Bug 1513000 - Sign openh264 binaries. r=tomprince
authorJustin Wood <Callek@gmail.com>
Fri, 01 Mar 2019 02:18:29 +0000
changeset 519729 81a50b35b482f6a24a3231ffcd7766381012035a
parent 519728 9ce8f26f311b014e4a5c2c140b52859fd1ffdb2b
child 519730 26021d8ebb2772d070b99969757ef22b73a1d21f
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
treeherdermozilla-beta@a2e7f5c935da [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstomprince
bugs1513000
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1513000 - Sign openh264 binaries. r=tomprince Differential Revision: https://phabricator.services.mozilla.com/D20763
taskcluster/ci/openh264-plugin/kind.yml
taskcluster/ci/openh264-signing/kind.yml
taskcluster/docs/kinds.rst
taskcluster/taskgraph/transforms/openh264_signing.py
taskcluster/taskgraph/util/treeherder.py
--- a/taskcluster/ci/openh264-plugin/kind.yml
+++ b/taskcluster/ci/openh264-plugin/kind.yml
@@ -17,16 +17,18 @@ job-defaults:
     description: "Build OpenH264 plugin"
     treeherder:
         kind: build
         symbol: h264
         tier: 2
     run-on-projects: []
     repo: 'https://github.com/cisco/openh264.git'
     revision: '2e1774ab6dc6c43debb0b5b628bdf122a391d521'
+    worker:
+        chain-of-trust: true
 
 jobs:
     linux32/opt:
         attributes:
             build_platform: linux32
             build_type: opt
         treeherder:
             platform: linux32/opt
@@ -125,17 +127,17 @@ jobs:
             using: mozharness
             script: mozharness/scripts/openh264_build.py
             config:
                 - openh264/win64.py
         toolchains:
             - win64-clang-cl
     android-api-16/opt:
         attributes:
-            build_platform: android
+            build_platform: android-arm
             build_type: opt
         treeherder:
             platform: android-api-16/opt
         worker-type: aws-provisioner-v1/gecko-{level}-b-android
         worker:
             max-run-time: 1800
             artifacts:
                 - name: private/openh264
@@ -152,17 +154,17 @@ jobs:
                 - openh264/android-arm.py
             tooltool-downloads: internal
         toolchains:
             - android-ndk-linux
             - android-sdk-linux
             - linux64-clang
     android-aarch64/opt:
         attributes:
-            build_platform: android
+            build_platform: android-aarch64
             build_type: opt
         treeherder:
             platform: android-5-0-aarch64/opt
         worker-type: aws-provisioner-v1/gecko-{level}-b-android
         worker:
             max-run-time: 1800
             artifacts:
                 - name: private/openh264
@@ -179,17 +181,17 @@ jobs:
                 - openh264/android-aarch64.py
             tooltool-downloads: internal
         toolchains:
             - android-ndk-linux
             - android-sdk-linux
             - linux64-clang
     android-x86/opt:
         attributes:
-            build_platform: android
+            build_platform: android-x86
             build_type: opt
         treeherder:
             platform: android-4-2-x86/opt
         worker-type: aws-provisioner-v1/gecko-{level}-b-android
         worker:
             max-run-time: 1800
             artifacts:
                 - name: private/openh264
@@ -206,17 +208,17 @@ jobs:
                 - openh264/android-x86.py
             tooltool-downloads: internal
         toolchains:
             - android-ndk-linux
             - android-sdk-linux
             - linux64-clang
     android-x86_64/opt:
         attributes:
-            build_platform: android
+            build_platform: android-x86_64
             build_type: opt
         treeherder:
             platform: android-5-0-x86_64/opt
         worker-type: aws-provisioner-v1/gecko-{level}-b-android
         worker:
             max-run-time: 1800
             artifacts:
                 - name: private/openh264
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/openh264-signing/kind.yml
@@ -0,0 +1,13 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+   - taskgraph.transforms.name_sanity:transforms
+   - taskgraph.transforms.openh264_signing:transforms
+   - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+   - openh264-plugin
--- a/taskcluster/docs/kinds.rst
+++ b/taskcluster/docs/kinds.rst
@@ -526,16 +526,20 @@ taskcluster/ci/diffoscope/kind.yml for y
 addon
 -----
 Tasks used to build/package add-ons.
 
 openh264-plugin
 -----
 Tasks used to build the openh264 plugin.
 
