Bug 1274350 - Rewrite decision task generation to handle multiple platforms better r=me
authorTim Taubert <ttaubert@mozilla.com>
Thu, 02 Jun 2016 15:56:59 +0200
changeset 12235 79869bf0a32fc5121c2e2c594a6fdb14d1910c24
parent 12234 bd5fa88a8d4a525f7935fadbaa891eb9f40ae556
child 12236 917d14698a8a888d1d0d8bf8087c1cc56bfd8dca
push id1285
push userttaubert@mozilla.com
push dateThu, 02 Jun 2016 13:59:57 +0000
reviewersme
bugs1274350
Bug 1274350 - Rewrite decision task generation to handle multiple platforms better r=me
.taskcluster.yml
automation/taskcluster/graph/build.js
automation/taskcluster/graph/builds/clang-format.yml
automation/taskcluster/graph/builds/linux32-debug.yml
automation/taskcluster/graph/builds/linux32-opt.yml
automation/taskcluster/graph/builds/linux64-asan.yml
automation/taskcluster/graph/builds/linux64-debug.yml
automation/taskcluster/graph/builds/linux64-memleak.yml
automation/taskcluster/graph/builds/linux64-opt.yml
automation/taskcluster/graph/builds/win2012x64-debug.yml
automation/taskcluster/graph/builds/win2012x64-opt.yml
automation/taskcluster/graph/linux/_build_base.yml
automation/taskcluster/graph/linux/_test_base.yml
automation/taskcluster/graph/linux/build32-debug.yml
automation/taskcluster/graph/linux/build32-opt.yml
automation/taskcluster/graph/linux/build64-asan.yml
automation/taskcluster/graph/linux/build64-debug.yml
automation/taskcluster/graph/linux/build64-memleak.yml
automation/taskcluster/graph/linux/build64-opt.yml
automation/taskcluster/graph/tasks/cert.yml
automation/taskcluster/graph/tasks/chains.yml
automation/taskcluster/graph/tasks/cipher-win.yml
automation/taskcluster/graph/tasks/cipher.yml
automation/taskcluster/graph/tasks/crmf.yml
automation/taskcluster/graph/tasks/db.yml
automation/taskcluster/graph/tasks/ec-win.yml
automation/taskcluster/graph/tasks/ec.yml
automation/taskcluster/graph/tasks/fips.yml
automation/taskcluster/graph/tasks/gtests-win.yml
automation/taskcluster/graph/tasks/gtests.yml
automation/taskcluster/graph/tasks/lowhash.yml
automation/taskcluster/graph/tasks/memleak.yml
automation/taskcluster/graph/tasks/merge.yml
automation/taskcluster/graph/tasks/ocsp-win.yml
automation/taskcluster/graph/tasks/ocsp.yml
automation/taskcluster/graph/tasks/pkits.yml
automation/taskcluster/graph/tasks/pkix-win.yml
automation/taskcluster/graph/tasks/pkix.yml
automation/taskcluster/graph/tasks/sdr-win.yml
automation/taskcluster/graph/tasks/sdr.yml
automation/taskcluster/graph/tasks/smime.yml
automation/taskcluster/graph/tasks/ssl.yml
automation/taskcluster/graph/tasks/ssl_cycles.yml
automation/taskcluster/graph/tasks/tools.yml
automation/taskcluster/graph/tests/cert.yml
automation/taskcluster/graph/tests/chains.yml
automation/taskcluster/graph/tests/cipher.yml
automation/taskcluster/graph/tests/crmf.yml
automation/taskcluster/graph/tests/db.yml
automation/taskcluster/graph/tests/ec.yml
automation/taskcluster/graph/tests/fips.yml
automation/taskcluster/graph/tests/gtests.yml
automation/taskcluster/graph/tests/lowhash.yml
automation/taskcluster/graph/tests/memleak.yml
automation/taskcluster/graph/tests/merge.yml
automation/taskcluster/graph/tests/ocsp.yml
automation/taskcluster/graph/tests/pkits.yml
automation/taskcluster/graph/tests/pkix.yml
automation/taskcluster/graph/tests/sdr.yml
automation/taskcluster/graph/tests/smime.yml
automation/taskcluster/graph/tests/ssl.yml
automation/taskcluster/graph/tests/tools.yml
automation/taskcluster/graph/tools/clang-format.yml
automation/taskcluster/graph/windows/_build_base.yml
automation/taskcluster/graph/windows/_test_base.yml
automation/taskcluster/graph/windows/build64-debug.yml
automation/taskcluster/graph/windows/build64-opt.yml
--- a/.taskcluster.yml
+++ b/.taskcluster.yml
@@ -66,25 +66,19 @@ tasks:
       payload:
         image: "ttaubert/nss-ci:0.0.16"
 
         env:
           TC_OWNER: {{owner}}
           TC_SOURCE: {{{source}}}
           TC_REVISION: '{{revision}}'
           TC_REVISION_HASH: '{{revision_hash}}'
-          TC_DOCKER_IMAGE: "ttaubert/nss-ci:0.0.16"
-          TC_PROVISIONER_ID: "aws-provisioner-v1"
-          TC_WORKER_TYPE: "hg-worker"
           NSS_HEAD_REPOSITORY: '{{{url}}}'
           NSS_HEAD_REVISION: '{{revision}}'
 
-        features:
-          taskclusterProxy: true
-
         maxRunTime: 1800
 
         command:
           - bash
           - -cx
           - >
             bin/checkout.sh &&
             nss/automation/taskcluster/scripts/extend_task_graph.sh
--- a/automation/taskcluster/graph/build.js
+++ b/automation/taskcluster/graph/build.js
@@ -4,184 +4,162 @@
 
 var fs = require("fs");
 var path = require("path");
 var merge = require("merge");
 var yaml = require("js-yaml");
 var slugid = require("slugid");
 var flatmap = require("flatmap");
 
-var TC_WORKER_TYPE = process.env.TC_WORKER_TYPE || "hg-worker";
-var TC_PROVISIONER_ID = process.env.TC_PROVISIONER_ID || "aws-provisioner-v1";
-
 // Default values for debugging.
 var TC_REVISION = process.env.TC_REVISION || "{{tc_rev}}";
 var TC_REVISION_HASH = process.env.TC_REVISION_HASH || "{{tc_rev_hash}}";
-var TC_DOCKER_IMAGE = process.env.TC_DOCKER_IMAGE || "{{tc_docker_img}}";
 var TC_OWNER = process.env.TC_OWNER || "{{tc_owner}}";
 var TC_SOURCE = process.env.TC_SOURCE || "{{tc_source}}";
 var NSS_HEAD_REPOSITORY = process.env.NSS_HEAD_REPOSITORY || "{{nss_head_repo}}";
 var NSS_HEAD_REVISION = process.env.NSS_HEAD_REVISION || "{{nss_head_rev}}";
 
