Bug 1534463: give tasks access to `hgmointernal` Taskcluster secret r=tomprince
authorConnor Sheehan <sheehan@mozilla.com>
Wed, 27 Mar 2019 18:47:21 +0000
changeset 469042 a498ba7a09923f330946451283cb149037183904
parent 469041 eda5854cd7e880b43d0e89f38d581c9314216137
child 469043 3595f2b4875f91c5267186a32b983d82aa9b0881
push id35856
push usercsabou@mozilla.com
push dateFri, 12 Apr 2019 03:19:48 +0000
treeherdermozilla-central@940684cd1065 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstomprince
bugs1534463
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1534463: give tasks access to `hgmointernal` Taskcluster secret r=tomprince Now that we have added the necessary scopes to `ci-configuration`, we can add the in-tree scopes to give tasks access to the `hgmointernal` config Taskcluster secret. Differential Revision: https://phabricator.services.mozilla.com/D25001
taskcluster/taskgraph/actions/create_interactive.py
taskcluster/taskgraph/transforms/docker_image.py
taskcluster/taskgraph/transforms/job/common.py
--- a/taskcluster/taskgraph/actions/create_interactive.py
+++ b/taskcluster/taskgraph/actions/create_interactive.py
@@ -45,18 +45,18 @@ task. You may need to wait for it to beg
 # their own level.
 #
 # Interactive tasks must not have any routes that might make them appear
 # in the index to be used by other production tasks.
 #
 # Interactive tasks should not be able to write to any docker-worker caches.
 
 SCOPE_WHITELIST = [
-    # this is not actually secret, and just about everything needs it
-    re.compile(r'^secrets:get:project/taskcluster/gecko/hgfingerprint$'),
+    # these are not actually secrets, and just about everything needs them
+    re.compile(r'^secrets:get:project/taskcluster/gecko/(hgfingerprint|hgmointernal)$'),
     # public downloads are OK
     re.compile(r'^docker-worker:relengapi-proxy:tooltool.download.public$'),
     # level-appropriate secrets are generally necessary to run a task; these
     # also are "not that secret" - most of them are built into the resulting
     # binary and could be extracted by someone with `strings`.
     re.compile(r'^secrets:get:project/releng/gecko/build/level-[0-9]/\*'),
     # ptracing is generally useful for interactive tasks, too!
     re.compile(r'^docker-worker:feature:allowPtrace$'),
--- a/taskcluster/taskgraph/transforms/docker_image.py
+++ b/taskcluster/taskgraph/transforms/docker_image.py
@@ -146,17 +146,20 @@ def fill_template(config, tasks):
 
         # include some information that is useful in reconstructing this task
         # from JSON
         taskdesc = {
             'label': 'build-docker-image-' + image_name,
             'description': description,
             'attributes': {'image_name': image_name},
             'expires-after': '28 days' if config.params.is_try() else '1 year',
-            'scopes': ['secrets:get:project/taskcluster/gecko/hgfingerprint'],
+            'scopes': [
+                'secrets:get:project/taskcluster/gecko/hgfingerprint',
+                'secrets:get:project/taskcluster/gecko/hgmointernal',
+            ],
             'treeherder': {
                 'symbol': job_symbol,
                 'platform': 'taskcluster-images/opt',
                 'kind': 'other',
                 'tier': 1,
             },
             'run-on-projects': [],
             'worker-type': 'aws-provisioner-v1/gecko-{}-images'.format(
--- a/taskcluster/taskgraph/transforms/job/common.py
+++ b/taskcluster/taskgraph/transforms/job/common.py
@@ -144,16 +144,17 @@ def support_vcs_checkout(config, job, ta
             'COMM_HEAD_REV': config.params['comm_head_rev'],
         })
     elif job['run'].get('comm-checkout', False):
         raise Exception("Can't checkout from comm-* repository if not given a repository.")
 
     # Give task access to hgfingerprint secret so it can pin the certificate
     # for hg.mozilla.org.
     taskdesc['scopes'].append('secrets:get:project/taskcluster/gecko/hgfingerprint')
+    taskdesc['scopes'].append('secrets:get:project/taskcluster/gecko/hgmointernal')
 
     # only some worker platforms have taskcluster-proxy enabled
     if job['worker']['implementation'] in ('docker-worker',):
         taskdesc['worker']['taskcluster-proxy'] = True
 
 
 def generic_worker_hg_commands(base_repo, head_repo, head_rev, path,
                                sparse_profile=None):