Taskcluster: Don’t attempt to write to the index from unprivileged tasks

This commit is contained in:
Simon Sapin 2019-01-07 15:06:56 +01:00
parent bc366d01a8
commit 7a628080ec
3 changed files with 7 additions and 5 deletions

View file

@ -74,6 +74,7 @@ def main(task_for):
elif task_for == "github-pull-request":
CONFIG.treeherder_repository_name = "servo-prs"
CONFIG.index_read_only = True
# We want the merge commit that GitHub creates for the PR.
# The event does contain a `pull_request.merge_commit_sha` key, but it is wrong:

View file

@ -38,6 +38,7 @@ class Config:
def __init__(self):
self.task_name_template = "%s"
self.index_prefix = "garbage.servo-decisionlib"
self.index_read_only = False
self.scopes_for_all_subtasks = []
self.routes_for_all_subtasks = []
self.docker_image_buil_worker_type = None
@ -265,8 +266,8 @@ class Task:
except taskcluster.TaskclusterRestFailure as e:
if e.status_code != 404: # pragma: no cover
raise
# FIXME: skip for untrusted tasks that dont have the scope to do this?
self.routes.append("index.%s.%s" % (CONFIG.index_prefix, index_path))
if not CONFIG.index_read_only:
self.routes.append("index.%s.%s" % (CONFIG.index_prefix, index_path))
task_id = self.create()
SHARED.found_or_created_indexed_tasks[index_path] = task_id

View file

@ -46,9 +46,6 @@ os.environ.update(**{k: k for k in "TASK_ID TASK_OWNER TASK_SOURCE GIT_URL GIT_S
os.environ["GIT_REF"] = "refs/heads/auto"
import decision_task
print("\n# PR:")
decision_task.main("github-pull-request")
print("\n# Push:")
decision_task.main("github-push")
@ -65,4 +62,7 @@ decision_task.main("github-push")
print("\n# Daily:")
decision_task.main("daily")
print("\n# PR:")
decision_task.main("github-pull-request")
print()