-// Point in time at $now + x hours.
-function from_now(hours) {
-  var d = new Date();
-  d.setHours(d.getHours() + (hours || 0));
-  return d.toJSON();
-}
-
 // Register custom YAML types.
 var YAML_SCHEMA = yaml.Schema.create([
+  // Point in time at $now + x hours.
   new yaml.Type('!from_now', {
     kind: "scalar",
 
     resolve: function (data) {
       return true;
     },
 
     construct: function (data) {
-      return from_now(data|0);
+      var d = new Date();
+      d.setHours(d.getHours() + (data|0));
+      return d.toJSON();
+    }
+  }),
+
+  // Environment variables.
+  new yaml.Type('!env', {
+    kind: "scalar",
+
+    resolve: function (data) {
+      return true;
+    },
+
+    construct: function (data) {
+      return process.env[data];
     }
   })
 ]);
 
-// Parse a directory containing YAML files.
-function parseDirectory(dir) {
-  var tasks = {};
+// Parse a given YAML file.
+function parseYamlFile(file, fallback) {
+  // Return fallback if the file doesn't exist.
+  if (!fs.existsSync(file) && fallback) {
+    return fallback;
+  }
+
+  // Otherwise, read the file or fail.
+  var source = fs.readFileSync(file, "utf-8");
+  return yaml.load(source, {schema: YAML_SCHEMA});
+}
+
+// Generate all tasks for a given build.
+function generateBuildTasks(platform, file) {
+  var dir = path.join(__dirname, "./" + platform);
+
+  // Parse base definitions.
+  var buildBase = parseYamlFile(path.join(dir, "_build_base.yml"), {});
+  var testBase = parseYamlFile(path.join(dir, "_test_base.yml"), {});
+
+  return flatmap(parseYamlFile(path.join(dir, file)), function (task) {
+    // Merge base build task definition with the current one.
+    var tasks = [task = merge.recursive(true, buildBase, task)];
+
+    // Assign random task id.
+    task.taskId = slugid.v4();
 
-  fs.readdirSync(dir).forEach(function (file) {
-    if (file.endsWith(".yml")) {
-      var source = fs.readFileSync(path.join(dir, file), "utf-8");
-      tasks[file.slice(0, -4)] = yaml.load(source, {schema: YAML_SCHEMA});
+    // Generate test tasks.
+    if (task.tests) {
+      // The base definition for all tests of this platform.
+      var base = merge.recursive(true, {
+        requires: [task.taskId],
+
+        task: {
+          payload: {
+            env: {
+              TC_PARENT_TASK_ID: task.taskId
+            }
+          }
+        }
+      }, testBase);
+
+      // Generate and append test task definitions.
+      tasks = tasks.concat(flatmap(task.tests, function (name) {
+        return generateTestTasks(name, base, task);
+      }));
+
+      // |tests| is not part of the schema.
+      delete task.tests;
     }
+
+    return tasks;
   });
-
-  return tasks;
 }
 
-// Generates a task using a given definition.
-function generateTasks(definition) {
-  var task = {
-    taskId: slugid.v4(),
-    reruns: 2,
-
-    task: task = {
-      created: from_now(0),
-      deadline: from_now(24),
-      provisionerId: TC_PROVISIONER_ID,
-      workerType: TC_WORKER_TYPE,
-      schedulerId: "task-graph-scheduler",
-
-      scopes: [
-        "queue:route:tc-treeherder-stage.nss." + TC_REVISION_HASH,
-        "queue:route:tc-treeherder.nss." + TC_REVISION_HASH,
-        "scheduler:extend-task-graph:*"
-      ],
-
-      routes: [
-        "tc-treeherder-stage.nss." + TC_REVISION_HASH,
-        "tc-treeherder.nss." + TC_REVISION_HASH
-      ],
+// Generate all tasks for a given test.
+function generateTestTasks(name, base, task) {
+  // Load test definitions.
+  var dir = path.join(__dirname, "./tests");
+  var tests = parseYamlFile(path.join(dir, name + ".yml"));
 
-      metadata: {
-        owner: TC_OWNER,
-        source: TC_SOURCE
-      },
-
-      payload: {
-        image: TC_DOCKER_IMAGE,
-        maxRunTime: 3600,
+  return tests.map(function (test) {
+    // Merge test with base definition.
+    test = merge.recursive(true, base, test);
 
-        env: {
-          NSS_HEAD_REPOSITORY: NSS_HEAD_REPOSITORY,
-          NSS_HEAD_REVISION: NSS_HEAD_REVISION
-        }
-      },
-
-      extra: {
-        treeherder: {
-          revision: TC_REVISION,
-          revision_hash: TC_REVISION_HASH
-        }
-      }
-    }
-  };
-
-  // Merge base task definition with the YAML one.
-  var tasks = [task = merge.recursive(true, task, definition)];
+    // Assign random task id.
+    test.taskId = slugid.v4();
 
-  // Generate dependent tasks.
-  if (task.dependents) {
-    // The base definition for all subtasks.
-    var base = {
-      requires: [task.taskId],
-
-      task: {
-        payload: {
-          env: {
-            TC_PARENT_TASK_ID: task.taskId
-          }
-        }
-      }
-    };
-
-    // We clone everything but the taskId, we need a new and unique one.
-    delete base.taskId;
-
-    // Iterate and generate all subtasks.
-    var subtasks = flatmap(task.dependents, function (name) {
-      if (!(name in TASKS)) {
-        throw new Error("Can't find task '" + name + "'");
-      }
-
-      return flatmap(TASKS[name], function (subtask) {
-        // Merge subtask with base definition.
-        var dependent = merge.recursive(true, subtask, base);
+    // We only want to carry over environment variables...
+    test.task.payload.env =
+      merge.recursive(true, task.task.payload.env,
+                            test.task.payload.env);
 
-        // We only want to carry over environment variables and
-        // TreeHerder configuration data.
-        dependent.task.payload.env =
-          merge.recursive(true, task.task.payload.env,
-                                dependent.task.payload.env);
-        dependent.task.extra.treeherder =
-          merge.recursive(true, task.task.extra.treeherder,
-                                dependent.task.extra.treeherder);
-
-        // Print all subtasks.
-        return generateTasks(dependent);
-      });
-    });
+    // ...and TreeHerder configuration data.
+    test.task.extra.treeherder =
+      merge.recursive(true, task.task.extra.treeherder,
+                            test.task.extra.treeherder);
 
