Bug 1430958 - Set docker-image as a chain-of-trust input centrally. r=dustin
authorMike Hommey <mh+mozilla@glandium.org>
Wed, 17 Jan 2018 12:05:56 +0900
changeset 453865 11489f123eb8bcb6bf0ea1e78cc11866925e0046
parent 453864 46f721d7988bcc0bd1cbf22854d40abd0cf1c2b2
child 453866 a5075d2577012fcf220bd89d6715df274efed291
push id1648
push usermtabara@mozilla.com
push dateThu, 01 Mar 2018 12:45:47 +0000
treeherdermozilla-release@cbb9688c2eeb [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdustin
bugs1430958, 1430037, 1384430
milestone59.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1430958 - Set docker-image as a chain-of-trust input centrally. r=dustin Relying on the various transforms setting it manually is error prone, and, in fact, is why bug 1430037 busted beta. This change makes this setting happen at a single place. This yields the same full task graph as before, except for *more* chain-of-trust inputs being set now: they were missing for toolchain tasks (which makes us closer to bug 1384430).
taskcluster/taskgraph/transforms/build.py
taskcluster/taskgraph/transforms/google_play_strings.py
taskcluster/taskgraph/transforms/l10n.py
taskcluster/taskgraph/transforms/partials.py
taskcluster/taskgraph/transforms/repackage.py
taskcluster/taskgraph/transforms/task.py
--- a/taskcluster/taskgraph/transforms/build.py
+++ b/taskcluster/taskgraph/transforms/build.py
@@ -21,23 +21,16 @@ def set_defaults(config, jobs):
         job['treeherder'].setdefault('kind', 'build')
         job['treeherder'].setdefault('tier', 1)
         _, worker_os = worker_type_implementation(job['worker-type'])
         worker = job.setdefault('worker', {})
         worker.setdefault('env', {})
         if worker_os == "linux":
             worker.setdefault('docker-image', {'in-tree': 'desktop-build'})
             worker['chain-of-trust'] = True
-            extra = job.setdefault('extra', {})
-            extra.setdefault('chainOfTrust', {})
-            extra['chainOfTrust'].setdefault('inputs', {})
-            if 'in-tree' in worker['docker-image']:
-                extra['chainOfTrust']['inputs']['docker-image'] = {
-                    "task-reference": "<docker-image>"
-                }
         elif worker_os == "windows":
             worker['chain-of-trust'] = True
 
         yield job
 
 
 @transforms.add
 def set_env(config, jobs):
--- a/taskcluster/taskgraph/transforms/google_play_strings.py
+++ b/taskcluster/taskgraph/transforms/google_play_strings.py
@@ -53,12 +53,9 @@ def set_worker_data(config, jobs):
         worker = job['worker']
 
         env = worker.setdefault('env', {})
         resolve_keyed_by(
             env, 'PACKAGE_NAME', item_name=job['name'],
             project=config.params['project']
         )
 
-        cot = job.setdefault('extra', {}).setdefault('chainOfTrust', {})
-        cot.setdefault('inputs', {})['docker-image'] = {'task-reference': '<docker-image>'}
-
         yield job
--- a/taskcluster/taskgraph/transforms/l10n.py
+++ b/taskcluster/taskgraph/transforms/l10n.py
@@ -378,26 +378,16 @@ def mh_options_replace_project(config, j
         job['mozharness']['options'] = map(
             lambda x: x.format(project=config.params['project']),
             job['mozharness']['options']
             )
         yield job
 
 
 @transforms.add
-def chain_of_trust(config, jobs):
-    for job in jobs:
-        # add the docker image to the chain of trust inputs in task.extra
-        if not job['worker-type'].endswith("-b-win2012"):
-            cot = job.setdefault('extra', {}).setdefault('chainOfTrust', {})
-            cot.setdefault('inputs', {})['docker-image'] = {"task-reference": "<docker-image>"}
-        yield job
-
-
-@transforms.add
 def validate_again(config, jobs):
     for job in jobs:
         validate_schema(l10n_description_schema, job,
                         "In job {!r}:".format(job.get('name', 'unknown')))
         yield job
 
 
 @transforms.add
--- a/taskcluster/taskgraph/transforms/partials.py
+++ b/taskcluster/taskgraph/transforms/partials.py
@@ -105,19 +105,16 @@ def make_task_description(config, jobs):
                 partial_info['product'] = builds[build]['product']
             if 'previousVersion' in builds[build]:
                 partial_info['previousVersion'] = builds[build]['previousVersion']
             if 'previousBuildNumber' in builds[build]:
                 partial_info['previousBuildNumber'] = builds[build]['previousBuildNumber']
             extra['funsize']['partials'].append(partial_info)
             update_number += 1
 
-        cot = extra.setdefault('chainOfTrust', {})
-        cot.setdefault('inputs', {})['docker-image'] = {"task-reference": "<docker-image>"}
-
         mar_channel_id = None
         if config.params['project'] == 'mozilla-beta':
             if 'devedition' in label:
                 mar_channel_id = 'firefox-mozilla-aurora'
             else:
                 mar_channel_id = 'firefox-mozilla-beta'
         elif config.params['project'] == 'mozilla-release':
             mar_channel_id = 'firefox-mozilla-release'
--- a/taskcluster/taskgraph/transforms/repackage.py
+++ b/taskcluster/taskgraph/transforms/repackage.py
@@ -158,19 +158,16 @@ def make_job_description(config, jobs):
             else:
                 raise NotImplementedError(
                     'Unsupported build_platform: "{}"'.format(build_platform)
                 )
 
             run['tooltool-downloads'] = 'internal'
             worker['docker-image'] = {"in-tree": "desktop-build"}
 
-            cot = job.setdefault('extra', {}).setdefault('chainOfTrust', {})
-            cot.setdefault('inputs', {})['docker-image'] = {"task-reference": "<docker-image>"}
-
         description = (
             "Repackaging for locale '{locale}' for build '"
             "{build_platform}/{build_type}'".format(
                 locale=attributes.get('locale', 'en-US'),
                 build_platform=attributes.get('build_platform'),
                 build_type=attributes.get('build_type')
             )
         )
--- a/taskcluster/taskgraph/transforms/task.py
+++ b/taskcluster/taskgraph/transforms/task.py
@@ -1557,16 +1557,29 @@ def build_task(config, tasks):
             'task': task_def,
             'dependencies': task.get('dependencies', {}),
             'attributes': attributes,
             'optimization': task.get('optimization', None),
         }
 
 
 @transforms.add
+def chain_of_trust(config, tasks):
+    for task in tasks:
+        if task['task'].get('payload', {}).get('features', {}).get('chainOfTrust'):
+            image = task.get('dependencies', {}).get('docker-image')
+            if image:
+                cot = task['task'].setdefault('extra', {}).setdefault('chainOfTrust', {})
+                cot.setdefault('inputs', {})['docker-image'] = {
+                    'task-reference': '<docker-image>'
+                }
+        yield task
+
+
+@transforms.add
 def check_task_identifiers(config, tasks):
     """Ensures that all tasks have well defined identifiers:
        ^[a-zA-Z0-9_-]{1,22}$
     """
     e = re.compile("^[a-zA-Z0-9_-]{1,22}$")
     for task in tasks:
         for attr in ('workerType', 'provisionerId'):
             if not e.match(task['task'][attr]):