Taskcluster: use a dedicated role for scopes granted to decision tasks

Simon Sapin 2018-10-30 10:10:29 +01:00
parent a5cce280f1
commit 46f9312d0c
2 changed files with 13 additions and 7 deletions


@ -23,14 +23,8 @@ tasks:
owner: &task_owner ${event.pusher.name}@users.noreply.github.com owner: &task_owner ${event.pusher.name}@users.noreply.github.com
source: &task_source ${event.compare} source: &task_source ${event.compare}
scopes: scopes:
- "queue:scheduler-id:taskcluster-github"
# Granted to role "repo:github.com/servo/servo:branch:*" # Granted to role "repo:github.com/servo/servo:branch:*"
- "queue:create-task:highest:aws-provisioner-v1/servo-*" - "assume:project:servo:decision-task/trusted"
- "queue:create-task:highest:proj-servo/*"
- "queue:route:index.project.servo.servo.*"
- "docker-worker:cache:servo-*"
- "docker-worker:capability:privileged"
payload: payload:
maxRunTime: {$eval: '20 * 60'} maxRunTime: {$eval: '20 * 60'}
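Review bot: The retained comment `# Granted to role "repo:github.com/servo/servo:branch:*"` now sits above a single `assume:project:servo:decision-task/trusted` entry, so the `scopes:` list no longer shows which queue, route, cache or docker-worker scopes the decision task ends up with. Consider rewording the comment to say that the branch role must carry this `assume:` scope, and pointing to where the `trusted` role is defined. `queue:scheduler-id:taskcluster-github` and `docker-worker:capability:privileged` leave the file along with the other entries; please confirm the `trusted` role contains every removed scope before merging, since nothing in this file would flag a missing one.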


@ -149,12 +149,24 @@ Servo admins have scope `auth:update-role:repo:github.com/servo/*` which allows
to edit that role in the web UI and grant more scopes to these tasks to edit that role in the web UI and grant more scopes to these tasks
(if that person has the new scope themselves). (if that person has the new scope themselves).
The [`project:servo:decision-task/base`][base]
and [`project:servo:decision-task/trusted`][trusted] roles
centralize the set of scopes granted to the decision task.
This avoids maintaining them seprately in the `repo:…` roles,
in the `hook-id:…` role,
and in the `taskcluster.yml` file.
Only the `base` role is granted to tasks executed when a pull request is opened.
These tasks are less trusted because they run before the code has been reviewed,
and anyone can open a PR.
[Scopes]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/scopes [Scopes]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/scopes
[web UI]: https://tools.taskcluster.net/ [web UI]: https://tools.taskcluster.net/
[credentials]: https://tools.taskcluster.net/credentials [credentials]: https://tools.taskcluster.net/credentials
[Roles]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/roles [Roles]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/roles
[expand]: https://docs.taskcluster.net/docs/reference/platform/taskcluster-auth/docs/roles [expand]: https://docs.taskcluster.net/docs/reference/platform/taskcluster-auth/docs/roles
[branches]: https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2Fservo%2Fservo%3Abranch%3A* [branches]: https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2Fservo%2Fservo%3Abranch%3A*
[base]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Fbase
[trusted]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Ftrusted
## Daily tasks ## Daily tasks
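Review bot: The added paragraph does not say who can edit the two new roles. The context line above it documents `auth:update-role:repo:github.com/servo/*`, but the new roles are named `project:servo:decision-task/base` and `project:servo:decision-task/trusted`, which that pattern does not cover. Since these roles now hold the decision task's scopes, state which scope is required to update them. It would also help to say in one sentence what `trusted` grants beyond `base`, so the split between reviewed and unreviewed code can be audited without opening the web UI. Minor: "seprately" should be "separately".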