-    // Append subtasks.
-    tasks = tasks.concat(subtasks);
-
-    // The dependents field is not part of the schema.
-    delete task.dependents;
-  }
-
-  // Convert env variables to strings.
-  tasks.forEach(function (task) {
-    var env = task.task.payload.env || {};
-    Object.keys(env).forEach(function (name) {
-      if (typeof(env[name]) != "undefined") {
-        env[name] = env[name] + "";
-      }
-    });
+    return test;
   });
-
-  return tasks;
 }
 
-// Parse YAML task definitions.
-var BUILDS = parseDirectory(path.join(__dirname, "./builds/"));
-var TASKS = parseDirectory(path.join(__dirname, "./tasks/"));
+// Generate all tasks for a given platform.
+function generatePlatformTasks(platform) {
+  var dir = path.join(__dirname, "./" + platform);
+  var buildBase = parseYamlFile(path.join(dir, "_build_base.yml"), {});
+  var testBase = parseYamlFile(path.join(dir, "_test_base.yml"), {});
+
+  // Parse all build tasks.
+  return flatmap(fs.readdirSync(dir), function (file) {
+    if (!file.startsWith("_") && file.endsWith(".yml")) {
+      var tasks = generateBuildTasks(platform, file);
 
+      // Convert env variables to strings.
+      tasks.forEach(function (task) {
+        var env = task.task.payload.env || {};
+        Object.keys(env).forEach(function (name) {
+          if (typeof(env[name]) != "undefined") {
+            env[name] = env[name] + "";
+          }
+        });
+      });
+
+      return tasks;
+    }
+  });
+}
+
+// Construct the task graph.
 var graph = {
-  // Use files in the "builds" directory as roots.
-  tasks: flatmap(Object.keys(BUILDS), function (name) {
-    return flatmap(BUILDS[name], function (build) {
-      return generateTasks(build);
-    });
-  })
+  tasks: flatmap(["linux", "windows", "tools"], generatePlatformTasks)
 };
 
 // Output the final graph.
 process.stdout.write(JSON.stringify(graph, null, 2));
deleted file mode 100644
--- a/automation/taskcluster/graph/builds/clang-format.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- task:
-    metadata:
-      name: "clang-format-3.8"
-      description: "clang-format-3.8"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_clang_format.sh nss/lib/ssl"
-
-    extra:
-      treeherder:
-        build:
-          platform: nss-tools
-        symbol: clang-format-3.8
-  reruns: 0
deleted file mode 100644
--- a/automation/taskcluster/graph/builds/linux64-memleak.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-- task:
-    metadata:
-      name: "Linux 64 (MemLeak, debug)"
-      description: "Linux 64 (MemLeak, debug)"
-
-    payload:
-      artifacts:
-        public:
-          type: directory
-          path: /home/worker/artifacts
-          expires: !from_now 24
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
-      env:
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
-        NSS_TESTS: "memleak"
-        USE_64: 1
-
-    extra:
-      treeherder:
-        build:
-          platform: linux64
-        collection:
-          memleak: true
-        symbol: B
-
-  dependents:
-    - memleak
deleted file mode 100644
--- a/automation/taskcluster/graph/builds/win2012x64-debug.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "Windows 2012 64 (debug)"
-      description: "Windows 2012 64 (debug)"
-
-    payload:
-      artifacts:
-        - type: directory
-          path: "public\\build"
-          expires: !from_now 24
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/build.sh"
-      env:
-        PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;c:\\Windows\\system32;c:\\mozilla-build\\upx391w;c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget"
-        NSS_ENABLE_TLS_1_3: 1
-        DOMSUF: localdomain
-        HOST: localhost
-        USE_64: 1
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        build:
-          platform: windows2012-64
-        collection:
-          debug: true
-        symbol: B
-
-  dependents:
-    - cipher-win
-    - ec-win
-    - gtests-win
-    - ocsp-win
-    - pkix-win
-    - sdr-win
deleted file mode 100644
--- a/automation/taskcluster/graph/builds/win2012x64-opt.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "Windows 2012 64 (opt)"
-      description: "Windows 2012 64 (opt)"
-
-    payload:
-      artifacts:
-        - type: directory
-          path: "public\\build"
-          expires: !from_now 24
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/build.sh"
-      env:
-        PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;c:\\Windows\\system32;c:\\mozilla-build\\upx391w;c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget"
-        NSS_ENABLE_TLS_1_3: 1
-        DOMSUF: localdomain
-        HOST: localhost
-        BUILD_OPT: 1
-        USE_64: 1
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        build:
-          platform: windows2012-64
-        collection:
-          opt: true
-        symbol: B
-
-  dependents:
-    - cipher-win
-    - ec-win
-    - gtests-win
-    - ocsp-win
-    - pkix-win
-    - sdr-win
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/linux/_build_base.yml
@@ -0,0 +1,40 @@
+---
+reruns: 2
+
+task:
+  created: !from_now 0
+  deadline: !from_now 24
+  provisionerId: aws-provisioner-v1
+  workerType: hg-worker
+  schedulerId: task-graph-scheduler
+
+  metadata:
+    owner: !env TC_OWNER
+    source: !env TC_SOURCE
+
+  payload:
+    maxRunTime: 3600
+    image: ttaubert/nss-ci:0.0.16
+
+    artifacts:
+      public:
+        type: directory
+        path: /home/worker/artifacts
+        expires: !from_now 24
+
+    command:
+      - "/bin/bash"
+      - "-c"
+      - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
+
+    env:
+      NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
+      NSS_HEAD_REVISION: !env NSS_HEAD_REVISION
+      GCC_VERSION: gcc-5
+      GXX_VERSION: g++-5
+
+  extra:
+    treeherder:
+      revision: !env TC_REVISION
+      revision_hash: !env TC_REVISION_HASH
+      symbol: B
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/linux/_test_base.yml
@@ -0,0 +1,22 @@
+---
+reruns: 2
+
+task:
+  created: !from_now 0
+  deadline: !from_now 24
+  provisionerId: aws-provisioner-v1
+  workerType: hg-worker
+  schedulerId: task-graph-scheduler
+
+  metadata:
+    owner: !env TC_OWNER
+    source: !env TC_SOURCE
+
+  payload:
+    maxRunTime: 3600
+    image: !env TC_DOCKER_IMAGE
+
+    command:
+      - "/bin/bash"
+      - "-c"
+      - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
rename from automation/taskcluster/graph/builds/linux32-debug.yml
rename to automation/taskcluster/graph/linux/build32-debug.yml
--- a/automation/taskcluster/graph/builds/linux32-debug.yml
+++ b/automation/taskcluster/graph/linux/build32-debug.yml
@@ -1,66 +1,71 @@
 ---
 - task:
     metadata:
       name: "Linux 32 (debug)"
       description: "Linux 32 (debug)"
 
     payload:
-      artifacts:
-        public:
-          type: directory
-          path: /home/worker/artifacts
-          expires: !from_now 24
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
 
     extra:
       treeherder:
         build:
           platform: linux32
         collection:
           debug: true
-        symbol: B
 
