Move taskcluster secrets into appropriate mach commands.

2025-08-03 12:40:06 +01:00 · 2019-05-02 09:50:55 -04:00 · 2019-05-02 09:50:55 -04:00 · dbdbbeb132
commit dbdbbeb132
parent e0e8f64f54
3 changed files with 59 additions and 44 deletions
--- a/etc/taskcluster/decision_task.py
+++ b/etc/taskcluster/decision_task.py
@ -282,15 +282,13 @@ def android_nightly(job):
        android_build_task("Release build")
        .with_treeherder("Android " + details[job]["name"], "Nightly")
        .with_features("taskclusterProxy")
        .with_scopes("secrets:get:project/servo/s3-upload")
        .with_script("""
            ./mach build {flag} --release
            ./mach package {flag} --release --maven
-        """.format(flag=details[job]["mach_flag"])
+            ./mach upload-nightly android --secret-from-taskcluster
-        .with_s3_upload_secret()
+            ./mach upload-nightly maven --secret-from-taskcluster
-        .with_script("""
+        """.format(flag=details[job]["mach_flag"]))
            ./mach upload-nightly android
            ./mach upload-nightly maven
        """)
        .with_artifacts(
            "/repo/target/android/%s/release/servoapp.apk" % details[job]["target"],
            "/repo/target/android/%s/release/servoview.aar" % details[job]["target"],
@ -397,10 +395,10 @@ def windows_nightly():
    return (
        windows_build_task("Release build")
        .with_treeherder("Windows x64", "Nightly")
        .with_scopes("secrets:get:project/servo/s3-upload")
        .with_script("mach build --release",
-                     "mach package --release")
+                     "mach package --release",
-        .with_s3_upload_secret()
+                     "mach upload-nightly windows-msvc --secret-from-taskcluster")
        .with_script("mach upload-nightly windows-msvc")
        .with_artifacts("repo/target/release/msi/Servo.exe",
                        "repo/target/release/msi/Servo.zip")
        .find_or_create("build.windows_x64_nightly." + CONFIG.git_sha)
@ -412,15 +410,13 @@ def linux_nightly():
        linux_build_task("Nightly build and upload")
        .with_treeherder("Linux x64", "Nightly")
        .with_features("taskclusterProxy")
        .with_scopes("secrets:get:project/servo/s3-upload")
        # Not reusing the build made for WPT because it has debug assertions
-        .with_script("""
+        .with_script(
-            ./mach build --release
+            "./mach build --release",
-            ./mach package --release
+            "./mach package --release",
-        """)
+            "./mach upload-nightly linux --secret-from-taskcluster",
-        .with_s3_upload_secret()
+        )
        .with_script("""
            ./mach upload-nightly linux
        """)
        .with_artifacts("/repo/target/release/servo-tech-demo.tar.gz")
        .find_or_create("build.linux_x64_nightly" + CONFIG.git_sha)
    )
@ -452,14 +448,17 @@ def macos_nightly():
        macos_build_task("Release build")
        .with_treeherder("macOS x64", "Nightly")
        .with_features("taskclusterProxy")
-        .with_script("""
+        .with_scopes(
-            ./mach build --release
+            "secrets:get:project/servo/s3-upload",
-            ./mach package --release
+            "secrets:get:project/servo/github-homebrew-token",
-        """)
+            "secrets:get:project/servo/wpt-sync",
-        .with_s3_upload_secret()
+        )
-        .with_script("./mach upload-nightly mac")
+        .with_script(
            "./mach build --release",
            "./mach package --release",
            "./mach upload-nightly mac --secret-from-taskcluster",
        )
        .with_artifacts("repo/target/release/servo-tech-demo.dmg")
        .with_scopes("secrets:get:project/servo/wpt-sync")
        .with_env(PY2="""if 1:
            import urllib, json
            url = "http://taskcluster/secrets/v1/secret/project/servo/wpt-sync"
--- a/etc/taskcluster/decisionlib.py
+++ b/etc/taskcluster/decisionlib.py
@ -173,22 +173,6 @@ class Task:
        self.treeherder_required = False  # Taken care of
        return self
    def with_s3_upload_secret(self):
