Taskcluster: Don’t attempt to write to the index from unprivileged tasks

etc/taskcluster/decision_task.py

@@ -74,6 +74,7 @@ def main(task_for):
 
     elif task_for == "github-pull-request":
         CONFIG.treeherder_repository_name = "servo-prs"
+        CONFIG.index_read_only = True
 
         # We want the merge commit that GitHub creates for the PR.
         # The event does contain a `pull_request.merge_commit_sha` key, but it is wrong:

etc/taskcluster/decisionlib.py

@@ -38,6 +38,7 @@ class Config:
     def __init__(self):
         self.task_name_template = "%s"
         self.index_prefix = "garbage.servo-decisionlib"
+        self.index_read_only = False
         self.scopes_for_all_subtasks = []
         self.routes_for_all_subtasks = []
         self.docker_image_buil_worker_type = None
@@ -265,8 +266,8 @@ class Task:
         except taskcluster.TaskclusterRestFailure as e:
             if e.status_code != 404:  # pragma: no cover
                 raise
-            # FIXME: skip for untrusted tasks that don’t have the scope to do this?
-            self.routes.append("index.%s.%s" % (CONFIG.index_prefix, index_path))
+            if not CONFIG.index_read_only:
+                self.routes.append("index.%s.%s" % (CONFIG.index_prefix, index_path))
             task_id = self.create()
 
         SHARED.found_or_created_indexed_tasks[index_path] = task_id

etc/taskcluster/mock.py

@@ -46,9 +46,6 @@ os.environ.update(**{k: k for k in "TASK_ID TASK_OWNER TASK_SOURCE GIT_URL GIT_S
 os.environ["GIT_REF"] = "refs/heads/auto"
 import decision_task
 
-print("\n# PR:")
-decision_task.main("github-pull-request")
-
 print("\n# Push:")
 decision_task.main("github-push")
 
@@ -65,4 +62,7 @@ decision_task.main("github-push")
 print("\n# Daily:")
 decision_task.main("daily")
 
+print("\n# PR:")
+decision_task.main("github-pull-request")
+
 print()