-  dependents:
+  tests:
     - cert
     - chains
     - cipher
     - crmf
     - db
     - ec
     - fips
     - gtests
     - lowhash
     - merge
     - ocsp
     - pkits
     - pkix
     - sdr
     - smime
+    - tools
+
+- task:
+    metadata:
+      name: "Linux 32 (debug, no TLS 1.3)"
+      description: "Linux 32 (debug, no TLS 1.3)"
+
+    payload:
+      env:
+        NSS_TESTS: ssl
+
+    extra:
+      treeherder:
+        build:
+          platform: linux32
+        collection:
+          debug: true
+        groupSymbol: Builds
+        groupName: Various builds
+        symbol: noTLSv1.3
+
+  tests:
     - ssl
-    - tools
 
 - task:
     metadata:
       name: "Linux 32 (debug, clang-3.8)"
       description: "Linux 32 (debug, clang-3.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: clang-3.8
         GXX_VERSION: clang++-3.8
 
     extra:
       treeherder:
         build:
@@ -72,20 +77,16 @@
         symbol: clang-3.8
 
 - task:
     metadata:
       name: "Linux 32 (debug, gcc-4.8)"
       description: "Linux 32 (debug, gcc-4.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-4.8
         GXX_VERSION: g++-4.8
 
     extra:
       treeherder:
         build:
@@ -97,20 +98,16 @@
         symbol: gcc-4.8
 
 - task:
     metadata:
       name: "Linux 32 (debug, gcc-6.1)"
       description: "Linux 32 (debug, gcc-6.1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-6
         GXX_VERSION: g++-6
 
     extra:
       treeherder:
         build:
@@ -122,51 +119,21 @@
         symbol: gcc-6.1
 
 - task:
     metadata:
       name: "Linux 32 (debug, NO_PKCS11_BYPASS=1)"
       description: "Linux 32 (debug, NO_PKCS11_BYPASS=1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         NO_PKCS11_BYPASS: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
 
     extra:
       treeherder:
         build:
           platform: linux32
         collection:
           debug: true
         groupSymbol: Builds
         groupName: Various builds
         symbol: noPkcs11Bypass
-
-- task:
-    metadata:
-      name: "Linux 32 (debug, no TLS 1.3)"
-      description: "Linux 32 (debug, no TLS 1.3)"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
-      env:
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
-
-    extra:
-      treeherder:
-        build:
-          platform: linux32
-        collection:
-          debug: true
-        groupSymbol: Builds
-        groupName: Various builds
-        symbol: noTLSv1.3
rename from automation/taskcluster/graph/builds/linux32-opt.yml
rename to automation/taskcluster/graph/linux/build32-opt.yml
--- a/automation/taskcluster/graph/builds/linux32-opt.yml
+++ b/automation/taskcluster/graph/linux/build32-opt.yml
@@ -1,67 +1,73 @@
 ---
 - task:
     metadata:
       name: "Linux 32 (opt)"
       description: "Linux 32 (opt)"
 
     payload:
-      artifacts:
-        public:
-          type: directory
-          path: /home/worker/artifacts
-          expires: !from_now 24
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
         BUILD_OPT: 1
 
     extra:
       treeherder:
         build:
           platform: linux32
         collection:
           opt: true
-        symbol: B
 
-  dependents:
+  tests:
     - cert
     - chains
     - cipher
     - crmf
     - db
     - ec
     - fips
     - gtests
     - lowhash
     - merge
     - ocsp
     - pkits
     - pkix
     - sdr
     - smime
+    - tools
+
+- task:
+    metadata:
+      name: "Linux 32 (opt, no TLS 1.3)"
+      description: "Linux 32 (opt, no TLS 1.3)"
+
+    payload:
+      env:
+        NSS_TESTS: ssl
+        BUILD_OPT: 1
+
+    extra:
+      treeherder:
+        build:
+          platform: linux32
+        collection:
+          opt: true
+        groupSymbol: Builds
+        groupName: Various builds
+        symbol: noTLSv1.3
+
+  tests:
     - ssl
-    - tools
 
 - task:
     metadata:
       name: "Linux 32 (opt, clang-3.8)"
       description: "Linux 32 (opt, clang-3.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: clang-3.8
         GXX_VERSION: clang++-3.8
         BUILD_OPT: 1
 
     extra:
       treeherder:
@@ -74,20 +80,16 @@
         symbol: clang-3.8
 
 - task:
     metadata:
       name: "Linux 32 (opt, gcc-4.8)"
       description: "Linux 32 (opt, gcc-4.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-4.8
         GXX_VERSION: g++-4.8
         BUILD_OPT: 1
 
     extra:
       treeherder:
@@ -100,20 +102,16 @@
         symbol: gcc-4.8
 
 - task:
     metadata:
       name: "Linux 32 (opt, gcc-6.1)"
       description: "Linux 32 (opt, gcc-6.1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-6
         GXX_VERSION: g++-6
         BUILD_OPT: 1
 
     extra:
       treeherder:
@@ -126,53 +124,22 @@
         symbol: gcc-6.1
 
 - task:
     metadata:
       name: "Linux 32 (opt, NO_PKCS11_BYPASS=1)"
       description: "Linux 32 (opt, NO_PKCS11_BYPASS=1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         NO_PKCS11_BYPASS: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
         BUILD_OPT: 1
 
     extra:
       treeherder:
         build:
           platform: linux32
         collection:
           opt: true
         groupSymbol: Builds
         groupName: Various builds
         symbol: noPkcs11Bypass
-
-- task:
-    metadata:
-      name: "Linux 32 (opt, no TLS 1.3)"
-      description: "Linux 32 (opt, no TLS 1.3)"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
-      env:
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
-        BUILD_OPT: 1
-
-    extra:
-      treeherder:
-        build:
-          platform: linux32
-        collection:
-          opt: true
-        groupSymbol: Builds
-        groupName: Various builds
-        symbol: noTLSv1.3
rename from automation/taskcluster/graph/builds/linux64-asan.yml
rename to automation/taskcluster/graph/linux/build64-asan.yml
--- a/automation/taskcluster/graph/builds/linux64-asan.yml
+++ b/automation/taskcluster/graph/linux/build64-asan.yml
@@ -1,49 +1,63 @@
 ---
 - task:
     metadata:
       name: "Linux 64 (ASan, debug)"
       description: "Linux 64 (ASan, debug)"
 
     payload:
-      artifacts:
-        public:
-          type: directory
-          path: /home/worker/artifacts
-          expires: !from_now 24
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: clang-3.8
         GXX_VERSION: clang++-3.8
         USE_ASAN: 1
         USE_64: 1
 
     extra:
       treeherder:
         build:
           platform: linux64
         collection:
           asan: true
-        symbol: B
 
