Taskcluster: use a dedicated role for scopes granted to decision tasks

This commit is contained in:
Simon Sapin 2018-10-30 10:10:29 +01:00
parent a5cce280f1
commit 46f9312d0c
2 changed files with 13 additions and 7 deletions


@ -23,14 +23,8 @@ tasks:
owner: &task_owner ${event.pusher.name}@users.noreply.github.com
source: &task_source ${event.compare}
scopes:
- "queue:scheduler-id:taskcluster-github"
# Granted to role "repo:github.com/servo/servo:branch:*"
- "queue:create-task:highest:aws-provisioner-v1/servo-*"
- "queue:create-task:highest:proj-servo/*"
- "queue:route:index.project.servo.servo.*"
- "docker-worker:cache:servo-*"
- "docker-worker:capability:privileged"
- "assume:project:servo:decision-task/trusted"
payload:
maxRunTime: {$eval: '20 * 60'}
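Review bot: the new `scopes` list requests `assume:project:servo:decision-task/trusted` for every task this file produces, while the README hunk in this same commit says pull-request tasks are only meant to receive the `base` role; confirm that the role used for pull-request events actually grants this `assume:` scope, or that the scope is narrowed for pull-request events, otherwise the requested scope would not be satisfied for those tasks. The surviving comment `# Granted to role "repo:github.com/servo/servo:branch:*"` should also be reworded so it describes the single `assume:` scope that is now listed beneath it rather than the per-scope list it used to annotate.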


@ -149,12 +149,24 @@ Servo admins have scope `auth:update-role:repo:github.com/servo/*` which allows
to edit that role in the web UI and grant more scopes to these tasks
(if that person has the new scope themselves).
The [`project:servo:decision-task/base`][base]
and [`project:servo:decision-task/trusted`][trusted] roles
centralize the set of scopes granted to the decision task.
This avoids maintaining them seprately in the `repo:…` roles,
in the `hook-id:…` role,
and in the `taskcluster.yml` file.
Only the `base` role is granted to tasks executed when a pull request is opened.
These tasks are less trusted because they run before the code has been reviewed,
and anyone can open a PR.
[Scopes]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/scopes
[web UI]: https://tools.taskcluster.net/
[credentials]: https://tools.taskcluster.net/credentials
[Roles]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/roles
[expand]: https://docs.taskcluster.net/docs/reference/platform/taskcluster-auth/docs/roles
[branches]: https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2Fservo%2Fservo%3Abranch%3A*
[base]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Fbase
[trusted]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Ftrusted
## Daily tasks
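Review bot: the paragraph starting "Servo admins have scope `auth:update-role:repo:github.com/servo/*`" documents who can edit the `repo:…` roles, but the two roles introduced here, `project:servo:decision-task/base` and `project:servo:decision-task/trusted`, sit under the `project:servo:` prefix, which that scope does not cover; add a sentence stating which scope (for example an `auth:update-role:project:servo:*` style scope, to be confirmed against the actual role configuration) is needed to edit the new roles, since whoever can edit `trusted` can grant `docker-worker:capability:privileged` and the other scopes to every decision task. Minor: "seprately" should be "separately", and "which allows to edit that role" reads better as "which allows editing that role"; the `hook-id:…` role is mentioned but, unlike the other roles, has no link reference in the list at the bottom.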