        return (
            self
            .with_scopes("secrets:get:project/servo/s3-upload")
            .with_env(PY=r"""if 1:
                import urllib, json, os
                from os.path import expanduser, join
                url = "http://taskcluster/secrets/v1/secret/project/servo/s3-upload"
                secret = json.load(urllib.urlopen(url))["secret"]
                aws_dir = expanduser("~/.aws")
                os.mkdir(aws_dir)
                open(join(aws_dir, "credentials"), "w").write(secret["credentials_file"])
            """)
            .with_script('python -c "$PY"')
        )
    def build_worker_payload(self):  # pragma: no cover
        """
        Overridden by sub-classes to return a dictionary in a worker-specific format,
--- a/python/servo/package_commands.py
+++ b/python/servo/package_commands.py
@ -19,6 +19,7 @@ import shutil
 import subprocess
 import sys
 import tempfile
 import urllib
 from mach.decorators import (
    CommandArgument,
@ -538,9 +539,25 @@ class PackageCommands(CommandBase):
    @CommandArgument('platform',
                     choices=PACKAGES.keys(),
                     help='Package platform type to upload')
-    def upload_nightly(self, platform):
+    @CommandArgument('--secret-from-taskcluster',
                     action='store_true',
                     help='Retrieve the appropriate secrets from taskcluster.')
    def upload_nightly(self, platform, secret_from_taskcluster):
        import boto3
        def get_taskcluster_secret(name):
            url = "http://taskcluster/secrets/v1/secret/project/servo/" + name
            return json.load(urllib.urlopen(url))["secret"]
        def get_s3_secret():
            aws_access_key = None
            aws_secret_access_key = None
            if secret_from_taskcluster:
                secret = get_taskcluster_secret("s3-upload-credentials")
                aws_access_key = secret["aws_access_key_id"]
                aws_secret_access_key = secret["aws_secret_access_key"]
            return (aws_access_key, aws_secret_access_key)
        def nightly_filename(package, timestamp):
            return '{}-{}'.format(
                timestamp.isoformat() + 'Z',  # The `Z` denotes UTC
@ -548,7 +565,12 @@ class PackageCommands(CommandBase):
            )
        def upload_to_s3(platform, package, timestamp):
-            s3 = boto3.client('s3')
+            (aws_access_key, aws_secret_access_key) = get_s3_secret()
            s3 = boto3.client(
                's3',
                aws_access_key_id=aws_access_key,
                aws_secret_access_key=aws_secret_access_key
            )
            BUCKET = 'servo-builds'
            nightly_dir = 'nightly/{}'.format(platform)
@ -565,7 +587,12 @@ class PackageCommands(CommandBase):
            s3.copy(copy_source, BUCKET, latest_upload_key)
        def update_maven(directory):
-            s3 = boto3.client('s3')
+            (aws_access_key, aws_secret_access_key) = get_s3_secret()
            s3 = boto3.client(
                's3',
                aws_access_key_id=aws_access_key,
                aws_secret_access_key=aws_secret_access_key
            )
            BUCKET = 'servo-builds'
            nightly_dir = 'nightly/maven'
@ -626,13 +653,18 @@ class PackageCommands(CommandBase):
                    '--message=Version Bump: {}'.format(brew_version),
                ])
                if secret_from_taskcluster:
                    token = get_taskcluster_secret('github-homebrew-token')["token"]
                else:
                    token = os.environ['GITHUB_HOMEBREW_TOKEN']
                push_url = 'https://{}@github.com/servo/homebrew-servo.git'
                # TODO(aneeshusa): Use subprocess.DEVNULL with Python 3.3+
                with open(os.devnull, 'wb') as DEVNULL:
                    call_git([
                        'push',
                        '-qf',
-                        push_url.format(os.environ['GITHUB_HOMEBREW_TOKEN']),
+                        push_url.format(token),
                        'master',
                    ], stdout=DEVNULL, stderr=DEVNULL)