-  dependents:
+  tests:
     - cert
     - chains
     - cipher
     - crmf
     - db
     - ec
     - fips
     - gtests
     - lowhash
     - merge
     - ocsp
     - pkits
     - pkix
     - sdr
     - smime
+    - tools
+
+- task:
+    metadata:
+      name: "Linux 64 (ASan, debug, no TLS 1.3)"
+      description: "Linux 64 (ASan, debug, no TLS 1.3)"
+
+    payload:
+      env:
+        GCC_VERSION: clang-3.8
+        GXX_VERSION: clang++-3.8
+        NSS_TESTS: ssl
+        USE_ASAN: 1
+        USE_64: 1
+
+    extra:
+      treeherder:
+        build:
+          platform: linux64
+        collection:
+          asan: true
+        groupSymbol: SSL
+        groupName: SSL tests
+
+  tests:
     - ssl
-    - tools
rename from automation/taskcluster/graph/builds/linux64-debug.yml
rename to automation/taskcluster/graph/linux/build64-debug.yml
--- a/automation/taskcluster/graph/builds/linux64-debug.yml
+++ b/automation/taskcluster/graph/linux/build64-debug.yml
@@ -1,67 +1,73 @@
 ---
 - task:
     metadata:
       name: "Linux 64 (debug)"
       description: "Linux 64 (debug)"
 
     payload:
-      artifacts:
-        public:
-          type: directory
-          path: /home/worker/artifacts
-          expires: !from_now 24
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
         USE_64: 1
 
     extra:
       treeherder:
         build:
           platform: linux64
         collection:
           debug: true
-        symbol: B
 
-  dependents:
+  tests:
     - cert
     - chains
     - cipher
     - crmf
     - db
     - ec
     - fips
     - gtests
     - lowhash
     - merge
     - ocsp
     - pkits
     - pkix
     - sdr
     - smime
+    - tools
+
+- task:
+    metadata:
+      name: "Linux 64 (debug, no TLS 1.3)"
+      description: "Linux 64 (debug, no TLS 1.3)"
+
+    payload:
+      env:
+        NSS_TESTS: ssl
+        USE_64: 1
+
+    extra:
+      treeherder:
+        build:
+          platform: linux64
+        collection:
+          debug: true
+        groupSymbol: Builds
+        groupName: Various builds
+        symbol: noTLSv1.3
+
+  tests:
     - ssl
-    - tools
 
 - task:
     metadata:
       name: "Linux 64 (debug, clang-3.8)"
       description: "Linux 64 (debug, clang-3.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: clang-3.8
         GXX_VERSION: clang++-3.8
         USE_64: 1
 
     extra:
       treeherder:
@@ -74,20 +80,16 @@
         symbol: clang-3.8
 
 - task:
     metadata:
       name: "Linux 64 (debug, gcc-4.8)"
       description: "Linux 64 (debug, gcc-4.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-4.8
         GXX_VERSION: g++-4.8
         USE_64: 1
 
     extra:
       treeherder:
@@ -100,20 +102,16 @@
         symbol: gcc-4.8
 
 - task:
     metadata:
       name: "Linux 64 (debug, gcc-6.1)"
       description: "Linux 64 (debug, gcc-6.1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-6
         GXX_VERSION: g++-6
         USE_64: 1
 
     extra:
       treeherder:
@@ -126,53 +124,22 @@
         symbol: gcc-6.1
 
 - task:
     metadata:
       name: "Linux 64 (debug, NO_PKCS11_BYPASS=1)"
       description: "Linux 64 (debug, NO_PKCS11_BYPASS=1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         NO_PKCS11_BYPASS: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
         USE_64: 1
 
     extra:
       treeherder:
         build:
           platform: linux64
         collection:
           debug: true
         groupSymbol: Builds
         groupName: Various builds
         symbol: noPkcs11Bypass
-
-- task:
-    metadata:
-      name: "Linux 64 (debug, no TLS 1.3)"
-      description: "Linux 64 (debug, no TLS 1.3)"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
-      env:
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
-        USE_64: 1
-
-    extra:
-      treeherder:
-        build:
-          platform: linux64
-        collection:
-          debug: true
-        groupSymbol: Builds
-        groupName: Various builds
-        symbol: noTLSv1.3
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/linux/build64-memleak.yml
@@ -0,0 +1,20 @@
+---
+- task:
+    metadata:
+      name: "Linux 64 (MemLeak, debug)"
+      description: "Linux 64 (MemLeak, debug)"
+
+    payload:
+      env:
+        NSS_TESTS: memleak
+        USE_64: 1
+
+    extra:
+      treeherder:
+        build:
+          platform: linux64
+        collection:
+          memleak: true
+
+  tests:
+    - memleak
rename from automation/taskcluster/graph/builds/linux64-opt.yml
rename to automation/taskcluster/graph/linux/build64-opt.yml
--- a/automation/taskcluster/graph/builds/linux64-opt.yml
+++ b/automation/taskcluster/graph/linux/build64-opt.yml
@@ -1,68 +1,75 @@
 ---
 - task:
     metadata:
       name: "Linux 64 (opt)"
       description: "Linux 64 (opt)"
 
     payload:
-      artifacts:
-        public:
-          type: directory
-          path: /home/worker/artifacts
-          expires: !from_now 24
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
         BUILD_OPT: 1
         USE_64: 1
 
     extra:
       treeherder:
         build:
           platform: linux64
         collection:
           opt: true
-        symbol: B
 
-  dependents:
+  tests:
     - cert
     - chains
     - cipher
     - crmf
     - db
     - ec
     - fips
     - gtests
     - lowhash
     - merge
     - ocsp
     - pkits
     - pkix
     - sdr
     - smime
+    - tools
+
+- task:
+    metadata:
+      name: "Linux 64 (opt, no TLS 1.3)"
+      description: "Linux 64 (opt, no TLS 1.3)"
+
+    payload:
+      env:
+        NSS_TESTS: ssl
+        BUILD_OPT: 1
+        USE_64: 1
+
+    extra:
+      treeherder:
+        build:
+          platform: linux64
+        collection:
+          opt: true
+        groupSymbol: Builds
+        groupName: Various builds
+        symbol: noTLSv1.3
+
+  tests:
     - ssl
-    - tools
 
