/false)
# * trust_domain
# * job
#
# "job" is a little special: it is a list of the jobs on the matching projects
# to which the grant applies. These are suffixes to the `repo` roles,
# defaulting to "*":
#
# * * (all jobs on the repo)
# * branch:default (pushes to the repo)
# * cron:<job> (cron jobs; kleene-* is allowed)
# * action:<actionPerm> (action jobs; kleene-* is allowed)
#
# The following expansions of the granted scopes are performed:
#
# * {alias} (project alias)
# * {level} (numeric level; not substituted if this repo has no numeric level)
# * {repo_path} (path within the repository host (e.g. hg.mozilla.org or github.com), if the repo is on that host)
# * {trust_domain}
#
# ## User Groups
#
# A user group grantee looks like this:
#
# - group: <groupName>
# or
# - groups: [<group1>, <group2>, ..]
#
# The property name can be `group` or `groups`, whichever reads better.
#
# The resulting scopes are granted to role `project:releng:ci-group:<groupName>`.
# Then `assume:project:releng:ci-group:<groupName>` is granted to the appropriate
# access-control role, hopefully with the same name. This indirection exists because
# `mozilla-group` role changes need access to the cluster's root credentials.
#
# No expansions are available for user groups.
---
# Platform roles
- grant:
    # Scopes assigned to credentials generated by taskcluster-login; so, to human users.
    # The `*` matches the user's identity as defined by the taskcluster-login service.
    # `<..>` is the role-parameter placeholder: it expands to whatever the `*` in
    # `login-identity:*` matched, so a user can only manage clients and fetch
    # login-identity artifacts under their own identity prefix.
    - auth:create-client:<..>/*
    - auth:delete-client:<..>/*
    - auth:reset-access-token:<..>/*
    - auth:update-client:<..>/*
    - queue:get-artifact:login-identity/<..>/*
    # Every human user may create tasks on the built-in succeed/fail worker types.
    - queue:create-task:highest:built-in/succeed
    - queue:create-task:highest:built-in/fail
  to:
    - roles:
        - login-identity:*
- grant:
    # Every worker-type role may claim work for its own worker type (`<..>`), use any
    # worker-id, and read the secrets namespaced to that worker type / worker pool.
    - queue:claim-work:<..>
    - queue:worker-id:*
    - secrets:get:worker-type:<..>
    - secrets:get:worker-pool:<..>
  to:
    - roles:
        - worker-type:*
- grant:
    # websocktunnel tokens for the firefoxci deployment; the staging deployment gets
    # its own prefix in the next stanza.
    - auth:websocktunnel-token:firefoxcitc/*
  to:
    - roles:
        - worker-type:*
  # Grant-level selector: this stanza is only applied to the firefoxci environment.
  environments: firefoxci
- grant:
    # websocktunnel tokens for the staging deployment (firefoxci counterpart above).
    - auth:websocktunnel-token:cloudopsstage/*
  to:
    - roles:
        - worker-type:*
  # Grant-level selector: this stanza is only applied to the staging environment.
  environments: staging
- grant:
    # Sentry reporting for generic-worker, limited to the two hardware pools.
    - auth:sentry:generic-worker
  to:
    - roles:
        - worker-type:releng-hardware/*
        - worker-type:performance-hardware/*
##
# scopes for all gecko-related projects
- grant:
    # coalescing routes support dropping unnecessary tasks under load
    - queue:route:coalesce.v1.{alias}.*
    # allow fetching secrets appropriate to this level
    - secrets:get:project/releng/{trust_domain}/build/level-{level}/*
    # Provide access to sccache buckets.  The assumed roles are populated by the
    # `role:` grants later in this section, one per trust domain and level.
    - assume:project:taskcluster:{trust_domain}:level-{level}-sccache-buckets
  to:
    - project:
        feature: gecko-roles
- grant:
    # access to workers; all levels have access to the same workers, but at
    # different priorities and levels
    # NOTE(review): `{priority}` is not in the header's expansion list; presumably
    # filled in by the grants tooling from the project's level -- confirm there.
    - queue:create-task:{priority}:scriptworker-k8s/{trust_domain}-{level}-*
    - queue:create-task:{priority}:scriptworker-k8s/{trust_domain}-t-*
  to:
    - project:
        feature: gecko-roles
        trust_domain: [gecko, comm]
- grant:
    # maple gets the level-1 scriptworker-k8s pools regardless of its own level
    # (literal `1` here rather than `{level}`).
    - queue:create-task:{priority}:scriptworker-k8s/{trust_domain}-1-*
  to:
    - project:
        alias: maple
- grant:
    # comm level-1 sccache buckets, reached via the `assume:` scope in the
    # gecko-roles grant above.
    - auth:aws-s3:read-write:comm-central-level-1-sccache-eu-central-1/*
    - auth:aws-s3:read-write:comm-central-level-1-sccache-us-east-1/*
    - auth:aws-s3:read-write:comm-central-level-1-sccache-us-west-1/*
    - auth:aws-s3:read-write:comm-central-level-1-sccache-us-west-2/*
  to:
    - role:
        - project:taskcluster:comm:level-1-sccache-buckets
- grant:
    # comm level-2 sccache buckets.
    - auth:aws-s3:read-write:comm-central-level-2-sccache-eu-central-1/*
    - auth:aws-s3:read-write:comm-central-level-2-sccache-us-east-1/*
    - auth:aws-s3:read-write:comm-central-level-2-sccache-us-west-1/*
    - auth:aws-s3:read-write:comm-central-level-2-sccache-us-west-2/*
  to:
    - role:
        - project:taskcluster:comm:level-2-sccache-buckets
- grant:
    # comm level-3 sccache buckets.
    - auth:aws-s3:read-write:comm-central-level-3-sccache-eu-central-1/*
    - auth:aws-s3:read-write:comm-central-level-3-sccache-us-east-1/*
    - auth:aws-s3:read-write:comm-central-level-3-sccache-us-west-1/*
    - auth:aws-s3:read-write:comm-central-level-3-sccache-us-west-2/*
  to:
    - role:
        - project:taskcluster:comm:level-3-sccache-buckets
- grant:
    # gecko level-1 sccache buckets (S3) plus the level-1 GCP sccache access token.
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-eu-central-1/*
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-us-east-1/*
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-us-west-1/*
    - auth:aws-s3:read-write:taskcluster-level-1-sccache-us-west-2/*
    - auth:gcp:access-token:sccache-3/sccache-l1*
  to:
    - role:
        - project:taskcluster:gecko:level-1-sccache-buckets
- grant:
    # gecko level-2 sccache buckets (S3) plus the level-2 GCP sccache access token.
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-eu-central-1/*
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-us-east-1/*
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-us-west-1/*
    - auth:aws-s3:read-write:taskcluster-level-2-sccache-us-west-2/*
    - auth:gcp:access-token:sccache-3/sccache-l2*
  to:
    - role:
        - project:taskcluster:gecko:level-2-sccache-buckets
- grant:
    # gecko level-3 sccache buckets (S3) plus the level-3 GCP sccache access token.
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-eu-central-1/*
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-us-east-1/*
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-us-west-1/*
    - auth:aws-s3:read-write:taskcluster-level-3-sccache-us-west-2/*
    - auth:gcp:access-token:sccache-3/sccache-l3*
  to:
    - role:
        - project:taskcluster:gecko:level-3-sccache-buckets
- grant:
    # access to workers; all levels have access to the same workers, but at
    # different priorities and levels
    - queue:create-task:{priority}:bitbar/gecko-t-*
    - queue:create-task:{priority}:gecko-{level}/*
    - queue:create-task:{priority}:gecko-t/*
    - queue:create-task:{priority}:releng-hardware/gecko-{level}-*
    - queue:create-task:{priority}:releng-hardware/gecko-t-*
    - queue:create-task:{priority}:performance-hardware/gecko-t-*
    # access to openh264 artifacts; necessary for symbol upload and signing when
    # building new openh264 binaries (the same artifacts are also granted to the
    # team_moco group below)
    - queue:get-artifact:private/openh264/*
  to:
    - project:
        feature: gecko-roles
        trust_domain: gecko
- grant:
    # Let's not require a separate level 2 pool for hardware: level-2 gecko and
    # kaios trees use the level-1 releng-hardware pools.
    - queue:create-task:{priority}:releng-hardware/gecko-1-*
  to:
    - project:
        feature: gecko-roles
        trust_domain: [gecko, kaios]
        level: 2
- grant:
    # Members of team_moco may read the private openh264 artifacts directly
    # (granted via `project:releng:ci-group:team_moco`, see the header).
    - queue:get-artifact:private/openh264/*
  to:
    - groups:
        - team_moco
- grant:
    # access to OSX testers
    - queue:create-task:{priority}:releng-hardware/gecko-t-osx-*
  to:
    - project:
        feature: gecko-roles
        trust_domain: comm
# moz-tree roles include the basic scopes available to version-control trees at
# each of the three Mozilla source-code management levels. They are useful as
# shorthand to configure `repo:*` roles. While most scopes are still contained
# in these grants, prefer to add new grants as separate stanzas in this file,
# and remove scopes from these grants.
# moz-tree:level:1:*
- grant:
    # Baseline scopes for every gecko-roles tree at any level.  Note that privileged
    # containers, ptrace and the loopback audio/video devices are granted here to
    # level-1 trees as well as levels 2 and 3.
    - docker-worker:capability:device:loopbackAudio
    - docker-worker:capability:device:loopbackVideo
    - docker-worker:capability:privileged
    - docker-worker:feature:allowPtrace
    - index:insert-task:garbage.*
    - notify:email:*
    - purge-cache:{trust_domain}-{level}/*
    - purge-cache:{trust_domain}-t/*
    - queue:get-artifact:project/gecko/*
    - queue:route:index.garbage.*
    - queue:route:notify.*
    # These two hg secrets are described as public in the trust-domain-scopes
    # stanza further down.
    - secrets:get:project/taskcluster/gecko/hgfingerprint
    - secrets:get:project/taskcluster/gecko/hgmointernal
    - secrets:get:project/perftest/gecko/level-{level}/*
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]
# moz-tree:level:1:gecko
- grant:
    # Non-production release-automation scopes for all gecko trees: the `dep`,
    # `staging` and `mock` targets are the counterparts of the production
    # servers/certs granted only at level 3 below.  The staging-environment
    # stanza that follows repeats this list; keep the two in sync.
    - generic-worker:os-group:gecko-t/t-win7-32/Administrators
    - generic-worker:os-group:gecko-t/t-win7-32-beta/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64-alpha/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64-beta/Administrators
    - generic-worker:os-group:gecko-t/win10-64-2004/Administrators
    - generic-worker:run-as-administrator:gecko-t/t-win10-64
    - generic-worker:run-as-administrator:gecko-t/t-win10-64-alpha
    - generic-worker:run-as-administrator:gecko-t/t-win10-64-beta
    - generic-worker:run-as-administrator:gecko-t/win10-64-2004
    - project:releng:addons.mozilla.org:server:staging
    - project:releng:balrog:action:*
    - project:releng:balrog:channel:*
    - project:releng:balrog:server:dep
    - project:releng:beetmover:action:*
    - project:releng:beetmover:bucket:dep
    - project:releng:beetmover:bucket:dep-partner
    - project:releng:beetmover:bucket:maven-staging
    - project:releng:bouncer:action:*
    - project:releng:bouncer:server:staging
    - project:releng:bouncer:server:staging-nazgul
    - project:releng:flathub:firefox:mock
    - project:releng:microsoftstore:mock
    - project:releng:ship-it:action:create-new-release
    - project:releng:ship-it:action:mark-as-shipped
    - project:releng:ship-it:action:mark-as-started
    - project:releng:ship-it:server:staging
    - project:releng:signing:cert:dep-signing
    - project:releng:signing:format:*
    - project:releng:treescript:action:*
    - project:releng:treescript:action:tagging
    - queue:create-task:medium:proj-autophone/*
    - queue:create-task:low:bitbar/gecko-t-*
    - queue:create-task:low:scriptworker-prov-v1/depsigning-mac-v1
    - queue:create-task:low:scriptworker-prov-v1/depsigning-mac-v1-dev
    - queue:get-artifact:releng/partner/*
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]
        trust_domain: gecko
# moz-tree:level:1:gecko (staging deployment)
- grant:
    # Staging-environment copy of the preceding stanza.  The only difference is
    # the four `generic-worker:allow-rdp` scopes for the Windows pools; everything
    # else is duplicated and must be kept in sync with the stanza above.
    - generic-worker:allow-rdp:gecko-1/b-win*
    - generic-worker:allow-rdp:gecko-t/t-win*
    - generic-worker:allow-rdp:gecko-1/win*
    - generic-worker:allow-rdp:gecko-t/win*
    - generic-worker:os-group:gecko-t/t-win7-32/Administrators
    - generic-worker:os-group:gecko-t/t-win7-32-beta/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64-alpha/Administrators
    - generic-worker:os-group:gecko-t/t-win10-64-beta/Administrators
    - generic-worker:os-group:gecko-t/win10-64-2004/Administrators
    - generic-worker:run-as-administrator:gecko-t/t-win10-64
    - generic-worker:run-as-administrator:gecko-t/t-win10-64-alpha
    - generic-worker:run-as-administrator:gecko-t/t-win10-64-beta
    - generic-worker:run-as-administrator:gecko-t/win10-64-2004
    - project:releng:addons.mozilla.org:server:staging
    - project:releng:balrog:action:*
    - project:releng:balrog:channel:*
    - project:releng:balrog:server:dep
    - project:releng:beetmover:action:*
    - project:releng:beetmover:bucket:dep
    - project:releng:beetmover:bucket:dep-partner
    - project:releng:beetmover:bucket:maven-staging
    - project:releng:bouncer:action:*
    - project:releng:bouncer:server:staging
    - project:releng:bouncer:server:staging-nazgul
    - project:releng:flathub:firefox:mock
    - project:releng:microsoftstore:mock
    - project:releng:ship-it:action:create-new-release
    - project:releng:ship-it:action:mark-as-shipped
    - project:releng:ship-it:action:mark-as-started
    - project:releng:ship-it:server:staging
    - project:releng:signing:cert:dep-signing
    - project:releng:signing:format:*
    - project:releng:treescript:action:*
    - project:releng:treescript:action:tagging
    - queue:create-task:medium:proj-autophone/*
    - queue:create-task:low:bitbar/gecko-t-*
    - queue:create-task:low:scriptworker-prov-v1/depsigning-mac-v1
    - queue:create-task:low:scriptworker-prov-v1/depsigning-mac-v1-dev
    - queue:get-artifact:releng/partner/*
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]
        trust_domain: gecko
  # Grant-level selector: this stanza is only applied to the staging environment.
  environments: staging
# moz-tree:level:1:comm
- grant:
    # Non-production (dep/staging) Thunderbird release-automation scopes for all
    # comm trees at any level.
    - project:comm:thunderbird:releng:balrog:action:*
    - project:comm:thunderbird:releng:balrog:server:dep
    - project:comm:thunderbird:releng:beetmover:action:*
    - project:comm:thunderbird:releng:beetmover:bucket:dep
    - project:comm:thunderbird:releng:bouncer:action:*
    - project:comm:thunderbird:releng:bouncer:server:staging
    - project:comm:thunderbird:releng:bouncer:server:staging-nazgul
    - project:comm:thunderbird:releng:ship-it:action:mark-as-shipped
    - project:comm:thunderbird:releng:ship-it:action:mark-as-started
    - project:comm:thunderbird:releng:ship-it:server:staging
    - project:comm:thunderbird:releng:signing:cert:dep-signing
    - project:comm:thunderbird:releng:signing:format:*
    - project:comm:thunderbird:releng:treescript:action:push
    - project:comm:thunderbird:releng:treescript:action:tagging
    - project:comm:thunderbird:releng:treescript:action:version_bump
    - queue:create-task:low:scriptworker-prov-v1/tb-depsigning-mac-v1
    - queue:get-artifact:project/comm/*
    # Literal `level-1` secrets, readable by comm trees of every level.
    - secrets:get:project/comm/thunderbird/releng/build/level-1/*
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]
        trust_domain: comm
# moz-tree:level:2:*
- grant:
    # Additional scopes for level-2 and level-3 gecko-roles trees.
    - docker-worker:capability:device:phone
    - secrets:get:project/taskcluster/gecko/build/level-2/*
  to:
    - projects:
        feature: gecko-roles
        level: [2, 3]
# moz-tree:level:3:*
- grant:
    # Level-3-only scopes for gecko-roles trees.
    - auth:aws-s3:read-write:public-qemu-images/repository/hg.mozilla.org/mozilla-central/*
    - docker-worker:feature:balrogStageVPNProxy
    - docker-worker:feature:balrogVPNProxy
    - secrets:get:project/taskcluster/gecko/build/level-3/*
    # The civet deploy key and artifacts are also granted to `try` further down
    # (Bug 1599870).
    - secrets:get:project/civet/github-deploy-key
    - queue:get-artifact:project/civet/*
  to:
    - projects:
        feature: gecko-roles
        level: [3]
# moz-tree:level:3:gecko
- grant:
    # Production signing certs and release servers for level-3 gecko trees.
    # NOTE(review): this bucket prefix ends in `/` with no trailing `*` -- confirm
    # the intended match semantics against the other aws-s3 scopes in this file.
    - auth:aws-s3:read-write:tc-gp-private-1d-us-east-1/releng/mbsdiff-cache/
    - project:releng:addons.mozilla.org:server:production
    - project:releng:signing:cert:nightly-signing
    - project:releng:signing:cert:release-signing
    - queue:create-task:highest:proj-autophone/*
    - queue:create-task:highest:scriptworker-prov-v1/depsigning-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/signing-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/mac-notarization-poller
    - queue:route:index.gecko.heavyprofile.*
    # NOTE(review): the tcstaging route ends in `.` without a `*`, unlike the
    # release-automation route below -- confirm this is intentional.
    - queue:route:notify.email.release+tcstaging@mozilla.com.
    - queue:route:notify.email.release-automation-notifications@mozilla.com.*
  to:
    - projects:
        feature: gecko-roles
        level: [3]
        trust_domain: gecko
# moz-tree:level:3:comm
- grant:
    # Level-3 Thunderbird signing/notarization workers and level-3 build secrets.
    - queue:create-task:highest:scriptworker-prov-v1/tb-depsigning-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/tb-signing-mac-v1
    - queue:create-task:highest:scriptworker-prov-v1/tb-mac-notarization-poller
    - secrets:get:project/comm/thunderbird/releng/build/level-3/*
  to:
    - projects:
        feature: gecko-roles
        level: [3]
        trust_domain: comm
# tooltool downloads
- grant:
    # tooltool downloads (internal and public) for all gecko-roles trees.
    - docker-worker:relengapi-proxy:tooltool.download.internal
    - docker-worker:relengapi-proxy:tooltool.download.public
    - project:releng:services/tooltool/api/download/internal
    - project:releng:services/tooltool/api/download/public
    # This cache contains cached downloads from tooltool. Since tooltool is
    # content-addressable, and verifies hashes on files in the cache, there is no
    # risk of cache poisoning or collisions.
    - docker-worker:cache:tooltool-cache
  to:
    - projects:
        feature: gecko-roles
        level: [1, 2, 3]
- grant:
    # Allow the backfill action to trigger the per-push action that schedules the backfilled tasks.
    # Restricted by `job` to the backfill action itself, not to every job on the tree.
    - hooks:trigger-hook:project-{trust_domain}/in-tree-action-{level}-backfill/*
  to:
    - projects:
        job: ["action:backfill"]
        feature: [gecko-roles, gecko-actions]
        level: [1, 2, 3]
##
# project-specific scopes (for esr's to hang onto their old scopes)
- grant:
    # Production balrog/beetmover/bouncer/ship-it targets, limited to the
    # release-promotion action on the listed level-3 release branches.
    - project:releng:balrog:server:beta
    - project:releng:balrog:server:esr
    - project:releng:balrog:server:release
    - project:releng:beetmover:bucket:maven-production
    - project:releng:beetmover:bucket:partner
    - project:releng:beetmover:bucket:release
    - project:releng:bouncer:server:production
    - project:releng:bouncer:server:production-nazgul
    - project:releng:ship-it:server:production
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-esr78, mozilla-esr91, mozilla-release, mozilla-beta]
# pushing RCs to beta
- grant:
    # mozilla-release may push to both flathub channels (stable, and beta for RCs).
    - project:releng:flathub:firefox:stable
    - project:releng:flathub:firefox:beta
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-release]
- grant:
    # mozilla-beta may push only to the flathub beta channel.
    - project:releng:flathub:firefox:beta
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-beta]
- grant:
    # Microsoft Store release channel for mozilla-release.
    - project:releng:microsoftstore:release
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-release]
- grant:
    # Microsoft Store beta channel for mozilla-beta.
    - project:releng:microsoftstore:beta
  to:
    - projects:
        job: ["action:release-promotion"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-beta]
- grant:
    # The daily-releases cron job on mozilla-beta may talk to production ship-it.
    - project:releng:ship-it:server:production
  to:
    - project:
        job: ["cron:daily-releases"]
        trust_domain: gecko
        level: [3]
        alias: [mozilla-beta]
- grant:
    # Allow the scriptworker-canary cron hook to trigger the corresponding action.
    - hooks:trigger-hook:project-{trust_domain}/in-tree-action-{level}-scriptworker-canary/*
  to:
    - project:
        job: ['cron:scriptworker-canary']
        trust_domain: gecko
        level: [3]
        alias: [mozilla-central, autoland]
- grant:
    # Allow the scriptworker-canary action to access the trybld-scriptworker key.
    # Scoped to the action job only, so ordinary pushes cannot read the key.
    - secrets:get:project/releng/scriptworker/scriptworker-canary-sshkey
  to:
    - project:
        job: ['action:scriptworker-canary']
        trust_domain: gecko
        level: [3]
        alias: [mozilla-central, autoland]
- grant:
    # Thunderbird release balrog server for the ESR branches.
    - project:comm:thunderbird:releng:balrog:server:release
  to:
    - project:
        job: ["action:release-promotion"]
        trust_domain: comm
        level: [3]
        alias: [comm-esr91, comm-esr78]
- grant:
    # Thunderbird beta balrog server for comm-beta.
    - project:comm:thunderbird:releng:balrog:server:beta
  to:
    - project:
        job: ["action:release-promotion"]
        trust_domain: comm
        level: [3]
        alias: comm-beta
- grant:
    # Nightly signing cert for comm-central; no `job` or `level` condition, so
    # every job on that tree gets it.
    - project:comm:thunderbird:releng:signing:cert:nightly-signing
  to:
    - project:
        alias: comm-central
- grant:
    # Release signing cert for the comm release branches at level 3 (no `job`
    # restriction here, unlike the release-promotion grant that follows).
    - project:comm:thunderbird:releng:signing:cert:release-signing
  to:
    - project:
        level: [3]
        alias: [comm-esr91, comm-esr78, comm-beta]
- grant:
    # Production Thunderbird release targets, limited to the release-promotion action.
    - project:comm:thunderbird:releng:beetmover:bucket:release
    - project:comm:thunderbird:releng:bouncer:server:production
    - project:comm:thunderbird:releng:bouncer:server:production-nazgul
    - project:comm:thunderbird:releng:ship-it:server:production
  to:
    - project:
        job: ["action:release-promotion"]
        trust_domain: comm
        level: [3]
        alias: [comm-esr91, comm-esr78, comm-beta]
- grant:
    # Nightly beetmover bucket and balrog server for the project branches.  There
    # is no `level` or `job` condition, so every job on these trees gets them.
    - project:releng:beetmover:bucket:nightly
    - project:releng:balrog:server:nightly
  to:
    - project:
        alias: ["oak", "cedar", "pine"]
# Bug 1702054: Scopes to trigger cron hooks on pine
- grant:
    # Bug 1702054: Scopes to trigger cron hooks on pine.  Granted to individual
    # login identities rather than a group, so membership changes need an edit here.
    - hooks:trigger-hook:project-releng/cron-task-projects-pine/*
  to:
    - roles:
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|bgrinstead
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|dtownsend
        # mkaply
        - login-identity:mozilla-auth0/ad|Mozilla-LDAP|mozilla234
# grant relman access to trigger mozilla-central & mozilla-releases hooks
- grant:
    # grant relman access to trigger mozilla-central & mozilla-releases hooks
    - hooks:trigger-hook:project-releng/cron-task-mozilla-central*
    - hooks:trigger-hook:project-releng/cron-task-releases-mozilla*
  to:
    - groups:
        - shipit_firefox
- grant:
    # Secrets readable by every job on mozilla-central (no `job` condition).
    # Bug 1527818: Coverity configuration is stored in this secret
    - secrets:get:project/relman/coverity
    # Bug 1527818: Coverity license is stored in this secret
    # It should not be widely available
    - secrets:get:project/relman/coverity-license
    # Bug 1523321: Token for mirroring webrender to github
    - secrets:get:project/webrender-ci/wrupdater-github-token
    # Bug 1604686: Token for gfx github sync.
    - secrets:get:gecko/gfx-github-sync/token
  to:
    - project:
        alias: mozilla-central
- grant:
    # Bug 1698511: Sentry API key is stored in this secret.  `{level}` is expanded
    # per project, so mozilla-central and try read the secret for their own level.
    - secrets:get:project/engwf/gecko/{level}/tokens
  to:
    - project:
        alias: ["mozilla-central", "try"]
- grant:
    # Grant engwf team access to secrets and artifacts for engwf
    # (read and write on the whole project/engwf/ secret namespace).
    - secrets:get:project/engwf/*
    - secrets:set:project/engwf/*
  to:
    - groups:
        - engworkflow
- grant:
    # Bug 1599870
    # NOTE(review): this exposes the civet github deploy key to every job on try,
    # in addition to the level-3 gecko-roles grant above -- confirm that is still
    # intended, as try is normally the least-trusted tree.
    - secrets:get:project/civet/github-deploy-key
    - queue:get-artifact:project/civet/*
  to:
    - project:
        alias:
          - try
- grant:
    # Bug 1618285 (Updatebot)
    # Level-2 Updatebot secrets for holly.  The trigger-hook scope is also granted
    # in the next stanza to mozilla-central and holly at level [2, 3].
    - secrets:get:project/updatebot/2/try-sshkey
    - secrets:get:project/updatebot/2/phabricator-token
    - secrets:get:project/updatebot/2/bugzilla-api-key
    - secrets:get:project/updatebot/2/database-password
    - secrets:get:project/updatebot/2/sentry-url
    - secrets:get:project/updatebot/2/sql-proxy-config
    - queue:get-artifact:project/updatebot/*
    - hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
  to:
    - project:
        alias:
          - holly
        level: 2
- grant:
    # Bug 1618285 (Updatebot)
    # Only grant the retrigger permission to -central/holly
    - hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
  to:
    - project:
        alias:
          - mozilla-central
          - holly
        # This ensures that these are not granted to a level 1 repo
        level: [2, 3]
- grant:
    # Bug 1618285 (Updatebot)
    # Level-3 Updatebot secrets, only for mozilla-central at level 3.
    - secrets:get:project/updatebot/3/try-sshkey
    - secrets:get:project/updatebot/3/phabricator-token
    - secrets:get:project/updatebot/3/bugzilla-api-key
    - secrets:get:project/updatebot/3/database-password
    - secrets:get:project/updatebot/3/sentry-url
    - secrets:get:project/updatebot/3/sql-proxy-config
    - queue:get-artifact:project/updatebot/*
  to:
    - project:
        alias:
          - mozilla-central
        level: 3
- grant:
    # Bug 1530376: Add scopes for Code Review bot in CI
    - queue:route:project.relman.codereview.*
    # Bug 1541147: Coverity configuration is stored in this secret
    # (the same secret is granted to mozilla-central above; the license secret is not)
    - secrets:get:project/relman/coverity
  to:
    - project:
        alias: try
- grant:
    # Bug 1616786 : Allow ci projects to trigger code review bot
    - queue:route:project.relman.codereview.*
  to:
    # Two separate project grantees; each is matched independently.
    - project:
        alias: taskgraph-try
    - project:
        alias: ci-configuration-try
##
# Non-gecko tree projects
- grant:
    # nss: ptrace, the nss local-provisioner workers, docker image index routes and
    # tooltool downloads.
    - docker-worker:feature:allowPtrace
    - queue:create-task:{priority}:localprovisioner/nss-aarch64
    - queue:create-task:{priority}:localprovisioner/nss-macos-10-12
    - queue:create-task:{priority}:localprovisioner/nss-rpi
    - queue:route:index.docker.images.v1.nss.*
    - project:releng:services/tooltool/api/download/internal
    - project:releng:services/tooltool/api/download/public
  to:
    - project:
        alias: nss
- grant:
    # nss-try: as for nss (minus the rpi worker) plus code-review routing and the
    # nss Coverity secret.
    - docker-worker:feature:allowPtrace
    - queue:create-task:{priority}:localprovisioner/nss-aarch64
    - queue:create-task:{priority}:localprovisioner/nss-macos-10-12
    - queue:route:index.docker.images.v1.nss-try.*
    - queue:route:project.relman.codereview.*
    - secrets:get:project/relman/coverity-nss
    - project:releng:services/tooltool/api/download/internal
    - project:releng:services/tooltool/api/download/public
  to:
    - project:
        alias: nss-try
- grant:
    # These are public
    - secrets:get:project/taskcluster/gecko/hgfingerprint
    - secrets:get:project/taskcluster/gecko/hgmointernal
    # Allow a sensible scheduler-id
    - queue:scheduler-id:{trust_domain}-level-{level}
    # Allows cancelling tasks with that scheduler-id
    - queue:cancel-task:{trust_domain}-level-{level}/*
    # Allow rerunning tasks with that scheduler-id
    - queue:rerun-task:{trust_domain}-level-{level}/*
    # Allow creating tasks on workers associated to the trust-domain
    - queue:create-task:{priority}:{trust_domain}-{level}/*
    - queue:create-task:{priority}:{trust_domain}-t/*
    - queue:create-task:{priority}:built-in/*
    # routes to support locating tasks that create specific versions of artifacts
    # (toolchains, etc.)
    - queue:route:index.{trust_domain}.cache.level-{level}.*
    - index:insert-task:{trust_domain}.cache.level-{level}.*
    # allow fetching secrets appropriate to this level
    - secrets:get:project/releng/{trust_domain}/build/level-{level}/*
    # allow using worker caches appropriate to this trust domain and level
    - docker-worker:cache:{trust_domain}-level-{level}-*
    - generic-worker:cache:{trust_domain}-level-{level}-*
  to:
    - project:
        feature: trust-domain-scopes
- grant:
    # routes to support indexing by product
    - queue:route:index.{trust_domain}.v2.{alias}.*
    - index:insert-task:{trust_domain}.v2.{alias}.*
  to:
    - project:
        # NOTE(review): `include_pull_requests` is not in the header's condition
        # list; presumably it keeps pull-request jobs off the product index, which
        # the `-pr` routes in the next stanza cover instead -- confirm in the tooling.
        include_pull_requests: false
        feature: trust-domain-scopes
- grant:
    # routes to support indexing by product, pull-request variant (`{alias}-pr`)
    - queue:route:index.{trust_domain}.v2.{alias}-pr.*
    - index:insert-task:{trust_domain}.v2.{alias}-pr.*
  to:
    - project:
        job: ['pull-request']
        feature: trust-domain-scopes
- grant:
    # routes to support reporting to treeherder (stage and production, v1 and v2)
    - queue:route:tc-treeherder-stage.{alias}.*
    - queue:route:tc-treeherder.{alias}.*
    - queue:route:tc-treeherder-stage.v2.{alias}.*
    - queue:route:tc-treeherder.v2.{alias}.*
  to:
    - project:
        feature: treeherder-reporting
- grant:
    # routes to support reporting to treeherder, pull-request variant (`{alias}-pr`)
    - queue:route:tc-treeherder-stage.v2.{alias}-pr.*
    - queue:route:tc-treeherder.v2.{alias}-pr.*
  to:
    - project:
        job: ['pull-request']
        feature: treeherder-reporting
- grant:
    # version-control-tools: hg test workers, IRC notifications and a fixed
    # treeherder route.
    - queue:create-task:{priority}:hg-t/*
    - queue:route:notify.irc-channel.*
    - queue:route:tc-treeherder.v2.version-control-tools.*
  to:
    - project:
        alias: version-control-tools
- grant:
    # Low-priority access to the gecko decision/misc/images pools for the
    # taskgraph and ci trust domains.
    - queue:create-task:low:aws-provisioner-v1/gecko-{level}-decision
    - queue:create-task:low:aws-provisioner-v1/gecko-misc
    - queue:create-task:low:aws-provisioner-v1/gecko-{level}-images
  to:
    - project:
        trust_domain: [taskgraph, ci]
- grant:
    # taskgraph CI secret (every job on the taskgraph project).
    - secrets:get:project/releng/taskgraph/ci
  to:
    - project:
        alias: taskgraph
##
# feature-specific roles
- grant:
    # Trunk-revision index route for projects flagged with the is-trunk feature.
    - queue:route:index.{trust_domain}.v2.trunk.revision.*
  to:
    - project:
        feature: is-trunk
##
# mozilla roles
#
#
# FIXME: Bug 1632147 - app-services and glean should be merged under the same
# `trust_domain` so that scopes are bulked together like in the mobile world
#
# - glean specific roles
- grant:
    # Every job on the glean project: its own worker pools and cache index, plus
    # dep-signing and maven-staging beetmover.
    # NOTE(review): `{trust_project}` is not in the header's expansion list;
    # presumably expanded by the grants tooling like `{trust_domain}` -- confirm.
    - queue:create-task:highest:glean-{level}/*
    - queue:route:index.project.glean.cache.level-{level}.*
    # RELENG-798 - until we have a shared trust domain to push toolchain artifacts to
    - queue:get-artifact:project/gecko/mac-sdk/*
    - project:releng:services/tooltool/api/download/internal
    - project:mozilla:{trust_project}:releng:signing:cert:dep-signing
    - project:mozilla:{trust_project}:releng:signing:format:*
    - project:mozilla:{trust_project}:releng:beetmover:action:push-to-maven
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-staging
  to:
    - project:
        alias: glean
- grant:
    # glean release jobs at level 3: release signing, maven-production and email.
    - project:mozilla:{trust_project}:releng:signing:cert:release-signing
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-production
    - queue:route:notify.email.*
  to:
    - project:
        alias: glean
        level: 3
        job: ["release"]
- grant:
    # TODO Bug 1631839: Remove this scope once project has migrated to
    # `index.glean.v2.*`.
    - queue:route:index.project.glean.v2.branch.*
  to:
    - project:
        alias: glean
        job: ["branch:*", "release"]
# - application-services specific roles
- grant:
    # Every job on application-services: tooltool, its docker cache and worker
    # pools, index/notify routes, dep-signing and maven-staging beetmover.
    - docker-worker:taskcluster-proxy:tooltool.download.internal
    # This docker worker cache is still used by the old decision task
    - docker-worker:cache:application-services-*
    - project:releng:services/tooltool/api/download/internal
    - queue:route:index.project.application-services.*
    - queue:create-task:highest:app-services-{level}/*
    - queue:route:notify.email.*
    - project:mozilla:{trust_project}:releng:signing:cert:dep-signing
    - project:mozilla:{trust_project}:releng:signing:format:*
    - project:mozilla:{trust_project}:releng:beetmover:action:push-to-maven
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-staging
  to:
    - project:
        alias: application-services
- grant:
    # application-services release jobs at level 3: release signing, publish
    # secrets, the level-3 scriptworker pools and maven-production beetmover.
    - project:mozilla:{trust_project}:releng:signing:cert:release-signing
    - secrets:get:project/application-services/gradle-plugin-publish
    - secrets:get:project/application-services/publish
    # TODO Bug 1597329 - Remove these 4 scopes once the naming scheme is applied to the workers
    # Scopes are kind of duplicated because this project doesn't use "assume:" scopes on the
    # decision task, yet.
    - queue:create-task:highest:scriptworker-k8s/appservices-3-signing
    - queue:create-task:highest:scriptworker-k8s/appservices-3-beetmover
    # TODO In bug 1632147 we will reorganize scriptworker scopes to re-use the
    # `beetmover-maven-phase` once we have a new `trust_project` for this and
    # `glean` project
    - project:mozilla:{trust_project}:releng:beetmover:action:push-to-maven
    - project:mozilla:{trust_project}:releng:beetmover:bucket:maven-production
  to:
    - project:
        alias: application-services
        level: 3
        job: ["release"]
- grant:
    # Symbol-upload token for level-3 release and branch jobs on application-services.
    - secrets:get:project/application-services/symbols-token
  to:
    - project:
        alias: application-services
        level: 3
        job: ["release", "branch:*"]
# - scriptworker specific roles
- grant:
    # scriptworker repo secrets; note that pull-request jobs are included.
    - secrets:get:repo:github.com/mozilla-releng/scriptworker:coveralls
    - secrets:get:repo:github.com/mozilla-releng/scriptworker:github
  to:
    - project:
        alias: scriptworker
        job: ["pull-request", "branch:master"]
# - balrog specific roles
- grant:
    # balrog coveralls token; note that pull-request jobs are included.
    - secrets:get:repo:github.com/mozilla-releng/balrog:coveralls
  to:
    - project:
        alias: balrog
        job: ["pull-request", "branch:master", "branch:main"]
- grant:
    # balrog default-branch pushes: index/notify routes and the dockerhub secret
    # (not available to pull requests, unlike the coveralls token above).
    - queue:route:index.project.balrog.*
    - queue:route:notify.*
    - secrets:get:repo:github.com/mozilla-releng/balrog:dockerhub
  to:
    - project:
        alias: balrog
        job: ["branch:master", "branch:main"]
- grant:
    # balrog release jobs: index route, dockerhub secret and the UI deployment
    # credentials for both stage and prod.
    - queue:route:index.project.balrog.*
    - secrets:get:repo:github.com/mozilla-releng/balrog:dockerhub
    # S3 creds are for deploying the UI
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-prod-app-config
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-prod-aws-creds
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-stage-app-config
    - secrets:get:repo:github.com/mozilla-releng/balrog:s3-stage-aws-creds
  to:
    - project:
        alias: balrog
        job: ["release"]
##
# mozilla-releng roles
#
# Grant these for all releng repos on github
- grant:
    # Baseline for every project in the releng trust domain: notification scopes
    # and routes, garbage index routes, the taskcluster-github scheduler-id, and
    # the trust domain's own worker pools.
    - notify:email:*
    - notify:irc-channel:*
    - notify:irc-user:*
    - queue:route:garbage.*
    - queue:route:index.garbage.*
    - queue:route:notify.email.*
    - queue:route:notify.irc-channel.*
    - queue:route:notify.irc-user.*
    - queue:scheduler-id:taskcluster-github
    - queue:create-task:{priority}:{trust_domain}-{level}/*
    - queue:create-task:{priority}:{trust_domain}-t/*
  to:
    - project:
        trust_domain: releng
# - build-puppet has no custom roles.
# - k8s-autoscale roles
- grant:
    # k8s-autoscale deploy secret, only on the master and production branches.
    - secrets:get:project/releng/k8s-autoscale/deploy
  to:
    - project:
        alias: k8s-autoscale
        job: ["branch:master", "branch:production"]
# - occ specific roles
- grant:
    # occ revision index route for all branches and pull requests.
    - queue:route:index.project.releng.opencloudconfig.v1.revision.*
  to:
    - project:
        alias: occ
        job: ["branch:*", "pull-request"]
- grant:
    # occ tooltool/worker-type update secrets on the three named branches only
    # (not pull requests).
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:updatetooltoolrepo
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:updateworkertype
  to:
    - project:
        alias: occ
        job: ["branch:alpha", "branch:beta", "branch:master"]
- grant:
    # occ alpha branch: read (and, for the non-cot ones, write) the per-pool
    # alpha secrets.
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:cot-gecko-1-b-win2012-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-a
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-alpha
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-a
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-a
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-alpha
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-a
  to:
    - project:
        alias: occ
        job: ["branch:alpha"]
- grant:
    # occ beta branch: same shape as the alpha stanza above, for the beta secrets.
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:cot-gecko-1-b-win2012-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-b
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-beta
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-b
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2012-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win2016-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win10-64-gpu-b
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-beta
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win7-32-gpu-b
  to:
    - project:
        alias: occ
        job: ["branch:beta"]
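- grant:
    # Wildcard get/set over the OpenCloudConfig worker-type secrets. Restricted
    # to master; the alpha and beta branches have narrower, enumerated grants
    # above. Each scope is listed once (the mozillavpn-*-b-win* entries were
    # previously duplicated).
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:cot-*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-2-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-3-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:mozillavpn-1-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:mozillavpn-3-b-win*
    - secrets:get:repo:github.com/mozilla-releng/OpenCloudConfig:relops*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-1-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-2-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-3-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:gecko-t-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:mozillavpn-1-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:mozillavpn-3-b-win*
    - secrets:set:repo:github.com/mozilla-releng/OpenCloudConfig:relops*
  to:
    - project:
        alias: occ
        job: ["branch:master"]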
# - cloud-image-builder/cloud-image-deploy specific roles
- grant:
- auth:create-role:worker-pool:gecko-1/win*
- auth:create-role:worker-pool:gecko-t/win*
- auth:sentry:generic-worker
- auth:update-role:worker-pool:gecko-1/win*
- auth:update-role:worker-pool:gecko-t/win*
- auth:websocktunnel-token:cloudopsstage/*
- auth:websocktunnel-token:firefoxcitc/*
- queue:route:index.project.relops.*
- generic-worker:os-group:*
- generic-worker:run-as-administrator:*
- queue:create-task:{priority}:gecko-1/win*
- queue:create-task:{priority}:gecko-1/b-win*
- queue:create-task:{priority}:gecko-t/win*
- queue:create-task:{priority}:gecko-t/t-win*
- queue:create-task:{priority}:relops*
- secrets:get:project/relops/image-builder*
- secrets:get:project/relops/image-deploy*
- queue:scheduler-id:taskcluster-github
- worker-manager:manage-worker-pool:gecko-1/win*
- worker-manager:manage-worker-pool:gecko-1/b-win*
- worker-manager:manage-worker-pool:gecko-t/win*
- worker-manager:manage-worker-pool:gecko-t/t-win*
- worker-manager:manage-worker-pool:relops*
- worker-manager:provider:aws
- worker-manager:provider:azure
to:
- project:
alias: cloud-image-builder
job: ["branch:main"]
- project:
alias: cloud-image-deploy
job: ["branch:main"]
environment: staging
# - mapper specific roles
- grant:
- secrets:get:project/releng/mapper/ci
to:
- projects:
alias: mapper
job: ["branch:*", "pull-request"]
- grant:
- secrets:get:project/releng/mapper/deploy
to:
- projects:
alias: mapper
job: ["branch:dev", "branch:staging", "branch:production"]
# - product-details specific roles
- grant:
- secrets:get:repo:github.com/mozilla-releng/product-details:branch:production
to:
- projects:
alias: product-details
job: ["branch:production"]
- grant:
- secrets:get:repo:github.com/mozilla-releng/product-details:branch:staging
to:
- projects:
alias: product-details
job: ["branch:staging"]
- grant:
- secrets:get:repo:github.com/mozilla-releng/product-details:branch:testing
to:
- projects:
alias: product-details
job: ["branch:testing"]
# - shipit specific roles
- grant:
- secrets:get:project/releng/shipit/deploy
to:
- projects:
alias: shipit
job: ["branch:production", "branch:dev"]
# - tooltool specific roles
- grant:
- secrets:get:project/releng/tooltool/ci
to:
- projects:
alias: tooltool
job: ["branch:*", "pull-request"]
- grant:
- secrets:get:project/releng/tooltool/deploy
to:
- projects:
alias: tooltool
job: ["branch:dev", "branch:staging", "branch:production"]
# - treestatus specific roles
- grant:
- secrets:get:project/releng/treestatus/ci
to:
- projects:
alias: treestatus
job: ["branch:*", "pull-request"]
- grant:
- secrets:get:project/releng/treestatus/deploy
to:
- projects:
alias: treestatus
job: ["branch:dev", "branch:staging", "branch:production"]
##
# mobile-specific roles
#
# We refer to level 1 as the staging/development workflow for a given project
# (e.g. pull requests and staging-triggered releases) while level 3 defines the
# production releases (GitHub-based releases or releases triggered via hooks)
#
# mobile:level:X:*
- grant:
- queue:create-task:highest:mobile-{level}/*
- queue:create-task:highest:mobile-t/*
- queue:create-task:{priority}:built-in/*
- queue:get-artifact:mobile/android-sdk/*
- queue:route:index.mobile.v2.{trust_project}.cache.level-{level}.*
- queue:route:notify.*
- queue:scheduler-id:{trust_domain}-level-{level}
- notify:email:*
- notify:slack-channel:*
- project:mobile:{trust_project}:releng:signing:cert:dep-signing
- project:mobile:{trust_project}:releng:signing:format:*
to:
- project:
feature: mobile-roles
- grant:
- secrets:get:project/releng/mobile/github-cron-token
to:
- project:
repo_type: ["git"]
job: ["cron:*"]
- grant:
# These tokens are considered public because they're available to Pull Requests. We need them
# there because we want coverage reports.
- secrets:get:project/mobile/{trust_project}/public-tokens
to:
- project:
feature: mobile-public-code-coverage
- grant:
- project:{trust_domain}:{alias}:releng:beetmover:action:push-to-maven
to:
- project:
feature: beetmover-maven-phase
job: ["release", "pull-request", "action:release-promotion"]
- project:
feature: beetmover-maven-nightly-phase
job: ["cron:nightly"]
- grant:
- project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-production
to:
- project:
feature: beetmover-maven-phase
level: 3
job: ["release", "action:release-promotion"]
- grant:
- project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-staging
- project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-nightly-staging
to:
- project:
feature: beetmover-maven-phase
job: ["pull-request"]
- grant:
- project:{trust_domain}:{alias}:releng:beetmover:bucket:maven-nightly-production
to:
- project:
feature: beetmover-maven-nightly-phase
level: 3
job: ["cron:nightly"]
- grant:
- project:{trust_domain}:{trust_project}:releng:beetmover:bucket:dep
- project:{trust_domain}:{trust_project}:releng:beetmover:action:direct-push-to-bucket
to:
- project:
feature: beetmover-phase
job: ["pull-request"]
- project:
feature: beetmover-phase
level: 1
job: ["action:release-promotion"]
- grant:
- project:{trust_domain}:{alias}:releng:beetmover:bucket:nightly
- project:{trust_domain}:{alias}:releng:beetmover:action:direct-push-to-bucket
- queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*
# TODO: Remove below once beetmover landed to prod workers
- queue:create-task:highest:scriptworker-k8s/{trust_domain}-1-*
- project:{trust_domain}:{alias}:releng:beetmover:bucket:dep
to:
- project:
feature: beetmover-phase
level: 3
job: ["cron:nightly"]
- grant:
- project:{trust_domain}:{alias}:releng:beetmover:bucket:release
- project:{trust_domain}:{alias}:releng:beetmover:action:direct-push-to-bucket
- queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*
to:
- project:
feature: beetmover-phase
level: 3
job: ["release", "action:release-promotion"]
- grant:
- project:{trust_domain}:{trust_project}:releng:github:action:release
to:
- project:
feature: github-publication
job: ["action:release-promotion", "release", "pull-request"]
- grant:
- project:{trust_domain}:{trust_project}:releng:github:project:{trust_project}
to:
- project:
feature: github-publication
level: 3
job: ["action:release-promotion", "release"]
- grant:
- project:{trust_domain}:{trust_project}:releng:github:project:mock
to:
- project:
feature: github-publication
level: 1
job: ["release", "action:release-promotion"]
- project:
feature: github-publication
job: ["pull-request"]
- grant:
- project:{trust_domain}:{trust_project}:releng:github:project:{alias}
to:
- project:
feature: github-publication
level: 1
job: ["action:release-promotion", "release"]
- grant:
- project:mobile:{trust_project}:releng:signing:cert:release-signing
to:
- project:
feature: mobile-sign-phase
level: 3
job: ["release", "cron:nightly", "action:release-promotion"]
- project:
alias: fenix
job: ["cron:nightly-on-google-play"]
- grant:
- queue:route:index.mobile.v2.{trust_project}.nightly.*
to:
- project:
feature: mobile-sign-phase
level: 3
job: ["cron:nightly"]
- project:
alias: fenix
job: ["cron:nightly-on-google-play"]
- grant:
- project:mobile:{trust_project}:releng:signing:cert:release-signing
to:
- project:
alias: android-components
job: ["release", "cron:nightly"]
- grant:
- queue:route:index.mobile.v2.{trust_project}.release.*
- project:mobile:{trust_project}:releng:github:project:android-components
- project:mobile:{trust_project}:releng:github:action:release
- project:mobile:{trust_project}:releng:signing:cert:release-signing
to:
- project:
alias: android-components
job: ["release", "action:release-promotion"]
- grant:
- queue:route:index.mobile.v2.{trust_project}.nightly.*
to:
- project:
alias: android-components
job: ["cron:nightly"]
- grant:
- project:mobile:{trust_project}:releng:beetmover:action:push-to-maven
- project:mobile:{trust_project}:releng:beetmover:bucket:maven-staging
- project:mobile:{trust_project}:releng:github:project:staging-android-components
- project:mobile:{trust_project}:releng:github:project:mock
- project:mobile:{trust_project}:releng:github:action:release
- queue:route:index.mobile.v2.{alias}.*
to:
- project:
alias: staging-android-components
- grant:
- project:mobile:{trust_project}:releng:googleplay:product:{trust_project}
to:
- project:
feature: mobile-pushapk-phase
level: 3
job: ["release", "cron:nightly", "action:release-promotion"]
- project:
alias: fenix
job: ["cron:nightly-on-google-play"]
- grant:
- project:mobile:{trust_project}:releng:googleplay:product:{trust_project}:dep
to:
- project:
feature: mobile-pushapk-phase
job: ["pull-request"]
- project:
feature: mobile-pushapk-phase
level: 1
job: ["release", "cron:*", "action:release-promotion"]
- grant:
- secrets:get:project/mobile/{trust_project}/firebase
to:
- project:
feature: mobile-firebase-testing
job: ["action:*", "branch:*"]
- project:
# Fenix PRs are restricted to collaborators, so exposing firebase is safe-enough for PRs.
# Fenix also has some Firebase tests on nightly.
alias: fenix
job: ["cron:nightly", "cron:nightly-on-google-play", "cron:screenshots", "pull-request"]
- project:
# Focus PRs are restricted to collaborators, so exposing firebase is safe-enough for PRs.
# Focus also has some Firebase tests on nightly.
alias: focus-android
job: ["cron:nightly", "pull-request"]
- project:
# TODO - remove once focus/taskcluster work is complete
alias: staging-focus-android
job: ["pull-request"]
- grant:
- secrets:get:project/mobile/github
to:
- project:
feature: mobile-bump-github
level: 3
job: ["cron:bump-*"]
- grant:
- project:mobile:{trust_project}:releng:signing:cert:dep-signing
- queue:create-task:highest:proj-autophone/gecko-t-ap-perf-g5
- queue:create-task:highest:proj-autophone/gecko-t-ap-perf-p2
- queue:create-task:highest:proj-autophone/gecko-t-bitbar-gw-perf-g5
- queue:create-task:highest:proj-autophone/gecko-t-bitbar-gw-perf-p2
to:
- project:
feature: autophone
job: ["pull-request"]
- project:
alias: fenix
job: ["cron:nightly"]
- project:
alias: reference-browser
job: ["branch:*"]
- grant:
- queue:route:index.{trust_domain}.v2.{trust_project}.performance-test.*
to:
- project:
alias: fenix
job: ["cron:nightly"]
- project:
alias: reference-browser
job: ["branch:master"]
- grant:
- queue:route:notify.email.perftest-alerts@mozilla.com.on-failed
to:
- project:
alias: fenix
job: ["cron:nightly"]
- project:
alias: reference-browser
job: ["branch:master"]
- grant:
- queue:route:notify.email.android-components-team@mozilla.com.on-failed
- queue:route:notify.email.geckoview-core@mozilla.com.on-failed
- project:mobile:{trust_project}:releng:beetmover:action:push-to-maven
- project:mobile:{trust_project}:releng:beetmover:bucket:maven-staging
- project:mobile:{trust_project}:releng:github:project:mock
- project:mobile:{trust_project}:releng:github:action:release
to:
- project:
alias: android-components
# Used in order to warn the AC team whenever a GV update cannot be merged
job: ["pull-request"]
- grant:
- project:releng:ship-it:action:mark-as-shipped
to:
- project:
feature: shipit
job: ["release", "pull-request"]
- project:
feature: ["shipit", "taskgraph-actions"]
job: ["action:release-promotion"]
- grant:
- project:releng:ship-it:server:production
to:
- project:
# TODO: in the glorious future when Fenix will solely be released via
# Ship-it we can remove the individual Github release section. But until
# then we need to support both for a smooth transition
level: 3
feature: shipit
job: ["release"]
- project:
level: 3
feature: ["shipit", "taskgraph-actions"]
job: ["action:release-promotion"]
- grant:
- project:releng:ship-it:server:staging
to:
- project:
# TODO: once pull-request-based staging releases are more stable and
# available for all mobile projects, we can get rid of this `level=1`
# section which addresses the RelEngers forks
level: 1
feature: shipit
job: ["release", "pull-request"]
- project:
level: 1
feature: ["shipit", "taskgraph-actions"]
job: ["action:release-promotion"]
- project:
level: 3
feature: ["shipit", "taskgraph-actions"]
job: ["pull-request"]
# fenix specific scopes
- grant:
- queue:route:index.project.fenix.android.preview-builds
- github:create-comment:mozilla-mobile/fenix
to:
- project:
alias: fenix
job: ["pull-request"]
- grant:
- secrets:get:project/mobile/fenix/public-tokens
to:
- project:
alias: fenix
job: ["branch:*", "pull-request"]
- grant:
- secrets:get:project/mobile/fenix/nightly-simulation
to:
- project:
alias: fenix
job: ["branch:*"]
- grant:
# XXX `fennec-production-signing` handles beta signing too.
- project:mobile:fenix:releng:signing:cert:fennec-production-signing
# `production-signing` handles mozillaonline signing
- project:mobile:fenix:releng:signing:cert:production-signing
- secrets:get:project/mobile/fenix/beta
- secrets:get:project/mobile/fenix/release
- secrets:get:project/mobile/fenix/beta-mozillaonline
- secrets:get:project/mobile/fenix/release-mozillaonline
to:
- project:
alias: fenix
job: ["action:release-promotion", "release"]
- grant:
# TODO Change the following scope once `production` is entirely renamed to `nightly`
- project:mobile:fenix:releng:signing:cert:production-signing
- secrets:get:project/mobile/fenix/nightly
- queue:route:notify.email.fenix-eng-notifications@mozilla.com.on-failed
to:
- project:
alias: fenix
job: ["action:generic", "cron:nightly", "cron:nightly-on-google-play"]
- grant:
- queue:route:index.mobile.v2.staging-fenix.*
- queue:route:tc-treeherder.v2.fenix-pr.*
to:
- project:
alias: staging-fenix
- grant:
- queue:route:checks
- queue:scheduler-id:{trust_domain}-level-{level}
# allow using worker caches appropriate to this trust domain and level
- docker-worker:cache:{trust_domain}-level-{level}-*
- generic-worker:cache:{trust_domain}-level-{level}-*
to:
- project:
feature: github-taskgraph
- grant:
- queue:route:checks
- queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*
- queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*
to:
- project:
feature: scriptworker
# reference-browser specific scopes
- grant:
- secrets:get:project/mobile/reference-browser/nightly
to:
- projects:
alias:
- reference-browser
job: ["branch:*", "cron:nightly"]
- grant:
- secrets:get:project/mobile/reference-browser/nimbledroid
- secrets:get:project/mobile/reference-browser/sentry
- queue:route:notify.email.android-components-team@mozilla.com.on-failed
to:
- project:
alias: reference-browser
job: ["cron:nightly"]
# focus (android) scopes
- grant:
- queue:scheduler-id:taskcluster-github
- queue:route:statuses
to:
- project:
alias: focus-android
job: ["branch:*", "cron:*", "pull-request", "release"]
- grant:
- queue:route:notify.irc-channel.#android-ci.on-any
to:
- project:
alias: focus-android
job: ["branch:*", "pull-request"]
- grant:
- secrets:get:project/mobile/focus-android/nightly
- secrets:get:project/mobile/focus-android/beta
- secrets:get:project/mobile/focus-android/release
to:
- project:
alias: focus-android
job: ["release", "action:release-promotion", "cron:nightly"]
- grant:
- queue:route:index.v2.project.{trust_domain}.{trust_project}.release.*
- project:mobile:focus-android:releng:signing:cert:production-signing
to:
- project:
alias: focus-android
job: ["release", "action:release-promotion"]
- grant:
- queue:route:index.v2.project.{trust_domain}.{trust_project}.nightly.*
- queue:route:notify.email.firefox-focus@mozilla.com.on-failed
- project:mobile:focus-android:releng:signing:cert:production-signing
to:
- project:
alias: focus-android
job: ["cron:nightly"]
- grant:
- queue:route:index.mobile.v2.staging-focus-android.*
- queue:route:tc-treeherder.v2.focus-android-pr.*
to:
- project:
alias: staging-focus-android
# firefox-tv specific scopes
- grant:
- secrets:get:project/mobile/firefox-tv/tokens
- queue:route:index.project.{trust_domain}.{alias}.cache.level-{level}.*
to:
- project:
alias: firefox-tv
job: ["branch:*", "pull-request", "release"]
- grant:
- queue:route:notify.email.firefox-tv@mozilla.com.on-completed
- project:mobile:firefox-tv:releng:signing:cert:production-signing
to:
- project:
alias: firefox-tv
job: ["release"]
- grant:
- secrets:get:project/mobile/firefox-ios/bitrise
to:
- project:
alias: firefox-ios
job: ["cron:l10-screenshots", "action:*"]
- grant:
- secrets:get:project/mobile/focus-ios/bitrise
to:
- project:
alias: focus-ios
job: ["cron:l10-screenshots", "action:*"]
# L10n repositories
- grant:
- queue:create-task:highest:l10n-{level}/*
- queue:create-task:{priority}:built-in/*
- queue:route:index.{trust_domain}.{alias}.cache.level-{level}.*
- queue:route:notify.email.*
to:
- project:
alias:
- android-l10n-tooling
job: ["pull-request", "branch:*", "cron:*"]
- grant:
- secrets:get:l10n/level-{level}/*
to:
- project:
alias:
- android-l10n-tooling
job: ["branch:*", "cron:*"]
# Automation for l10n.mozilla.org
- grant:
- queue:create-task:highest:l10n-{level}/*
- queue:create-task:{priority}:built-in/*
- queue:route:index.{trust_domain}.{alias}.cache.level-{level}.*
- queue:scheduler-id:{trust_domain}-level-{level}
- docker-worker:cache:{trust_domain}-level-{level}-*
- generic-worker:cache:{trust_domain}-level-{level}-*
- queue:route:notify.email.*
- queue:route:checks
to:
- project:
alias:
- elmo-taskcluster
job: ["pull-request", "branch:*", "cron:*"]
- grant:
- secrets:get:l10n/level-{level}/*
to:
- project:
alias:
- elmo-taskcluster
job: ["branch:*", "cron:*"]
# Mozilla VPN
- grant:
- queue:create-task:{priority}:built-in/*
- queue:create-task:{priority}:mozillavpn-{level}/*
- queue:create-task:{priority}:releng-hardware/mozillavpn-b-{level}-*
- queue:route:index.{trust_domain}.cache.level-{level}.*
- queue:route:index.{trust_domain}.v2.{trust_project}.cache.level-{level}.*
- queue:scheduler-id:{trust_domain}-level-{level}
- docker-worker:cache:{trust_domain}-level-{level}-*
- generic-worker:cache:{trust_domain}-level-{level}-*
- queue:route:notify.email.*
- queue:route:checks
- queue:get-artifact:project/mozillavpn/*
# Create level-1 scopes explicitly
- queue:create-task:{priority}:mozillavpn-1/*
- queue:create-task:{priority}:releng-hardware/mozillavpn-b-1-*
- queue:route:index.{trust_domain}.cache.level-1.*
- queue:scheduler-id:{trust_domain}-level-1
- docker-worker:cache:{trust_domain}-level-1-*
- generic-worker:cache:{trust_domain}-level-1-*
to:
- project:
alias:
- mozilla-vpn-client
job: ["pull-request", "branch:*", "cron:*"]
- grant:
- queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*
- queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*
- project:mozillavpn:releng:signing:cert:dep-signing
to:
- project:
alias:
- mozilla-vpn-client
job:
- "branch:*"
- "pull-request"
- grant:
- project:{trust_project}:releng:signing:format:*
- project:releng:services/tooltool/api/download/public
- project:releng:services/tooltool/api/download/internal
to:
- project:
alias: mozilla-vpn-client
- grant:
- project:mozillavpn:releng:signing:cert:release-signing
- secrets:get:project/mozillavpn/tokens
to:
- project:
alias:
- mozilla-vpn-client
# Only enable this for main and release branches, so that in-repo branches
# don't get access to release signing.
job:
- "branch:main"
- "branch:releases/*"
# Bug 1745945: secret scopes for mozillavpn-developers
- grant:
- secrets:set:project/mozillavpn/*
- secrets:get:project/mozillavpn/*
- queue:rerun-task:mozillavpn-level-*
to:
- roles:
- mozillians-group:mozillavpn-developers
# XPI
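- grant:
    # Staging-side XPI scopes (dep-signing, staging ship-it/balrog, dep bucket)
    # shared by the production and staging manifest repos.
    - project:xpi:releng:github:project:mozilla-releng/staging-xpi-*
    - project:xpi:releng:github:action:release
    - project:xpi:releng:signing:cert:dep-signing
    - project:xpi:releng:ship-it:server:staging
    - project:xpi:releng:ship-it:action:mark-as-shipped
    - project:xpi:beetmover:action:*
    - project:xpi:beetmover:bucket:dep
    - project:xpi:balrog:action:*
    - project:xpi:balrog:channel:*
    - project:xpi:balrog:server:staging
    - queue:create-task:highest:xpi-{level}/*
    - queue:create-task:highest:xpi-t/*
    - queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*
    - queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*
    - queue:route:index.{trust_domain}.v2.xpi-manifest.*
    - queue:route:index.xpi.cache.level-{level}.*
  to:
    - project:
        alias:
          - xpi-manifest
          - staging-xpi-manifest
        # Only enabled for the main branch and actions; pull requests and other
        # branches do not receive these scopes. (No "master" entry remains.)
        job: ["branch:main", "action:*"]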
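- grant:
    # Production-side XPI scopes (release-signing, production ship-it, release
    # bucket/balrog); granted to the production manifest repo only.
    - project:xpi:releng:github:project:mozilla-extensions/*
    - project:xpi:releng:signing:cert:release-signing
    - project:xpi:releng:ship-it:server:production
    - project:xpi:beetmover:bucket:release
    - project:xpi:balrog:server:release
  to:
    - project:
        alias:
          - xpi-manifest
        # Only enabled for the main branch and actions; pull requests and other
        # branches do not receive these scopes. (No "master" entry remains.)
        job: ["branch:main", "action:*"]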
- grant:
# access to workers; all levels have access to the same workers, but at
# different priorities and levels
- queue:route:index.xpi.xpi-manifest.cache.level-1.*
- queue:route:index.xpi.v2.*
- queue:route:index.xpi.cache.level-1.*
- queue:route:checks
- queue:scheduler-id:taskcluster-github
- queue:route:notify.email.*
- queue:create-task:low:built-in/*
- queue:create-task:low:xpi-1/*
- queue:create-task:low:xpi-t/*
- queue:get-artifact:xpi/*
- queue:scheduler-id:xpi-level-1
- docker-worker:cache:xpi-level-1-*
- secrets:get:project/xpi/xpi-github-clone-ssh
- project:xpi:releng:signing:cert:dep-signing
- queue:create-task:low:scriptworker-k8s/xpi-t-*
to:
- project:
feature: xpi-roles
job: ["pull-request", "branch:*", "cron:*", "action:*", "tag:*"]
- roles:
# The mozilla-extensions github organization is designed to allow for
# easily creating new repos for xpi source. Let's automatically
# give them level 1 scopes for master, PRs, and other branches.
- repo:github.com/mozilla-extensions/*
- repo:github.com/mozilla-releng/staging-xpi-*
- grant:
- queue:get-artifact:xpi/*
to:
- groups:
- team_moco
- team_mozillaonline
- grant:
- in-tree:hook-action:project-{trust_domain}/in-tree-action-{level}-*
to:
- project:
feature: taskgraph-actions
# Adhoc signing
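- grant:
    # Worker and dep-signing scopes for the adhoc-signing repos. Each scope and
    # each job pattern is listed once (the {trust_domain}-{level}-* prov-v1
    # scope and the "action:*" job entry were previously duplicated).
    - queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*
    - queue:create-task:highest:scriptworker-k8s/{trust_domain}-{level}-*
    - queue:create-task:highest:scriptworker-prov-v1/{trust_domain}-t-*
    - queue:create-task:highest:scriptworker-prov-v1/{trust_domain}-{level}-*
    - queue:create-task:highest:adhoc-{level}/*
    - queue:create-task:highest:adhoc-t/*
    - queue:create-task:highest:scriptworker-prov-v1/{trust_domain}-signing-mac-dev
    - project:adhoc:releng:signing:cert:dep-signing
    - project:adhoc:releng:ship-it:server:staging
    - project:adhoc:releng:ship-it:action:mark-as-shipped
    - queue:route:index.{trust_domain}.v2.{alias}.*
    - queue:route:index.{trust_domain}.v2.staging-adhoc-manifest.*
    - queue:route:index.adhoc-signing.cache.level-{level}.*
    - queue:get-artifact:releng/adhoc/*
    - queue:route:notify.email.*
  to:
    - project:
        feature: adhoc-roles
        job: ["branch:*", "action:*", "pull-request", "cron:*"]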
- grant:
- project:adhoc:releng:signing:cert:release-signing
- project:adhoc:releng:signing:cert:nightly-signing
- project:adhoc:releng:ship-it:server:production
- queue:route:index.{trust_domain}.v2.adhoc-manifest.*
to:
- project:
alias:
- adhoc-signing
# Only enable this for master and actions.
job: ["branch:master", "action:*"]
# Scriptworker and scriptworker-scripts
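- grant:
    # Worker scopes for the scriptworker-scripts repo. Each scope and each job
    # pattern is listed once (the scriptworker-k8s/{trust_domain}-t-* scope and
    # the "action:*" job entry were previously duplicated).
    - queue:create-task:highest:scriptworker-k8s/{trust_domain}-t-*
    - queue:create-task:highest:scriptworker-{level}/*
    - queue:create-task:highest:scriptworker-t/*
    - queue:route:index.{trust_domain}.v2.{alias}.*
    - queue:route:index.scriptworker.cache.level-{level}.*
    # explicitly grant level 1 scopes for PRs
    - queue:scheduler-id:scriptworker-level-1
    - queue:create-task:highest:scriptworker-1/*
    - queue:route:index.scriptworker.cache.level-1.*
  to:
    - project:
        alias:
          - scriptworker-scripts
        job: ["branch:*", "action:*", "pull-request", "cron:*"]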
# - scriptworker-scripts specific roles
# XXX delete these once we port scriptworker-scripts cloudops deploys to CoT
# downloads
- grant:
- secrets:get:project/releng/scriptworker-scripts/deploy
to:
- projects:
alias: scriptworker-scripts
job: ["branch:production*", "branch:dev*"]
##
# delegate cron:nightly-* to hand-managed nightly roles
#
- grant:
- project:releng:balrog:channel:nightly
- project:releng:balrog:server:nightly
- project:releng:beetmover:bucket:dep
- project:releng:beetmover:bucket:nightly
- project:releng:beetmover:bucket:maven-production
- project:releng:bouncer:server:production
- project:releng:bouncer:server:production-nazgul
- project:releng:signing:cert:nightly-signing
to:
- project:
feature: gecko-cron
alias: mozilla-central
trust_domain: gecko
job: cron:nightly-*
- grant:
- assume:project:comm:thunderbird:comm:releng:nightly:level-{level}:{alias}
- project:comm:thunderbird:releng:balrog:server:nightly
- project:comm:thunderbird:releng:beetmover:bucket:nightly
- project:comm:thunderbird:releng:signing:cert:nightly-signing
to:
- project:
alias: comm-central
feature: gecko-cron
trust_domain: comm
job: cron:nightly-*
- grant:
- project:releng:beetmover:bucket:maven-production
to:
- project:
alias:
- mozilla-central
- mozilla-beta
- mozilla-release
job: cron:ship-geckoview
- project:
# We still support RELBRANCHes on mozilla-release. Geckoview gets automatically shipped on
# GECKOVIEW_\d+_RELBRANCH (\d+ being the major version)
alias: mozilla-release
# /!\ Relbranches currently use `branch:default`
job: branch:*
##
# Administrative Scopes
- grant:
# Allow sheriffs to quarantine gecko related workers
- queue:quarantine-worker:bitbar/gecko-*
- queue:quarantine-worker:gecko-1/*
- queue:quarantine-worker:gecko-3/*
- queue:quarantine-worker:gecko-t/*
- queue:quarantine-worker:proj-autophone/gecko-*
- queue:quarantine-worker:releng-hardware/gecko-*
- queue:quarantine-worker:mobile-*
# Allow sheriffs to terminate gecko/mobile related workers
- worker-manager:remove-worker:gecko-*
- worker-manager:remove-worker:mobile-*
# Allow sheriffs to rerun and cancel gecko tasks
# Allows cancelling tasks with that scheduler-id
- queue:cancel-task:gecko-level-*
- queue:rerun-task:gecko-level-*
# Allow managing treestatus
- project:releng:services/treestatus/*
# Allow triggering nightlies
- hooks:trigger-hook:project-releng/cron-task-mozilla-central/nightly-*
# Allow sheriffs to force schedule a decision task, whenever one has gone missing because of a
# bustage
- hooks:trigger-hook:hg-push/*
to:
- groups:
- sheriff
- perf_sheriff
- grant:
# Allow triggering nightlies and geckoview
- hooks:trigger-hook:project-releng/cron-task-mozilla-central/ship-geckoview
- hooks:trigger-hook:project-releng/cron-task-releases-mozilla-beta/ship-geckoview
- hooks:trigger-hook:project-releng/cron-task-releases-mozilla-release/ship-geckoview
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/nightly
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/nightly-on-google-play
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-focus-android/nightly
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-focus-android/nightly-public
to:
- groups:
- sheriff
- mobile_releases
- mobile_eng_ops
- grant:
# Allow to manage mobile trees
- queue:cancel-task:taskcluster-github/*
- queue:cancel-task:mobile-level-*
- queue:rerun-task:mobile-level-*
- hooks:trigger-hook:project-mobile/in-tree-action-1-generic/*
- hooks:trigger-hook:project-mobile/in-tree-action-3-generic/*
- hooks:trigger-hook:project-mobile/in-tree-action-1-cancel-all/*
- hooks:trigger-hook:project-mobile/in-tree-action-3-cancel-all/*
to:
- groups:
- sheriff
- perf_sheriff
- mobile_releases
- mobile_eng_ops
- mobile_test_ops
- grant:
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/gv-update-beta
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/gv-update-nightly
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/gv-update-release
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/bump-android-components
to:
- groups:
- mobile_releases
- mobile_eng_ops
- grant:
# Allow people with level-3 access to access interactive tasks
- queue:get-artifact:private/interactive/*
- queue:get-artifact:private/docker-worker/*
to:
- groups:
- active_scm_level_3
- grant:
# Allow triggering thunderbird nightlies
- hooks:trigger-hook:project-releng/cron-task-comm-central/nightly-*
# Allow managing treestatus (This should be limited to comm- trees, see Bug 1613551)
- project:releng:services/treestatus/*
to:
- groups:
- thunderbird-sheriff
- thunderbird-releng
- grant:
# Additional permissions for thunderbird-releng on comm level 3 tasks
# Merge Day Automation
- hooks:trigger-hook:project-comm/in-tree-action-1-merge-automation/*
- hooks:trigger-hook:project-comm/in-tree-action-2-merge-automation/*
- hooks:trigger-hook:project-comm/in-tree-action-3-merge-automation/*
# Allow cancel
- queue:cancel-task:comm-level-*
# Allow rerun
- queue:rerun-task:comm-level-*
to:
- groups:
- thunderbird-releng
- grant:
# permission to run Taskcluster's smoketests.
- auth:create-client:project/taskcluster/smoketest/*
- auth:create-role:project:taskcluster:smoketest:*
- auth:delete-client:project/taskcluster/smoketest/*
- auth:delete-role:project:taskcluster:smoketest:*
- auth:reset-access-token:project/taskcluster/smoketest/*
- auth:update-client:project/taskcluster/smoketest/*
- auth:update-role:project:taskcluster:smoketest:*
- project:taskcluster:smoketest:*
- purge-cache:built-in/succeed:smoketest-cache
- queue:create-task:highest:built-in/*
- queue:create-task:highest:built-in/fail
- queue:create-task:highest:built-in/succeed
- queue:route:index.project.taskcluster.smoketest.*
- queue:scheduler-id:smoketest
- secrets:get:project/taskcluster/smoketest/*
- secrets:set:project/taskcluster/smoketest/*
to:
- roles:
- project:taskcluster:smoketests
- grant:
- assume:project:taskcluster:smoketests
to:
- groups:
- team_taskcluster
- team_services_ops
- grant:
# Let cloudops manage the notify denylist to deal with bounces.
- notify:manage-denylist
# Allow cloudops to access tokens for clients that they manage.
- auth:reset-access-token:project/releng/scriptworker/cloudops-canary
to:
- groups:
- team_services_ops
##
# hook scopes
# this scope is included in the decision task's .scopes, and indicates which
# in-tree action hooks may be triggered for the taskgroup. We use this to limit
# the actions on a taskgraph to those at the appropriate level, preventing
# someone with level-3 access from being tricked into running a level-3 hook on
# a level-1 (try) push.
- grant:
- in-tree:hook-action:project-{trust_domain}/in-tree-action-{level}-*
to:
- project:
feature: gecko-actions
job:
- branch:*
- cron:*
- action:release-promotion
# control who can run generic actions: basically anyone at the project's
# level or higher. The backfill action is similarly unrestricted, but has
# a separate action permission, to allow it to trigger actions.
- grant:
- hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
- hooks:trigger-hook:project-comm/in-tree-action-1-generic/*
- hooks:trigger-hook:project-kaios/in-tree-action-1-generic/*
- hooks:trigger-hook:project-gecko/in-tree-action-1-backfill/*
- hooks:trigger-hook:project-comm/in-tree-action-1-backfill/*
- hooks:trigger-hook:project-kaios/in-tree-action-1-backfill/*
to:
- groups:
- active_scm_level_1
- active_scm_level_2
- active_scm_level_3
- grant:
- hooks:trigger-hook:project-gecko/in-tree-action-2-generic/*
- hooks:trigger-hook:project-comm/in-tree-action-2-generic/*
- hooks:trigger-hook:project-kaios/in-tree-action-2-generic/*
- hooks:trigger-hook:project-gecko/in-tree-action-2-backfill/*
- hooks:trigger-hook:project-comm/in-tree-action-2-backfill/*
- hooks:trigger-hook:project-kaios/in-tree-action-2-backfill/*
to:
- groups:
- active_scm_level_2
- active_scm_level_3
- grant:
- hooks:trigger-hook:project-gecko/in-tree-action-3-generic/*
- hooks:trigger-hook:project-comm/in-tree-action-3-generic/*
- hooks:trigger-hook:project-gecko/in-tree-action-3-backfill/*
- hooks:trigger-hook:project-comm/in-tree-action-3-backfill/*
to:
- groups:
- active_scm_level_3
- sheriff
- perf_sheriff
# retriggering a decision requires a lot of scopes, so only sheriffs
# and releng can do it
- grant:
- hooks:trigger-hook:project-gecko/in-tree-action-1-retrigger-decision/*
- hooks:trigger-hook:project-comm/in-tree-action-1-retrigger-decision/*
- hooks:trigger-hook:project-gecko/in-tree-action-2-retrigger-decision/*
- hooks:trigger-hook:project-comm/in-tree-action-2-retrigger-decision/*
- hooks:trigger-hook:project-gecko/in-tree-action-3-retrigger-decision/*
- hooks:trigger-hook:project-comm/in-tree-action-3-retrigger-decision/*
to:
- groups:
- sheriff
- perf_sheriff
# In addition to the default scopes, retriggering a decision task requires
# the scopes of a decision task. These differ per project, so we use some
# substitution to generate the correct values
- grant:
- assume:repo:hg.mozilla.org/{repo_path}:branch:default
- in-tree:hook-action:project-gecko/in-tree-action-{level}-*
to:
- projects:
feature: gecko-actions
job: action:retrigger-decision
# Similarly with purging caches
- grant:
- hooks:trigger-hook:project-gecko/in-tree-action-1-purge-caches/*
- hooks:trigger-hook:project-comm/in-tree-action-1-purge-caches/*
- hooks:trigger-hook:project-gecko/in-tree-action-2-purge-caches/*
- hooks:trigger-hook:project-comm/in-tree-action-2-purge-caches/*
- hooks:trigger-hook:project-gecko/in-tree-action-3-purge-caches/*
- hooks:trigger-hook:project-comm/in-tree-action-3-purge-caches/*
to:
- groups:
- sheriff
- perf_sheriff
# pretty much anyone can cancel-all at level 1 or 2, while only releng/sheriff
# can do so at level 3
- grant:
- hooks:trigger-hook:project-gecko/in-tree-action-1-cancel-all/*
- hooks:trigger-hook:project-comm/in-tree-action-1-cancel-all/*
- hooks:trigger-hook:project-gecko/in-tree-action-2-cancel-all/*
- hooks:trigger-hook:project-comm/in-tree-action-2-cancel-all/*
to:
- groups:
- active_scm_level_1
- active_scm_level_2
- active_scm_level_3
- sheriff
- perf_sheriff
- grant:
- hooks:trigger-hook:project-gecko/in-tree-action-3-cancel-all/*
- hooks:trigger-hook:project-comm/in-tree-action-3-cancel-all/*
to:
- groups:
- sheriff
- perf_sheriff
# Thunderbird releng can only cancel-all on comm trees
- grant:
- hooks:trigger-hook:project-comm/in-tree-action-3-cancel-all/*
to:
- groups:
- thunderbird-releng
# tooltool.mozilla-releng.net and tokens.mozilla-releng.net scopes
- grant:
- project:releng:services/tooltool/api/download/public
to:
- groups:
- active_scm_level_1
- active_scm_level_2
- active_scm_level_3
- team_moco
- grant:
- project:releng:services/tooltool/api/download/internal
- project:releng:services/tooltool/api/download/public
to:
- groups:
- team_moco
- grant:
- project:releng:services/tooltool/api/download/public
- project:releng:services/tooltool/api/upload/public
- project:releng:services/tooltool/api/manage
to:
- groups:
- tooltooleditor-public
- grant:
- project:releng:services/tooltool/api/download/internal
- project:releng:services/tooltool/api/upload/internal
- project:releng:services/tooltool/api/manage
to:
- groups:
- tooltooleditor-internal
- grant:
- secrets:get:project/comm/*
- secrets:set:project/comm/*
to:
# NOTE(review): `groups` holds a bare scalar here, while every other grantee in
# this file (and the format documented at the top) gives `group`/`groups` a
# list; confirm the loader accepts a scalar, or write `- groups:` followed by
# `- thunderbird-releng` so this grant is applied consistently with the rest.
- groups: thunderbird-releng
- grant:
# Grant everyone with Try access the schedulerId taskcluster-ui, so they can
# create tasks with the task-creator in the UI
- queue:scheduler-id:taskcluster-ui
to:
- groups:
- active_scm_level_1
- active_scm_level_2
- active_scm_level_3
# Allow bitbar to manage bitbar workers
- grant:
- assume:worker-type:bitbar/*
- queue:worker-id:bitbar-*
- auth:create-client:bitbar/*
- auth:delete-client:bitbar/*
- auth:disable-client:bitbar/*
- auth:enable-client:bitbar/*
- auth:reset-access-token:bitbar/*
- auth:update-client:bitbar/*
to:
- groups:
- bitbar
# Bug 1610751 - allow Sheriffs to trigger on-demand Fenix Raptor tests against
# the latest commit
- grant:
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-fenix/raptor
to:
- groups:
- sheriff
- perf_sheriff
# Allow MozillaOnline to create builds
# See https://bugzilla.mozilla.org/show_bug.cgi?id=1515990
# This should also grant
# assume:project-admin:mozillaonline
# but that currently creates a dependency cycle (Bug 1531166), so
# that scope is granted directly, alongside this one.
- grant:
# These are public
- secrets:get:project/taskcluster/gecko/hgfingerprint
- secrets:get:project/taskcluster/gecko/hgmointernal
# Allow access to dedicated worker-types
- queue:create-task:highest:mozillaonline-1/*
- queue:create-task:highest:mozillaonline-3/*
# Allow access to worker caches
- docker-worker:cache:mozillaonline-level-1-*
- docker-worker:cache:mozillaonline-level-3-*
# Allow access to private toolchains from mozilla-central
- queue:get-artifact:project/gecko/*
# Allow access to API keys
- secrets:get:project/releng/gecko/build/level-1/*
# Allow access to public tooltool artifacts
- docker-worker:relengapi-proxy:tooltool.download.public
- project:releng:services/tooltool/api/download/public
# Allow a sensible scheduler-id
- queue:scheduler-id:mozillaonline-*
# Allows cancelling tasks with that scheduler-id
- queue:cancel-task:mozillaonline-*
# Allow rerunning tasks with that scheduler-id
- queue:rerun-task:mozillaonline-*
to:
- groups:
- mozillaonline
- grant:
# Grant cloudops the ability to manage product-details secrets (Bug 1527571)
- secrets:get:repo:github.com/mozilla-releng/product-details*
- secrets:set:repo:github.com/mozilla-releng/product-details*
to:
- groups:
- cloudops
- grant:
# Grant mobile the ability to manually start release automation
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/api-docs-update
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/nightly
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-android-components/suffixlist-update
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-reference-browser/bump-android-comp
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-reference-browser/nightly
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-firefox-ios/l10-screenshots
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-focus-ios/l10-screenshots
- hooks:trigger-hook:project-releng/cron-task-mozilla-mobile-focus-android/nightly-public
- queue:rerun-task:mobile-level-*
to:
- groups:
- mobile_releases
- mobile_eng_ops
- grant:
# Grant security team access to secrets and artifacts for civet
- secrets:get:project/civet/github-deploy-key
- secrets:set:project/civet/github-deploy-key
- queue:get-artifact:project/civet/*
to:
- groups:
- civet-sec-inf
- grant:
# Grant security team access to secrets and artifacts for updatebot
- secrets:get:project/updatebot/*
- secrets:set:project/updatebot/*
- queue:get-artifact:project/updatebot/*
to:
- groups:
- updatebot-sec-inf
- grant:
# Grant mobile the ability to see and modify their secrets
- secrets:get:project/mobile/*
- secrets:set:project/mobile/*
to:
- groups:
- mobile_releases
- mobile_eng_ops
# Code Coverage runtime roles
# Project https://github.com/mozilla/code-coverage
# The Heroku apps can:
# - trigger the code coverage repo hook
# - read their configuration in secrets
# - send report emails to admins
- grant:
- notify:email:*
to:
- roles:
- project:relman:code-coverage/runtime/testing
- project:relman:code-coverage/runtime/production
- grant:
- hooks:trigger-hook:project-relman/code-coverage-repo-testing
- secrets:get:project/relman/code-coverage/runtime-testing
to:
- roles:
- project:relman:code-coverage/runtime/testing
- grant:
- hooks:trigger-hook:project-relman/code-coverage-repo-production
- secrets:get:project/relman/code-coverage/runtime-production
to:
- roles:
- project:relman:code-coverage/runtime/production
- grant:
- hooks:trigger-hook:project-relman/code-coverage-repo-testing
- hooks:trigger-hook:project-relman/code-coverage-cron-testing
- hooks:trigger-hook:project-relman/code-coverage-cron-production
- hooks:trigger-hook:project-relman/code-coverage-repo-production
- hooks:trigger-hook:project-relman/code-coverage-crontrigger-testing
- hooks:trigger-hook:project-relman/code-coverage-crontrigger-production
- secrets:get:project/relman/code-coverage/*
- secrets:set:project/relman/code-coverage/*
- queue:create-task:lowest:code-coverage/bot
to:
- roles:
- mozillians-group:code-coverage-developers
# Bugzilla dashboard runtime roles
- grant:
- hooks:trigger-hook:project-relman/bugzilla-dashboard-backend-testing
- hooks:trigger-hook:project-relman/bugzilla-dashboard-backend-production
- secrets:get:project/relman/bugzilla-dashboard/*
- secrets:set:project/relman/bugzilla-dashboard/*
to:
- roles:
- mozillians-group:bugzilla-dashboard-developers
# Grant access to Bugzilla dashboard's specific private artifacts such as
# `product_component_data.json` to all Mozilla employees
# Also grant access to the org payload as a secret
- grant:
- queue:get-artifact:project/relman/bugzilla-dashboard/*
- secrets:get:project/relman/bugzilla-dashboard/org
to:
- groups:
- team_moco
# Bug 1607198 - grant access to coverity project. For now we start with one
# developer but should we ever need more, we can create a Mozillians group
- grant:
- secrets:set:project/relman/coverity
- secrets:set:project/relman/coverity-nss
to:
- group:
- code-review-developers
# Bug 1534463: allow `vpn_hg_admin` group to access Mercurial related secrets
- grant:
- secrets:set:project/taskcluster/gecko/hgfingerprint
- secrets:set:project/taskcluster/gecko/hgmointernal
- secrets:get:project/taskcluster/gecko/hgfingerprint
- secrets:get:project/taskcluster/gecko/hgmointernal
to:
- groups:
- vpn_hg_admin
# Code Analysis CI
- grant:
# Allow code-review developers to create tasks directly
- assume:repo:github.com/mozilla/code-review:pull-request
# Allow code-review developers to trigger their hooks
- hooks:trigger-hook:project-relman/code-review-*
to:
- group:
- code-review-developers
# Code Review runtime roles
# Project https://github.com/mozilla/code-review
# The Heroku apps can:
# - read their configuration in secrets
# - send report emails to admins
# - trigger the bot hook
- grant:
- notify:email:*
- hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*
to:
- roles:
- project:relman:code-review/runtime/testing
- project:relman:code-review/runtime/production
- grant:
- secrets:get:project/relman/code-review/runtime-testing
- hooks:trigger-hook:project-relman/code-review-testing
to:
- roles:
- project:relman:code-review/runtime/testing
- grant:
- secrets:get:project/relman/code-review/runtime-production
- hooks:trigger-hook:project-relman/code-review-production
to:
- roles:
- project:relman:code-review/runtime/production
- grant:
- secrets:get:project/relman/code-review/*
- secrets:set:project/relman/code-review/*
- queue:create-task:lowest:code-review/bot
to:
- group:
- code-review-developers
- grant:
# Grant taskcluster team permission to reset access tokens for nss workers
- auth:reset-access-token:project/nss-nspr/*
to:
- group:
- team_taskcluster
# Non-Moco Sheriffs-basic
# contributors in the Sheriffs group that need:
# * retriggering and rerunning tasks on production trees
# * dashboard showing CI automation tasks waiting for getting a machine
- grant:
- queue:rerun-task:gecko-level-*
to:
- group:
- non-moco-sheriffs-basic
# Glean team should be able to rerun tasks for the Glean releases powered by TC
- grant:
- hooks:trigger-hook:project-glean/in-tree-action-1-generic/*
- hooks:trigger-hook:project-glean/in-tree-action-3-generic/*
to:
- group:
- glean_team
# Bug 1604686: Token for gfx github sync, ability to set and get
- grant:
- secrets:get:project/webrender-ci/wrupdater-github-token
- secrets:set:project/webrender-ci/wrupdater-github-token
- secrets:get:gecko/gfx-github-sync/token
- secrets:set:gecko/gfx-github-sync/token
to:
- roles:
- mozillians-group:webrender-ci
# Mappings from `mozilla-group`s to `project-releng:ci-group`s
# This indirection exists because modifying `mozilla-group`s requires
# access to the root credentials.
- grant:
- assume:project:releng:ci-group:civet-sec-inf
to:
- roles:
- mozillians-group:civet-sec-inf
- grant:
- assume:project:releng:ci-group:updatebot-sec-inf
to:
- roles:
- mozillians-group:updatebot-sec-inf
- grant:
- assume:project:releng:ci-group:code-review-developers
to:
- roles:
- mozillians-group:code-review-developers
- grant:
- assume:project:releng:ci-group:mobile_releases
to:
- roles:
- mozilla-group:mobile_releases
- grant:
- assume:project:releng:ci-group:mobile_eng_ops
to:
- roles:
- mozilla-group:mobile_eng_ops
- grant:
- assume:project:releng:ci-group:mobile_test_ops
to:
- roles:
- mozilla-group:mobile_test_ops
- grant:
- assume:project:releng:ci-group:glean_team
to:
- roles:
- mozillians-group:glean_team
- grant:
- assume:project:releng:ci-group:team_moco
to:
- roles:
- mozilla-group:team_moco
- grant:
- assume:project:releng:ci-group:sheriff
to:
- roles:
- mozilla-group:sheriff
- grant:
- assume:project:releng:ci-group:perf_sheriff
to:
- roles:
- mozilla-group:perf_sheriff
- grant:
- assume:project:releng:ci-group:non-moco-sheriffs-basic
to:
- roles:
- mozillians-group:non-moco-sheriffs-basic
- grant:
- assume:project:releng:ci-group:team_taskcluster
to:
- roles:
- mozilla-group:team_taskcluster
- grant:
- assume:project:releng:ci-group:fxci_tc_admins
to:
- roles:
- mozilla-group:fxci_tc_admins
- grant:
- assume:project:releng:ci-group:team_services_ops
to:
- roles:
- mozilla-group:team_services_ops
- grant:
- assume:project:releng:ci-group:tooltooleditor-public
to:
- roles:
- mozilla-group:tooltooleditor-public
- grant:
- assume:project:releng:ci-group:tooltooleditor-internal
to:
- roles:
- mozilla-group:tooltooleditor-internal
- grant:
- assume:project:releng:ci-group:mozillaonline
to:
- roles:
- mozillians-group:fennec-china-build
- grant:
- assume:project:releng:ci-group:vpn_hg_admin
to:
- roles:
- mozilla-group:vpn_hg_admin
- grant:
- assume:project:releng:ci-group:thunderbird-sheriff
to:
- roles:
# Geoff Lankow (https://bugzilla.mozilla.org/show_bug.cgi?id=1520433)
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|geoff
# Magnus Melin (https://bugzilla.mozilla.org/show_bug.cgi?id=1605714)
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|mkmelin
# Patrick Cloke (https://bugzilla.mozilla.org/show_bug.cgi?id=1595942)
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|clokep
# Ian Neal (https://bugzilla.mozilla.org/show_bug.cgi?id=1595942)
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|iann_cvs
- grant:
- assume:project:releng:ci-group:thunderbird-releng
to:
- roles:
# Rob Lemley [:rjl] (https://bugzilla.mozilla.org/show_bug.cgi?id=1496783)
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|thunderbird
- grant:
- assume:project:releng:ci-group:team_mozillaonline
to:
- roles:
- mozilla-group:team_mozillaonline
- grant:
- assume:project:releng:ci-group:engworkflow
to:
- roles:
- mozillians-group:engworkflow
- grant:
- assume:project:releng:ci-group:shipit_firefox
to:
- roles:
- mozilla-group:shipit_firefox
# https://bugzilla.mozilla.org/show_bug.cgi?id=1659596
- grant:
- hooks:trigger-hook:project-mobile/in-tree-action-1-generic/*
- hooks:trigger-hook:project-mobile/in-tree-action-3-generic/*
to:
- roles:
- mozillians-group:android-components-developers
- grant:
- assume:project:releng:ci-group:perftest
to:
- roles:
- mozilla-group:perftest
# The 'anonymous' role defines scopes that are allowed for *any* API call; in other
# words, these define public access.
- grant:
- auth:current-scopes
- auth:expand-scopes
- auth:get-client:*
- auth:get-role:*
- auth:list-clients
- auth:list-roles
- github:get-badge:*
- github:get-repository:*
- github:latest-status:*
- github:list-builds
- hooks:get:*
- hooks:list-hooks:*
- hooks:list-last-fires:*
- hooks:status:*
- index:find-task:*
- index:list-namespaces:*
- index:list-tasks:*
- purge-cache:all-purge-requests
- purge-cache:purge-requests:*
- queue:create-task:project:none
- queue:get-artifact:public/*
- queue:get-provisioner:*
- queue:get-task:*
- queue:get-worker-type:*
- queue:get-worker:*
- queue:list-artifacts:*
- queue:list-dependent-tasks:*
- queue:list-provisioners
- queue:list-task-group:*
- queue:list-worker-types:*
- queue:list-workers:*
- queue:pending-count:*
- queue:status:*
- secrets:list-secrets
- worker-manager:get-worker-pool:*
- worker-manager:get-worker:*
- worker-manager:list-providers
- worker-manager:list-worker-pool-errors:*
- worker-manager:list-worker-pools
- worker-manager:list-workers:*
to:
- roles:
- anonymous
# These grants go directly to the mozilla-group roles, as those roles are
# the root of the available scopes.
- grant:
- assume:github-admin:*
- assume:hook-id:*
- assume:login-identity:*
- assume:moz-tree:*
- assume:mozillians-group:*
- assume:mozillians-user:*
- assume:project-admin:*
- assume:project:*
- assume:repo:*
- assume:worker-pool:*
- assume:worker-type:*
- auth:*
- docker-worker:*
- generic-worker:*
- github:*
- hooks:*
- in-tree:*
- index:*
- notify:*
- project:*
- purge-cache:*
- queue:*
- scheduler:*
- secrets:*
- worker-manager:*
- worker:*
to:
- roles:
- mozilla-group:team_relops
- mozilla-group:releng
- mozilla-group:fxci_tc_admins
- grant:
- assume:github-admin:*
- assume:hook-id:*
- assume:login-identity:*
- assume:moz-tree:*
- assume:mozillians-group:*
- assume:mozillians-user:*
- assume:project-admin:*
- assume:project:*
- assume:repo:*
- assume:worker-pool:*
- assume:worker-type:*
- auth:*
- docker-worker:*
- generic-worker:*
- github:*
- hooks:*
- in-tree:*
- index:*
- notify:*
- project:*
- purge-cache:*
- queue:*
- scheduler:*
- secrets:*
- worker-manager:*
- worker:*
to:
- roles:
- mozilla-group:team_taskcluster
environments: staging
# docker-worker AMI related: create tasks for every pool to see versions
- grant:
- queue:create-task:low:*
to:
- roles:
- mozilla-group:team_taskcluster
# Bug 1672397: Scopes to use Taskcluster notify service
- grant:
- notify:email:perftest-alerts@mozilla.com
- notify:email:dhunt@mozilla.com
- notify:email:beatrice.acasandrei@softvision.com
to:
- roles:
# Beatrice Acasandrei - Softvision Sheriff contributor
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|bacasandrei
- grant:
- generic-worker:allow-rdp:gecko-t/t-win*
to:
- roles:
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|mhentges
# Bug 1715817: Scopes to manage Azure images and workers
- grant:
- worker-manager:manage-worker-pool:gecko-t/win10-64-2004*
- worker-manager:provider:azure2
- worker-manager:provider:null-provider
- generic-worker:allow-rdp:gecko-t/win10-64-2004*
- worker-manager:remove-worker:gecko-t/win10-64-2004*
to:
- roles:
- login-identity:mozilla-auth0/ad|Mozilla-LDAP|michelle2
# Bug 1738050: secret scopes to perftest
- grant:
- secrets:set:project/perftest/*
- secrets:get:project/perftest/*
to:
- roles:
- mozilla-group:perftest