+openh264-signing
+----------------
+Signing for the openh264 plugin.
+
 webrender
 ---------
 Tasks used to do testing of WebRender standalone (without gecko). The
 WebRender code lives in gfx/wr and has its own testing infrastructure.
 
 instrumented-build
 ------------------
 Tasks that generate builds with PGO instrumentation enabled. This is an
new file mode 100644
--- /dev/null
+++ b/taskcluster/taskgraph/transforms/openh264_signing.py
@@ -0,0 +1,104 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"""
+Transform the repackage signing task into an actual task description.
+"""
+
+from __future__ import absolute_import, print_function, unicode_literals
+
+from taskgraph.loader.single_dep import schema
+from taskgraph.transforms.base import TransformSequence
+from taskgraph.util.attributes import copy_attributes_from_dependent_job
+from taskgraph.util.scriptworker import (
+    add_scope_prefix,
+    get_signing_cert_scope_per_platform,
+    get_worker_type_for_scope,
+)
+from taskgraph.util.treeherder import inherit_treeherder_from_dep
+from taskgraph.transforms.task import task_description_schema
+from voluptuous import Required, Optional
+
+transforms = TransformSequence()
+
+signing_description_schema = schema.extend({
+    Required('depname', default='repackage'): basestring,
+    Optional('label'): basestring,
+    Optional('extra'): object,
+    Optional('shipping-product'): task_description_schema['shipping-product'],
+    Optional('shipping-phase'): task_description_schema['shipping-phase'],
+})
+
+transforms.add_validate(signing_description_schema)
+
+
+@transforms.add
+def make_signing_description(config, jobs):
+    for job in jobs:
+        dep_job = job['primary-dependency']
+        attributes = dep_job.attributes
+        build_platform = dep_job.attributes.get('build_platform')
+        is_nightly = True  # cert_scope_per_platform uses this to choose the right cert
+
+        description = (
+            "Signing of OpenH264 Binaries for '"
+            "{build_platform}/{build_type}'".format(
+                build_platform=attributes.get('build_platform'),
+                build_type=attributes.get('build_type')
+            )
+        )
+
+        # we have a genuine repackage job as our parent
+        dependencies = {"openh264": dep_job.label}
+
+        my_attributes = copy_attributes_from_dependent_job(dep_job)
+
+        signing_cert_scope = get_signing_cert_scope_per_platform(
+            build_platform, is_nightly, config
+        )
+
+        scopes = [signing_cert_scope]
+
+        if 'win' in build_platform:
+            # job['primary-dependency'].task['payload']['command']
+            scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
+            formats = ['sha2signcode']
+        else:
+            scopes.append(add_scope_prefix(config, 'signing:format:gpg'))
+            formats = ['gpg']
+
+        rev = attributes['openh264_rev']
+        upstream_artifacts = [{
+            "taskId": {"task-reference": "<openh264>"},
+            "taskType": "build",
+            "paths": [
+                "private/openh264/openh264-{}-{}.zip".format(build_platform, rev),
+            ],
+            "formats": formats
+        }]
+
+        treeherder = inherit_treeherder_from_dep(job, dep_job)
+        treeherder.setdefault('symbol', _generate_treeherder_symbol(
+            dep_job.task.get('extra', {}).get('treeherder', {}).get('symbol')
+        ))
+
+        task = {
+            'label': job['label'],
+            'description': description,
+            'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
+            'worker': {'implementation': 'scriptworker-signing',
+                       'upstream-artifacts': upstream_artifacts,
+                       'max-run-time': 3600},
+            'scopes': scopes,
+            'dependencies': dependencies,
+            'attributes': my_attributes,
+            'run-on-projects': dep_job.attributes.get('run_on_projects'),
+            'treeherder': treeherder
+        }
+
+        yield task
+
+
+def _generate_treeherder_symbol(build_symbol):
+    symbol = build_symbol + 's'
+    return symbol
--- a/taskcluster/taskgraph/util/treeherder.py
+++ b/taskcluster/taskgraph/util/treeherder.py
@@ -30,8 +30,26 @@ def add_suffix(treeherder_symbol, suffix
     symbol += str(suffix)
     return join_symbol(group, symbol)
 
 
 def replace_group(treeherder_symbol, new_group):
     """Add a suffix to a treeherder symbol that may contain a group."""
     _, symbol = split_symbol(treeherder_symbol)
     return join_symbol(new_group, symbol)
+
+
+def inherit_treeherder_from_dep(job, dep_job):
+    """Inherit treeherder defaults from dep_job"""
+    treeherder = job.get('treeherder', {})
+
+    dep_th_platform = dep_job.task.get('extra', {}).get(
+        'treeherder', {}).get('machine', {}).get('platform', '')
+    # XXX Doesn't yet support non-opt
+    treeherder.setdefault('platform',
+                          "{}/opt".format(dep_th_platform))
+    treeherder.setdefault(
+        'tier',
+        dep_job.task.get('extra', {}).get('treeherder', {}).get('tier', 1)
+    )
+    # Does not set symbol
+    treeherder.setdefault('kind', 'build')
+    return treeherder