 - task:
     metadata:
       name: "Linux 64 (opt, clang-3.8)"
       description: "Linux 64 (opt, clang-3.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: clang-3.8
         GXX_VERSION: clang++-3.8
         BUILD_OPT: 1
         USE_64: 1
 
     extra:
@@ -76,20 +83,16 @@
         symbol: clang-3.8
 
 - task:
     metadata:
       name: "Linux 64 (opt, gcc-4.8)"
       description: "Linux 64 (opt, gcc-4.8)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-4.8
         GXX_VERSION: g++-4.8
         BUILD_OPT: 1
         USE_64: 1
 
     extra:
@@ -103,20 +106,16 @@
         symbol: gcc-4.8
 
 - task:
     metadata:
       name: "Linux 64 (opt, gcc-6.1)"
       description: "Linux 64 (opt, gcc-6.1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         GCC_VERSION: gcc-6
         GXX_VERSION: g++-6
         BUILD_OPT: 1
         USE_64: 1
 
     extra:
@@ -130,55 +129,23 @@
         symbol: gcc-6.1
 
 - task:
     metadata:
       name: "Linux 64 (opt, NO_PKCS11_BYPASS=1)"
       description: "Linux 64 (opt, NO_PKCS11_BYPASS=1)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       env:
         NSS_ENABLE_TLS_1_3: 1
         NO_PKCS11_BYPASS: 1
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
         BUILD_OPT: 1
         USE_64: 1
 
     extra:
       treeherder:
         build:
           platform: linux64
         collection:
           opt: true
         groupSymbol: Builds
         groupName: Various builds
         symbol: noPkcs11Bypass
-
-- task:
-    metadata:
-      name: "Linux 64 (opt, no TLS 1.3)"
-      description: "Linux 64 (opt, no TLS 1.3)"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
-      env:
-        GCC_VERSION: gcc-5
-        GXX_VERSION: g++-5
-        BUILD_OPT: 1
-        USE_64: 1
-
-    extra:
-      treeherder:
-        build:
-          platform: linux64
-        collection:
-          opt: true
-        groupSymbol: Builds
-        groupName: Various builds
-        symbol: noTLSv1.3
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/cert.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "Cert tests"
-      description: "Cert tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "cert"
-
-    extra:
-      treeherder:
-        symbol: Cert
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/chains.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "Chains tests"
-      description: "Chains tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "chains"
-
-    extra:
-      treeherder:
-        symbol: Chains
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/cipher-win.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "Cipher tests"
-      description: "Cipher tests"
-
-    payload:
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/run_tests.sh"
-      env:
-        NSS_TESTS: "cipher"
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        symbol: Cipher
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/cipher.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "Cipher tests"
-      description: "Cipher tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "cipher"
-
-    extra:
-      treeherder:
-        symbol: Cipher
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/crmf.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "CRMF tests"
-      description: "CRMF tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "crmf"
-
-    extra:
-      treeherder:
-        symbol: CRMF
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/db.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "DB tests"
-      description: "DB tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "dbtests"
-
-    extra:
-      treeherder:
-        symbol: DB
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/ec-win.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "EC tests"
-      description: "EC tests"
-
-    payload:
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/run_tests.sh"
-      env:
-        NSS_TESTS: "ec"
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        symbol: EC
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/ec.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "EC tests"
-      description: "EC tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "ec"
-
-    extra:
-      treeherder:
-        symbol: EC
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/fips.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "FIPS tests"
-      description: "FIPS tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "fips"
-
-    extra:
-      treeherder:
-        symbol: FIPS
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/gtests-win.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "GTests"
-      description: "GTests"
-
-    payload:
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/run_tests.sh"
-      env:
-        NSS_TESTS: "ssl_gtests gtests"
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        symbol: GTest
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/gtests.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "GTests"
-      description: "GTests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "ssl_gtests gtests"
-
-    extra:
-      treeherder:
-        symbol: GTest
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/lowhash.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "Lowhash tests"
-      description: "Lowhash tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "lowhash"
-
-    extra:
-      treeherder:
-        symbol: Lowhash
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/merge.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "Merge tests"
-      description: "Merge tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "merge"
-
-    extra:
-      treeherder:
-        symbol: Merge
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/ocsp-win.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "OCSP tests"
-      description: "OCSP tests"
-
-    payload:
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/run_tests.sh"
-      env:
-        NSS_TESTS: "ocsp"
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        symbol: OCSP
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/ocsp.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "OCSP tests"
-      description: "OCSP tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "ocsp"
-
-    extra:
-      treeherder:
-        symbol: OCSP
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/pkits.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "NIST PKITS tests"
-      description: "NIST PKITS tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "pkits"
-
-    extra:
-      treeherder:
-        symbol: PKITS
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/pkix-win.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "libpkix tests"
-      description: "libpkix tests"
-
-    payload:
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/run_tests.sh"
-      env:
-        NSS_TESTS: "libpkix"
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        symbol: PKIX
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/pkix.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "libpkix tests"
-      description: "libpkix tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "libpkix"
-
-    extra:
-      treeherder:
-        symbol: PKIX
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/sdr-win.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- task:
-    workerType: ttaubert-win2012r2
-
-    metadata:
-      name: "SDR tests"
-      description: "SDR tests"
-
-    payload:
-      command:
-        - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
-        - "time /t && bash -c nss/automation/taskcluster/windows/run_tests.sh"
-      env:
-        NSS_TESTS: "sdr"
-      image: !!js/undefined
-
-    extra:
-      treeherder:
-        symbol: SDR
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/sdr.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "SDR tests"
-      description: "SDR tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "sdr"
-
-    extra:
-      treeherder:
-        symbol: SDR
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/smime.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "S/MIME tests"
-      description: "S/MIME tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "smime"
-
-    extra:
-      treeherder:
-        symbol: SMIME
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/ssl.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-- task:
-    metadata:
-      name: "SSL tests"
-      description: "SSL tests"
-
-    payload:
-      artifacts:
-        public:
-          type: directory
-          path: /home/worker/artifacts
-          expires: !from_now 24
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
-      env:
-        NSS_ENABLE_TLS_1_3: !!js/undefined # override
-        NSS_TESTS: "ssl"
-
-    extra:
-      treeherder:
-        groupSymbol: SSL
-        groupName: SSL tests
-        symbol: B
-
-  dependents:
-    - ssl_cycles
deleted file mode 100644
--- a/automation/taskcluster/graph/tasks/tools.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- task:
-    metadata:
-      name: "Tools tests"
-      description: "Tools tests"
-
-    payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-      env:
-        NSS_TESTS: "tools"
-
-    extra:
-      treeherder:
-        symbol: Tools
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/cert.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: Cert tests
+      description: Cert tests
+
+    payload:
+      env:
+        NSS_TESTS: cert
+
+    extra:
+      treeherder:
+        symbol: Cert
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/chains.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: Chains tests
+      description: Chains tests
+
+    payload:
+      env:
+        NSS_TESTS: chains
+
+    extra:
+      treeherder:
+        symbol: Chains
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/cipher.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: Cipher tests
+      description: Cipher tests
+
+    payload:
+      env:
+        NSS_TESTS: cipher
+
+    extra:
+      treeherder:
+        symbol: Cipher
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/crmf.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: CRMF tests
+      description: CRMF tests
+
+    payload:
+      env:
+        NSS_TESTS: crmf
+
+    extra:
+      treeherder:
+        symbol: CRMF
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/db.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: DB tests
+      description: DB tests
+
+    payload:
+      env:
+        NSS_TESTS: dbtests
+
+    extra:
+      treeherder:
+        symbol: DB
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/ec.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: EC tests
+      description: EC tests
+
+    payload:
+      env:
+        NSS_TESTS: ec
+
+    extra:
+      treeherder:
+        symbol: EC
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/fips.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: FIPS tests
+      description: FIPS tests
+
+    payload:
+      env:
+        NSS_TESTS: fips
+
+    extra:
+      treeherder:
+        symbol: FIPS
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/gtests.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: GTests
+      description: GTests
+
+    payload:
+      env:
+        NSS_TESTS: ssl_gtests gtests
+
+    extra:
+      treeherder:
+        symbol: GTest
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/lowhash.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: Lowhash tests
+      description: Lowhash tests
+
+    payload:
+      env:
+        NSS_TESTS: lowhash
+
+    extra:
+      treeherder:
+        symbol: Lowhash
rename from automation/taskcluster/graph/tasks/memleak.yml
rename to automation/taskcluster/graph/tests/memleak.yml
--- a/automation/taskcluster/graph/tasks/memleak.yml
+++ b/automation/taskcluster/graph/tests/memleak.yml
@@ -1,256 +1,204 @@
 ---
 - task:
     metadata:
       name: "MemLeak tests (ocsp)"
       description: "MemLeak tests (ocsp)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
-        NSS_MEMLEAK_TESTS: "ocsp"
+        NSS_MEMLEAK_TESTS: ocsp
 
