diff --git a/.taskcluster.yml b/.taskcluster.yml index d633736d0..9edb997aa 100644 --- a/.taskcluster.yml +++ b/.taskcluster.yml @@ -43,20 +43,15 @@ tasks: then: ${event.pull_request.base.repo.full_name} else: ${event.repository.full_name} - is_repo_trusted: + trust_level: # Pull requests on main repository can't be trusted because anybody can open a PR on it, without a review $if: 'tasks_for in ["github-push", "github-release", "cron"] && event.repository.html_url == "https://github.com/mozilla-mobile/fenix"' - then: true - else: false + then: 3 + else: 1 in: $let: - decision_worker_type: - $if: 'is_repo_trusted' - then: mobile-3-decision - else: mobile-1-decision - track: - $if: 'is_repo_trusted' + $if: 'trust_level == 3' then: 'nightly' else: 'staging-nightly' @@ -82,7 +77,7 @@ tasks: deadline: {$fromNow: '2 hours'} expires: ${expires_in} provisionerId: aws-provisioner-v1 - workerType: ${decision_worker_type} + workerType: mobile-${trust_level}-decision priority: ${tasks_priority} requires: all-completed # Must be explicit because of Chain of Trust retries: 5 @@ -106,6 +101,7 @@ tasks: SCHEDULER_ID: ${scheduler_id} TASK_ID: ${decision_task_id} TASKS_PRIORITY: ${tasks_priority} + TRUST_LEVEL: ${trust_level} features: taskclusterProxy: true extra: @@ -169,7 +165,7 @@ tasks: $mergeDeep: - {$eval: 'default_task_definition'} - scopes: - - $if: is_repo_trusted + - $if: 'trust_level == 3' then: assume:hook-id:project-mobile/fenix-nightly else: assume:hook-id:project-mobile/fenix-nightly-staging routes: diff --git a/automation/taskcluster/decision_task.py b/automation/taskcluster/decision_task.py index 63c862c12..f4ae9812a 100644 --- a/automation/taskcluster/decision_task.py +++ b/automation/taskcluster/decision_task.py @@ -37,6 +37,7 @@ BUILDER = TaskBuilder( scheduler_id=os.environ.get('SCHEDULER_ID', 'taskcluster-github'), tasks_priority=os.environ.get('TASKS_PRIORITY'), date_string=os.environ.get('BUILD_DATE'), + trust_level=os.environ.get('TRUST_LEVEL'), ) diff --git a/automation/taskcluster/lib/tasks.py b/automation/taskcluster/lib/tasks.py index acc2f340c..34f90ea9d 100644 --- a/automation/taskcluster/lib/tasks.py +++ b/automation/taskcluster/lib/tasks.py @@ -19,7 +19,7 @@ _OFFICIAL_REPO_URL = 'https://github.com/mozilla-mobile/fenix' class TaskBuilder(object): def __init__( self, task_id, repo_url, branch, commit, owner, source, scheduler_id, date_string, - tasks_priority='lowest' + tasks_priority='lowest', trust_level=1 ): self.task_id = task_id self.repo_url = repo_url @@ -30,6 +30,7 @@ class TaskBuilder(object): self.scheduler_id = scheduler_id self.tasks_priority = tasks_priority self.date = arrow.get(date_string) + self.trust_level = trust_level def craft_assemble_release_task(self, apks, is_staging=False): artifacts = { @@ -82,7 +83,6 @@ class TaskBuilder(object): ], artifacts=artifacts, routes=routes, - is_staging=is_staging, treeherder={ 'jobKind': 'build', 'machine': { @@ -231,7 +231,7 @@ class TaskBuilder(object): def _craft_build_ish_task( self, name, description, command, dependencies=None, artifacts=None, scopes=None, - routes=None, is_staging=True, treeherder=None + routes=None, treeherder=None ): dependencies = [] if dependencies is None else dependencies artifacts = {} if artifacts is None else artifacts @@ -269,7 +269,7 @@ class TaskBuilder(object): } return self._craft_default_task_definition( - 'mobile-1-b-fenix' if is_staging else 'mobile-3-b-fenix', + 'mobile-{}-b-fenix'.format(self.trust_level), 'aws-provisioner-v1', dependencies, routes,