Bug 1324413 - Lock image content hash for decision task; r=dustin
authorJonas Finnemann Jensen <jopsen@gmail.com>
Thu, 15 Dec 2016 17:16:14 -0800
changeset 326546 4bd7d95379f640887531f12ecacec9c137c39ac0
parent 326545 cf1a77997e44ff7aa0fcdc18f4a0e687a926f02c
child 326547 b47c66fceb4418f17305352bbed2d4c2e4015fb5
push id84987
push userkwierso@gmail.com
push dateTue, 20 Dec 2016 19:48:07 +0000
treeherdermozilla-inbound@bc8c475f7e0a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdustin
bugs1324413
milestone53.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1324413 - Lock image content hash for decision task; r=dustin This will make harder to falsify a decision task. Notably our validation code only needs to verify that the definition of the decision task as given here matches what is used in the task definition in the Chain-Of-Trust artifact, in order to prove that the decision task is a result of what ran in the tree. MozReview-Commit-ID: 4SRO7G1nyyL
.taskcluster.yml
--- a/.taskcluster.yml
+++ b/.taskcluster.yml
@@ -80,18 +80,18 @@ tasks:
         cache:
           level-{{level}}-checkouts: /home/worker/checkouts
 
         features:
           taskclusterProxy: true
           chainOfTrust: true
 
         # Note: This task is built server side without the context or tooling that
-        # exist in tree so we must hard code the version
-        image: 'taskcluster/decision:0.1.7'
+        # exist in tree so we must hard code the hash
+        image: 'taskcluster/decision@sha256:0f59f922d86c471e208b7ea08ab077fc68c3920ed5e6895d69a23e8f3457dc24'
 
         maxRunTime: 1800
 
         # TODO use mozilla-unified for the base repository once the tc-vcs
         # tar.gz archives are created or tc-vcs isn't being used.
         command:
           - /home/worker/bin/run-task
           - '--vcs-checkout=/home/worker/checkouts/gecko'