     extra:
       treeherder:
         symbol: ocsp
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_server, standard)"
       description: "MemLeak tests (ssl_server, standard)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_server"
         NSS_CYCLES: "standard"
 
     extra:
       treeherder:
         groupSymbol: Server
         groupName: MemLeak tests (ssl_server)
         symbol: standard
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_server, pkix)"
       description: "MemLeak tests (ssl_server, pkix)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_server"
         NSS_CYCLES: "pkix"
 
     extra:
       treeherder:
         groupSymbol: Server
         groupName: MemLeak tests (ssl_server)
         symbol: pkix
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_server, sharedb)"
       description: "MemLeak tests (ssl_server, sharedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_server"
         NSS_CYCLES: "sharedb"
 
     extra:
       treeherder:
         groupSymbol: Server
         groupName: MemLeak tests (ssl_server)
         symbol: sharedb
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_server, upgradedb)"
       description: "MemLeak tests (ssl_server, upgradedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_server"
         NSS_CYCLES: "upgradedb"
 
     extra:
       treeherder:
         groupSymbol: Server
         groupName: MemLeak tests (ssl_server)
         symbol: upgradedb
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_client, standard)"
       description: "MemLeak tests (ssl_client, standard)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_client"
         NSS_CYCLES: "standard"
 
     extra:
       treeherder:
         groupSymbol: Client
         groupName: MemLeak tests (ssl_client)
         symbol: standard
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_client, pkix)"
       description: "MemLeak tests (ssl_client, pkix)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_client"
         NSS_CYCLES: "pkix"
 
     extra:
       treeherder:
         groupSymbol: Client
         groupName: MemLeak tests (ssl_client)
         symbol: pkix
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_client, sharedb)"
       description: "MemLeak tests (ssl_client, sharedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_client"
         NSS_CYCLES: "sharedb"
 
     extra:
       treeherder:
         groupSymbol: Client
         groupName: MemLeak tests (ssl_client)
         symbol: sharedb
 
 - task:
     metadata:
       name: "MemLeak tests (ssl_client, upgradedb)"
       description: "MemLeak tests (ssl_client, upgradedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "ssl_client"
         NSS_CYCLES: "upgradedb"
 
     extra:
       treeherder:
         groupSymbol: Client
         groupName: MemLeak tests (ssl_client)
         symbol: upgradedb
 
 - task:
     metadata:
       name: "MemLeak tests (chains, standard)"
       description: "MemLeak tests (chains, standard)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "chains"
         NSS_CYCLES: "standard"
 
     extra:
       treeherder:
         groupSymbol: Chains
         groupName: MemLeak tests (chains)
         symbol: standard
 
 - task:
     metadata:
       name: "MemLeak tests (chains, pkix)"
       description: "MemLeak tests (chains, pkix)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "chains"
         NSS_CYCLES: "pkix"
 
     extra:
       treeherder:
         groupSymbol: Chains
         groupName: MemLeak tests (chains)
         symbol: pkix
 
 - task:
     metadata:
       name: "MemLeak tests (chains, sharedb)"
       description: "MemLeak tests (chains, sharedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "chains"
         NSS_CYCLES: "sharedb"
 
     extra:
       treeherder:
         groupSymbol: Chains
         groupName: MemLeak tests (chains)
         symbol: sharedb
 
