gecko-dev/.taskcluster.yml
Jonas Finnemann Jensen 127e057f26 Bug 1324413 - Lock image content hash for decision task; r=dustin
This will make harder to falsify a decision task.
Notably our validation code only needs to verify that the definition of the
decision task as given here matches what is used in the task definition in
the Chain-Of-Trust artifact, in order to prove that the decision task is
a result of what ran in the tree.

MozReview-Commit-ID: 4SRO7G1nyyL

--HG--
extra : rebase_source : a3b062c5adfa3c2c96a220adf9bd5d2f50d294aa
2016-12-15 17:16:14 -08:00

126 lines
4.4 KiB
YAML

---
version: 0
metadata:
name: 'Taskcluster tasks for Gecko'
description: "The taskcluster task graph for Gecko trees"
owner: mozilla-taskcluster-maintenance@mozilla.com
source: {{{source}}}
scopes:
# Note the below scopes are insecure however these get overriden on the server
# side to whatever scopes are set by mozilla-taskcluster.
- queue:*
- docker-worker:*
- scheduler:*
# Available mustache parameters (see the mozilla-taskcluster source):
#
# - owner: push user (email address)
# - source: URL of this YAML file
# - url: repository URL
# - project: alias for the destination repository (basename of
# the repo url)
# - level: SCM level of the destination repository
# (1 = try, 3 = core)
# - revision: (short) hg revision of the head of the push
# - revision_hash: (long) hg revision of the head of the push
# - comment: comment of the push
# - pushlog_id: id in the pushlog table of the repository
#
# and functions:
# - as_slugid: convert a label into a slugId
# - from_now: generate a timestamp at a fixed offset from now
# The resulting tasks' taskGroupId will be equal to the taskId of the first
# task listed here, which should be the decision task. This gives other tools
# an easy way to determine the ID of the decision task that created a
# particular group.
tasks:
- taskId: '{{#as_slugid}}decision task{{/as_slugid}}'
task:
created: '{{now}}'
deadline: '{{#from_now}}1 day{{/from_now}}'
expires: '{{#from_now}}365 day{{/from_now}}'
metadata:
owner: mozilla-taskcluster-maintenance@mozilla.com
source: {{{source}}}
name: "Gecko Decision Task"
description: |
The task that creates all of the other tasks in the task graph
workerType: "gecko-decision"
provisionerId: "aws-provisioner-v1"
tags:
createdForUser: {{owner}}
scopes:
# Bug 1269443: cache scopes, etc. must be listed explicitly
- "docker-worker:cache:level-{{level}}-*"
- "docker-worker:cache:tooltool-cache"
# mozilla-taskcluster will append the appropriate assume:repo:<repo>
# scope here.
routes:
- "index.gecko.v2.{{project}}.latest.firefox.decision"
- "tc-treeherder.v2.{{project}}.{{revision}}.{{pushlog_id}}"
- "tc-treeherder-stage.v2.{{project}}.{{revision}}.{{pushlog_id}}"
payload:
env:
# checkout-gecko uses these to check out the source; the inputs
# to `mach taskgraph decision` are all on the command line.
GECKO_BASE_REPOSITORY: 'https://hg.mozilla.org/mozilla-unified'
GECKO_HEAD_REPOSITORY: '{{{url}}}'
GECKO_HEAD_REF: '{{revision}}'
GECKO_HEAD_REV: '{{revision}}'
HG_STORE_PATH: /home/worker/checkouts/hg-store
cache:
level-{{level}}-checkouts: /home/worker/checkouts
features:
taskclusterProxy: true
chainOfTrust: true
# Note: This task is built server side without the context or tooling that
# exist in tree so we must hard code the hash
image: 'taskcluster/decision@sha256:0f59f922d86c471e208b7ea08ab077fc68c3920ed5e6895d69a23e8f3457dc24'
maxRunTime: 1800
# TODO use mozilla-unified for the base repository once the tc-vcs
# tar.gz archives are created or tc-vcs isn't being used.
command:
- /home/worker/bin/run-task
- '--vcs-checkout=/home/worker/checkouts/gecko'
- '--'
- bash
- -cx
- >
cd /home/worker/checkouts/gecko &&
ln -s /home/worker/artifacts artifacts &&
./mach --log-no-times taskgraph decision
--pushlog-id='{{pushlog_id}}'
--pushdate='{{pushdate}}'
--project='{{project}}'
--message={{#shellquote}}{{{comment}}}{{/shellquote}}
--owner='{{owner}}'
--level='{{level}}'
--base-repository='https://hg.mozilla.org/mozilla-central'
--head-repository='{{{url}}}'
--head-ref='{{revision}}'
--head-rev='{{revision}}'
--revision-hash='{{revision_hash}}'
artifacts:
'public':
type: 'directory'
path: '/home/worker/artifacts'
expires: '{{#from_now}}364 days{{/from_now}}'
extra:
treeherder:
symbol: D