Bug 1613281 - Port bug 1562412: multi-step macOS signing and notarization. r=darktrojan
authorRob Lemley <rob@thunderbird.net>
Wed, 26 Feb 2020 13:03:57 +0200
changeset 28853 0498fb268e27f56d3d67b7cef3e6eae54a2f63d5
parent 28852 b8fd942d5dccc7b135e65204238aa43a3d551877
child 28854 f666055d952578464a012089ff80287153f87b10
push id17073
push usermkmelin@iki.fi
push dateWed, 26 Feb 2020 11:05:00 +0000
reviewersdarktrojan
bugs1613281, 1562412
Bug 1613281 - Port bug 1562412: multi-step macOS signing and notarization. r=darktrojan Port of the work being done in bug 1562412.
taskcluster/ci/build-notarization-part-1/kind.yml
taskcluster/ci/build-notarization-poller/kind.yml
taskcluster/ci/build-signing/kind.yml
taskcluster/ci/config.yml
taskcluster/ci/shippable-l10n-notarization-part-1/kind.yml
taskcluster/ci/shippable-l10n-notarization-poller/kind.yml
taskcluster/ci/shippable-l10n-signing/kind.yml
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/build-notarization-part-1/kind.yml
@@ -0,0 +1,27 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+    - taskgraph.transforms.name_sanity:transforms
+    - taskgraph.transforms.build_signing:transforms
+    - taskgraph.transforms.signing:transforms
+    - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+    - build
+
+only-for-attributes:
+    - shippable
+    - nightly
+
+only-for-build-platforms:
+    - macosx64-shippable/opt
+    - macosx64-nightly/opt
+
+job-template:
+    treeherder:
+        symbol: BN
+    enable-signing-routes: false
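Review bot: The `transforms:` list in this new kind omits `comm_taskgraph.transforms.signing:transforms`, which both `build-signing/kind.yml` and `shippable-l10n-notarization-part-1/kind.yml` in this commit run after `taskgraph.transforms.task:transforms`. That transform's body is not visible here, so this is an inference, but if it applies Thunderbird-specific signing settings, the en-US notarization submission would be built with upstream defaults only. Either add `- comm_taskgraph.transforms.signing:transforms` as the last entry, or leave a comment such as `# comm signing transform intentionally omitted: <reason>` so the difference is visibly deliberate.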
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/build-notarization-poller/kind.yml
@@ -0,0 +1,19 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+    - taskgraph.transforms.mac_notarization_poller:transforms
+    - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+    - build-notarization-part-1
+
+job-template:
+    treeherder:
+        symbol: BN-poll
+    description-suffix: 'Mac Notarization Poller'
+    worker:
+        implementation: notarization-poller
--- a/taskcluster/ci/build-signing/kind.yml
+++ b/taskcluster/ci/build-signing/kind.yml
@@ -1,20 +1,28 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ---
-loader: taskgraph.loader.single_dep:loader
+loader: taskgraph.loader.multi_dep:loader
+
+group-by: platform
 
 transforms:
     - taskgraph.transforms.name_sanity:transforms
+    - taskgraph.transforms.upstream_artifact_task:transforms
     - taskgraph.transforms.build_signing:transforms
     - taskgraph.transforms.signing:transforms
     - taskgraph.transforms.task:transforms
     - comm_taskgraph.transforms.signing:transforms
 
 kind-dependencies:
     - build
+    - build-notarization-part-1
+    - build-notarization-poller
+
+primary-dependency:
+    - build
 
 only-for-attributes:
     - nightly
     - shippable
     - enable-build-signing
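Review bot: Nothing in this file explains why the signing kind now depends on two notarization kinds, and that ordering is what keeps a macOS build from being finalized before the poller reports back. A comment above `kind-dependencies:` would make the contract explicit, for example `# macOS only: final signing waits for build-notarization-poller to confirm the part-1 submission; other platforms depend on build alone.` The macOS-only scope is inferred from `only-for-build-platforms` in `build-notarization-part-1/kind.yml`, so confirm it before committing that wording. The same comment is missing from the parallel change in `shippable-l10n-signing/kind.yml`. The file continues past the end of this hunk.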
--- a/taskcluster/ci/config.yml
+++ b/taskcluster/ci/config.yml
@@ -135,22 +135,27 @@ workers:
             implementation: scriptworker-signing
             os: linux
             worker-type:
                 by-release-level:
                     production: comm-3-signing
                     staging: comm-t-signing
         mac-depsigning:
             provisioner: scriptworker-prov-v1
-            implementation: scriptworker-iscript
+            implementation: scriptworker-signing
             os: macosx
             worker-type: tb-depsigning-mac-v1
+        mac-notarization-poller:
+            provisioner: scriptworker-prov-v1
+            implementation: notarization-poller
+            os: macosx
+            worker-type: tb-mac-notarization-poller
         mac-signing:
             provisioner: scriptworker-prov-v1
-            implementation: scriptworker-iscript
+            implementation: scriptworker-signing
             os: macosx
             worker-type:
                 by-release-level:
                     production: tb-signing-mac-v1
                     staging: tb-depsigning-mac-v1
         tree:
             provisioner: scriptworker-k8s
             implementation: treescript
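Review bot: The new `mac-notarization-poller` alias pins a single `worker-type: tb-mac-notarization-poller`, while `mac-signing` directly below it splits production and staging pools with `by-release-level`. As written, tasks of every release level land on the same poller pool. If those workers hold the notarization credentials (not visible in this hunk), level separation then rests entirely on scopes defined elsewhere. If one pool is intended, record it with a comment like `# single pool for all release levels; access is restricted by scopes`; otherwise mirror the `by-release-level` structure used by `mac-signing`.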
@@ -187,20 +192,18 @@ workers:
         misc:
             provisioner: comm-t
             implementation: docker-worker
             os: linux
             worker-type: misc
 
 mac-notarization:
     mac-behavior:
-        by-release-type:
-            nightly.*: mac_notarize
-            beta.*: mac_notarize
-            release.*: mac_notarize
+        by-project:
+            comm-(central|beta|esr.*): mac_notarize
             default: mac_sign_and_pkg
     mac-entitlements:
         by-platform:
             macosx64.*:
                 by-release-level:
                     production: comm/build/macosx/hardenedruntime/production.entitlements.xml
                     default: comm/build/macosx/hardenedruntime/developer.entitlements.xml
             default: ''
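Review bot: With `by-project`, any project that does not match `comm-(central|beta|esr.*)` falls through silently to `default: mac_sign_and_pkg`. A release repository that is added or renamed later would therefore produce builds that are signed but not notarized, with no error raised. The removed `by-release-type` keys did not depend on repository names. A comment above the pattern would flag this for whoever adds the next branch, e.g. `# Projects not matched here are signed and packaged but NOT notarized; update when adding a release repo.` It is also worth confirming that the key is matched as an anchored pattern, so that only the intended repositories select `mac_notarize`.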
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/shippable-l10n-notarization-part-1/kind.yml
@@ -0,0 +1,27 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: taskgraph.loader.multi_dep:loader
+
+group-by: chunk-locales
+
+transforms:
+    - taskgraph.transforms.name_sanity:transforms
+    - taskgraph.transforms.shippable_l10n_signing:transforms
+    - taskgraph.transforms.signing:transforms
+    - taskgraph.transforms.task:transforms
+    - comm_taskgraph.transforms.signing:transforms
+
+kind-dependencies:
+    - shippable-l10n
+
+only-for-build-platforms:
+    - macosx64-shippable/opt
+    - macosx64-nightly/opt
+
+job-template:
+    treeherder:
+        symbol: BN
+    attributes:
+        shipping_phase: promote
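Review bot: This `job-template` leaves out `enable-signing-routes: false`, which the en-US counterpart `build-notarization-part-1/kind.yml` sets. Part 1 produces an intermediate artifact whose notarization has not yet been confirmed. If the signing transform adds index routes by default (an assumption, since the transform is not shown), those routes would point at that intermediate output. Consider adding `enable-signing-routes: false` under `job-template:`, or a comment saying why the l10n repacks do not need it.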
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/shippable-l10n-notarization-poller/kind.yml
@@ -0,0 +1,19 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+    - taskgraph.transforms.mac_notarization_poller:transforms
+    - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+    - shippable-l10n-notarization-part-1
+
+job-template:
+    description-suffix: 'Mac Notarization Poller'
+    worker:
+        implementation: notarization-poller
+    attributes:
+        shipping_phase: promote
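Review bot: Unlike `build-notarization-poller/kind.yml`, which sets `treeherder: symbol: BN-poll`, this `job-template` has no `treeherder` entry. Unless `taskgraph.transforms.mac_notarization_poller` supplies one (not visible here), the l10n poller tasks may not appear in Treeherder, which makes a stuck or rejected notarization harder to notice. If the omission is deliberate, a short comment such as `# treeherder symbol is derived by the poller transform` would say so; otherwise add a `treeherder:` block with a symbol distinct from the en-US one.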
--- a/taskcluster/ci/shippable-l10n-signing/kind.yml
+++ b/taskcluster/ci/shippable-l10n-signing/kind.yml
@@ -1,19 +1,27 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ---
-loader: taskgraph.loader.single_dep:loader
+loader: taskgraph.loader.multi_dep:loader
+
+group-by: chunk-locales
 
 transforms:
     - taskgraph.transforms.name_sanity:transforms
+    - taskgraph.transforms.upstream_artifact_task:transforms
     - taskgraph.transforms.shippable_l10n_signing:transforms
     - taskgraph.transforms.signing:transforms
     - taskgraph.transforms.task:transforms
     - comm_taskgraph.transforms.signing:transforms
 
 kind-dependencies:
     - shippable-l10n
+    - shippable-l10n-notarization-part-1
+    - shippable-l10n-notarization-poller
+
+primary-dependency:
+    - shippable-l10n
 
 only-for-attributes:
     - nightly
     - shippable