 - task:
     metadata:
       name: "MemLeak tests (chains, upgradedb)"
       description: "MemLeak tests (chains, upgradedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_MEMLEAK_TESTS: "chains"
         NSS_CYCLES: "upgradedb"
 
     extra:
       treeherder:
         groupSymbol: Chains
         groupName: MemLeak tests (chains)
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/merge.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: Merge tests
+      description: Merge tests
+
+    payload:
+      env:
+        NSS_TESTS: merge
+
+    extra:
+      treeherder:
+        symbol: Merge
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/ocsp.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: OCSP tests
+      description: OCSP tests
+
+    payload:
+      env:
+        NSS_TESTS: ocsp
+
+    extra:
+      treeherder:
+        symbol: OCSP
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/pkits.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: NIST PKITS tests
+      description: NIST PKITS tests
+
+    payload:
+      env:
+        NSS_TESTS: pkits
+
+    extra:
+      treeherder:
+        symbol: PKITS
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/pkix.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: libpkix tests
+      description: libpkix tests
+
+    payload:
+      env:
+        NSS_TESTS: libpkix
+
+    extra:
+      treeherder:
+        symbol: PKIX
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/sdr.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: SDR tests
+      description: SDR tests
+
+    payload:
+      env:
+        NSS_TESTS: sdr
+
+    extra:
+      treeherder:
+        symbol: SDR
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/smime.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: S/MIME tests
+      description: S/MIME tests
+
+    payload:
+      env:
+        NSS_TESTS: smime
+
+    extra:
+      treeherder:
+        symbol: SMIME
rename from automation/taskcluster/graph/tasks/ssl_cycles.yml
rename to automation/taskcluster/graph/tests/ssl.yml
--- a/automation/taskcluster/graph/tasks/ssl_cycles.yml
+++ b/automation/taskcluster/graph/tests/ssl.yml
@@ -1,69 +1,61 @@
 ---
 - task:
     metadata:
       name: "SSL tests (standard)"
       description: "SSL tests (standard)"
 
     payload:
       maxRunTime: 7200
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_CYCLES: "standard"
 
     extra:
       treeherder:
         symbol: standard
+        groupSymbol: SSL
+        groupName: SSL tests
 
 - task:
     metadata:
       name: "SSL tests (pkix)"
       description: "SSL tests (pkix)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_CYCLES: "pkix"
 
     extra:
       treeherder:
         symbol: pkix
+        groupSymbol: SSL
+        groupName: SSL tests
 
 - task:
     metadata:
       name: "SSL tests (sharedb)"
       description: "SSL tests (sharedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_CYCLES: "sharedb"
 
     extra:
       treeherder:
         symbol: sharedb
+        groupSymbol: SSL
+        groupName: SSL tests
 
 - task:
     metadata:
       name: "SSL tests (upgradedb)"
       description: "SSL tests (upgradedb)"
 
     payload:
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
       env:
         NSS_CYCLES: "upgradedb"
 
     extra:
       treeherder:
         symbol: upgradedb
+        groupSymbol: SSL
+        groupName: SSL tests
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tests/tools.yml
@@ -0,0 +1,13 @@
+---
+- task:
+    metadata:
+      name: Tools tests
+      description: Tools tests
+
+    payload:
+      env:
+        NSS_TESTS: tools
+
+    extra:
+      treeherder:
+        symbol: Tools
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/tools/clang-format.yml
@@ -0,0 +1,35 @@
+---
+- reruns: 0
+  task:
+    created: !from_now 0
+    deadline: !from_now 24
+    provisionerId: aws-provisioner-v1
+    workerType: hg-worker
+    schedulerId: task-graph-scheduler
+
+    metadata:
+      owner: !env TC_OWNER
+      source: !env TC_SOURCE
+      name: clang-format-3.8
+      description: clang-format-3.8
+
+    payload:
+      maxRunTime: 3600
+      image: ttaubert/nss-ci:0.0.16
+
+      command:
+        - "/bin/bash"
+        - "-c"
+        - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_clang_format.sh nss/lib/ssl"
+
+      env:
+        NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
+        NSS_HEAD_REVISION: !env NSS_HEAD_REVISION
+
+    extra:
+      treeherder:
+        build:
+          platform: nss-tools
+        symbol: clang-format-3.8
+        revision: !env TC_REVISION
+        revision_hash: !env TC_REVISION_HASH
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/windows/_build_base.yml
@@ -0,0 +1,38 @@
+---
+reruns: 2
+
+task:
+  created: !from_now 0
+  deadline: !from_now 24
+  provisionerId: aws-provisioner-v1
+  workerType: ttaubert-win2012r2
+  schedulerId: task-graph-scheduler
+
+  metadata:
+    owner: !env TC_OWNER
+    source: !env TC_SOURCE
+
+  payload:
+    maxRunTime: 3600
+
+    artifacts:
+      - type: directory
+        path: "public\\build"
+        expires: !from_now 24
+
+    command:
+      - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
+      - "time /t && bash -c nss/automation/taskcluster/windows/build.sh"
+
+    env:
+      PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;c:\\Windows\\system32;c:\\mozilla-build\\upx391w;c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget"
+      NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
+      NSS_HEAD_REVISION: !env NSS_HEAD_REVISION
+      DOMSUF: localdomain
+      HOST: localhost
+
+  extra:
+    treeherder:
+      revision: !env TC_REVISION
+      revision_hash: !env TC_REVISION_HASH
+      symbol: B
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/windows/_test_base.yml
@@ -0,0 +1,20 @@
+---
+reruns: 2
+
+task:
+  created: !from_now 0
+  deadline: !from_now 24
+  provisionerId: aws-provisioner-v1
+  workerType: ttaubert-win2012r2
+  schedulerId: task-graph-scheduler
+
+  metadata:
+    owner: !env TC_OWNER
+    source: !env TC_SOURCE
+
+  payload:
+    maxRunTime: 3600
+
+    command:
+      - "time /t && hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
+      - "time /t && bash -c nss/automation/taskcluster/windows/run_tests.sh"
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/windows/build64-debug.yml
@@ -0,0 +1,25 @@
+---
+- task:
+    metadata:
+      name: "Windows 2012 64 (debug)"
+      description: "Windows 2012 64 (debug)"
+
+    payload:
+      env:
+        NSS_ENABLE_TLS_1_3: 1
+        USE_64: 1
+
+    extra:
+      treeherder:
+        build:
+          platform: windows2012-64
+        collection:
+          debug: true
+
+  tests:
+    - cipher
+    - ec
+    - gtests
+    - ocsp
+    - pkix
+    - sdr
new file mode 100644
--- /dev/null
+++ b/automation/taskcluster/graph/windows/build64-opt.yml
@@ -0,0 +1,26 @@
+---
+- task:
+    metadata:
+      name: "Windows 2012 64 (opt)"
+      description: "Windows 2012 64 (opt)"
+
+    payload:
+      env:
+        NSS_ENABLE_TLS_1_3: 1
+        BUILD_OPT: 1
+        USE_64: 1
+
+    extra:
+      treeherder:
+        build:
+          platform: windows2012-64
+        collection:
+          opt: true
+
+  tests:
+    - cipher
+    - ec
+    - gtests
+    - ocsp
+    - pkix
+    - sdr