Skip to content

Bug 2006684 - add builddecisionscript#1412

Open
jcristau wants to merge 9 commits into
mozilla-releng:masterfrom
jcristau:builddecisionscript
Open

Bug 2006684 - add builddecisionscript#1412
jcristau wants to merge 9 commits into
mozilla-releng:masterfrom
jcristau:builddecisionscript

Conversation

@jcristau
Copy link
Copy Markdown
Contributor

@jcristau jcristau commented Mar 26, 2026
edited
Loading

Port the build-decision code to run as a scriptworker task.

The following changes have been made:

  • use taskgraph.util.keyed_by instead of a local copy
  • input is taken from fields in the task payload instead of either command-line arguments or the environment
  • we don't have a taskcluster proxy; instead we use temporary credentials obtained/maintained by scriptworker to create tasks / trigger hooks / fetch secrets
  • the CLI is modified to match other scriptworkers

Unlike other scriptworkers, we skip chain of trust verification.

@jcristau jcristau force-pushed the builddecisionscript branch 3 times, most recently from cd74711 to 3e75319 Compare March 26, 2026 18:06
@jcristau jcristau changed the title Add builddecisionscript Bug 2006684 - add builddecisionscript May 19, 2026
@jcristau jcristau force-pushed the builddecisionscript branch from a5a19fb to cbecacb Compare May 19, 2026 15:07
@bhearsum bhearsum mentioned this pull request May 19, 2026
Merged
@jcristau jcristau force-pushed the builddecisionscript branch from 47b9491 to 25f35d3 Compare May 26, 2026 09:40
@jcristau jcristau marked this pull request as ready for review May 26, 2026 09:41
@jcristau jcristau requested a review from a team as a code owner May 26, 2026 09:41
@jcristau
Copy link
Copy Markdown
Contributor Author

jcristau commented May 26, 2026

This depends on mozilla-releng/scriptworker#798 to get temporary tc credentials with the task's scopes.

@jcristau jcristau force-pushed the builddecisionscript branch from 016d35f to d35e8a4 Compare May 26, 2026 11:26
jcristau added 8 commits May 29, 2026 17:47
@jcristau
builddecisionscript: copy build-decision source (bug 2006684)
f0e0af2 
Copy the build-decision code from fxci-config as-is, at revision
6b1ea576b59f8436b28778d5ef2bdd09c80ec348, before adapting it to run
as a scriptworker task.
@jcristau
builddecisionscript: port to scriptworker (bug 2006684)
c1db9d1 
Port the build-decision code to run as a scriptworker task.

- rename the project from build-decision to builddecisionscript
- adapt the original env-var and cmdline based input to be passed
  through the scriptworker task payload instead
- add the usual scriptworker boilerplate
@jcristau
builddecisionscript: no level or trust domain (bug 2006684)
ebf4592 
We'll have a single worker pool here so override the default
scriptworker worker type/group/id.
@jcristau
builddecisionscript: use taskgraph.util.keyed_by (bug 2006684)
7bed2c9 
We can use taskgraph directly, no need to keep a copy of these
functions.
@jcristau
builddecisionscript: add to CI (bug 2006684)
63eeb7d
@jcristau
builddecisionscript: use TASKCLUSTER_CREDENTIALS_FD for TC operations…
d7db894 
… (bug 2006684)

There's no proxy in scriptworker, we talk to tc directly.  Use the
credentials fd passed by scriptworker for all taskcluster operations
(fetching secrets, triggering hooks, creating tasks).
@jcristau
builddecisionscript: coverage for non-404 error for .cron.yml (bug 20…
8335634 
…06684)
@jcristau
builddecisionscript: coverage for token in Repository.get_file (bug 2…
8b82445 
…006684)
@jcristau jcristau force-pushed the builddecisionscript branch from d35e8a4 to 8b82445 Compare May 29, 2026 15:48
bhearsum
bhearsum approved these changes Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@bhearsum bhearsum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the builddecision code itself, I mostly reviewed by comparing fxci-config's version to this, which looked sane.

Unlike other scriptworkers, we skip chain of trust verification.

This is presumably because there's nothing upstream to verify?

(This also makes me wonder: should CoT be verifying any aspect of build decision? I've always found it a bit weird that decision tasks and build-decision tasks don't have a formal link...)

@jcristau
Copy link
Copy Markdown
Contributor Author

jcristau commented Jun 2, 2026

For the builddecision code itself, I mostly reviewed by comparing fxci-config's version to this, which looked sane.

Unlike other scriptworkers, we skip chain of trust verification.

This is presumably because there's nothing upstream to verify?

Indeed.

(This also makes me wonder: should CoT be verifying any aspect of build decision? I've always found it a bit weird that decision tasks and build-decision tasks don't have a formal link...)

I don't think so? We rebuild the decision task's definition based on the repo contents, and there's not necessarily a build-decision task (particularly for github), so we can't really go past that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bhearsum bhearsum bhearsum approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jcristau @bhearsum