| field | value | date |
|---|---|---|
| author | Simon Sapin <simon.sapin@exyr.org> | 2018-10-30 10:10:29 +0100 |
| committer | Simon Sapin <simon.sapin@exyr.org> | 2018-10-30 13:25:19 +0100 |
| commit | 46f9312d0cd7db4f7705e2552ed74186d7ee027e (patch) | |
| tree | 634a3683339482feb268c51f691b40c5db217c2e | |
| parent | a5cce280f1e295805281c50029dd726f871ce0f4 (diff) | |
| download | servo-46f9312d0cd7db4f7705e2552ed74186d7ee027e.tar.gz servo-46f9312d0cd7db4f7705e2552ed74186d7ee027e.zip | |
Taskcluster: use a dedicated role for scopes granted to decision tasks
-rw-r--r-- | .taskcluster.yml | 8 | ||||
-rw-r--r-- | etc/taskcluster/README.md | 12 |
2 files changed, 13 insertions, 7 deletions
diff --git a/.taskcluster.yml b/.taskcluster.yml index 0dc9af93381..7087419c473 100644 --- a/.taskcluster.yml +++ b/.taskcluster.yml @@ -23,14 +23,8 @@ tasks: owner: &task_owner ${event.pusher.name}@users.noreply.github.com source: &task_source ${event.compare} scopes: - - "queue:scheduler-id:taskcluster-github" - # Granted to role "repo:github.com/servo/servo:branch:*" - - "queue:create-task:highest:aws-provisioner-v1/servo-*" - - "queue:create-task:highest:proj-servo/*" - - "queue:route:index.project.servo.servo.*" - - "docker-worker:cache:servo-*" - - "docker-worker:capability:privileged" + - "assume:project:servo:decision-task/trusted" payload: maxRunTime: {$eval: '20 * 60'} diff --git a/etc/taskcluster/README.md b/etc/taskcluster/README.md index e89b10a4cd1..3c8bb4bfe81 100644 --- a/etc/taskcluster/README.md +++ b/etc/taskcluster/README.md 
@@ -149,12 +149,24 @@ Servo admins have scope `auth:update-role:repo:github.com/servo/*` which allows to edit that role in the web UI and grant more scopes to these tasks (if that person has the new scope themselves). +The [`project:servo:decision-task/base`][base] +and [`project:servo:decision-task/trusted`][trusted] roles +centralize the set of scopes granted to the decision task. +This avoids maintaining them seprately in the `repo:…` roles, +in the `hook-id:…` role, +and in the `taskcluster.yml` file. +Only the `base` role is granted to tasks executed when a pull request is opened. +These tasks are less trusted because they run before the code has been reviewed, +and anyone can open a PR. + [Scopes]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/scopes [web UI]: https://tools.taskcluster.net/ [credentials]: https://tools.taskcluster.net/credentials [Roles]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/roles [expand]: https://docs.taskcluster.net/docs/reference/platform/taskcluster-auth/docs/roles [branches]: https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2Fservo%2Fservo%3Abranch%3A* +[base]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Fbase +[trusted]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Ftrusted ## Daily tasks |
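Review bot: In the `.taskcluster.yml` hunk, `assume:project:servo:decision-task/trusted` is requested unconditionally, while the README hunk in the same commit states that pull-request tasks are granted only the `base` role. If PR-triggered tasks are built from this same `scopes:` list, they would request a scope their `repo:…` role does not carry, and the task would be rejected rather than run with reduced privileges; either make the requested role depend on the event type or state in the README how PR tasks obtain their scopes. Note also that the hunk removes `docker-worker:capability:privileged` from the visible file: that capability presumably now lives inside the `trusted` role, so reviewers can no longer see from the repository which scopes a decision task receives, and the README should enumerate what `trusted` contains beyond `base`.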
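Review bot: In the README hunk, "seprately" should read "separately", and "the `taskcluster.yml` file" should be "the `.taskcluster.yml` file" (with the leading dot) to match the path modified in this commit. The new paragraph says only `base` is granted to pull-request tasks but never says which scopes `trusted` adds on top of `base` or which events receive it; suggest one sentence listing that difference, since the point of the split is that `trusted` carries scopes unreviewed code must not get.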