130 строки
5.2 KiB
YAML
130 строки
5.2 KiB
YAML
#-----------------------------------------------------------------------------------------------
|
|
# Taskcluster worker settings.
|
|
# For development, keep the test-dummy-* and dummy-worker-* convention.
|
|
# In production, follow the production conventions.
|
|
#-----------------------------------------------------------------------------------------------
|
|
provisioner_id: proj-deepspeech
|
|
worker_group: proj-deepspeech
|
|
worker_type: ds-scriptworker
|
|
taskcluster_root_url: https://community-tc.services.mozilla.com/
|
|
|
|
# worker_id will default to env['SCRIPTWORKER_WORKER_ID'] if not set, for CloudOps deployment.
|
|
# We may be able to remove that default if we don't use CloudOps deployment for scriptworker
|
|
# instances.
|
|
worker_id: ds-scriptworker-1
|
|
|
|
|
|
#-----------------------------------------------------------------------------------------------
|
|
# Taskcluster credentials.
|
|
# Uncomment and edit to specify the taskcluster credentials here.
|
|
# Taskcluster credentials can also be set in secrets.json, $HOME/.scriptworker,
|
|
# /etc/.scriptworker, or the environment variables TASKCLUSTER_ACCESS_TOKEN,
|
|
# TASKCLUSTER_CLIENT_ID, and TASKCLUSTER_CERITIFICATE.
|
|
#-----------------------------------------------------------------------------------------------
|
|
# credentials:
|
|
# clientId:
|
|
# accessToken:
|
|
# certificate: ...
|
|
|
|
#-----------------------------------------------------------------------------------------------
|
|
# Task configs
|
|
#-----------------------------------------------------------------------------------------------
|
|
|
|
# The timeouts are in seconds.
|
|
artifact_upload_timeout: 1200
|
|
task_max_timeout: 1200
|
|
|
|
# This is the command line to execute the task.
|
|
task_script: ["python3", "script.py", "config.json"]
|
|
|
|
# debug logging?
|
|
verbose: true
|
|
|
|
# In tier 1 production, these should all be true.
|
|
sign_chain_of_trust: false
|
|
verify_chain_of_trust: false
|
|
verify_cot_signature: false
|
|
# Chain of Trust job type, e.g. signing
|
|
cot_job_type: signing
|
|
|
|
|
|
#-----------------------------------------------------------------------------------------------
|
|
# Scriptworker paths.
|
|
#-----------------------------------------------------------------------------------------------
|
|
# Scriptworker logs go here; this is a long-lived directory.
|
|
log_dir: "/tmp/log"
|
|
|
|
# work_dir and artifact_dir will be nuked before every task run.
|
|
work_dir: "/tmp/work"
|
|
artifact_dir: "/tmp/artifact"
|
|
|
|
# task_log_dir should be a subdirectory of artifact_dir; its relative path will be the same
|
|
# as the log artifacts in taskcluster (i.e., public/logs).
|
|
# Set this to private/... if the logs shouldn't be publicly visible.
|
|
task_log_dir: "/tmp/artifact/public/logs"
|
|
|
|
|
|
ed25519_private_key_path: "/tmp/my_privkey.asc"
|
|
|
|
#-----------------------------------------------------------------------------------------------
|
|
# GPG and git settings.
|
|
# These must be set, but they're not used if sign_chain_of_trust, verify_chain_of_trust,
|
|
# and verify_cot_signature are all false.
|
|
#-----------------------------------------------------------------------------------------------
|
|
|
|
#-----------------------------------------------------------------------------------------------
|
|
# Valid artifact rules.
|
|
# This is a list of dictionaries. Each dictionary specifies schemes, netlocs, and path_regexes.
|
|
# All valid artifact downloads should match these. `filepath` must be specified in the
|
|
# path_regexes.
|
|
#
|
|
# If `taskId` is specified in the path_regex, it must be in task.dependencies, the decision task,
|
|
# or an upstream chain of trust task.
|
|
#-----------------------------------------------------------------------------------------------
|
|
# valid_artifact_rules:
|
|
# netlocs:
|
|
# - queue.taskcluster.net
|
|
# path_regexes:
|
|
# - "^/v1/task/(?P<taskId>[^/]+)(/runs/\\d+)?/artifacts/(?P<filepath>.*)$"
|
|
# schemes:
|
|
# - https
|
|
|
|
|
|
|
|
#-----------------------------------------------------------------------------------------------
|
|
# These are allowlists for docker images that are based in docker hub.
|
|
#-----------------------------------------------------------------------------------------------
|
|
# docker_image_allowlists:
|
|
# decision:
|
|
# - "sha256:31035ed23eba3ede02b988be39027668d965b9fc45b74b932b2338a4e7936cf9"
|
|
# docker-image:
|
|
# - "sha256:74c5a18ce1768605ce9b1b5f009abac1ff11b55a007e2d03733cd6e95847c747"
|
|
|
|
|
|
#-----------------------------------------------------------------------------------------------
|
|
# gpg_homedirs specifies the layout of cot-gpg-keys.git
|
|
# Each key is a top level directory.
|
|
#
|
|
# `type: flat` means scriptworker will sign each pubkey after importing, making them valid.
|
|
#
|
|
# `type: signed` means scriptworker will sign and trust each pubkey in the `trusted`
|
|
# subdirectory, then import the pubkeys in the `valid` subdirectory without trusting or signing.
|
|
# The expectation is one of the keys in the `trusted` subdirectory has already signed the keys
|
|
# in the `valid` subdirectory.
|
|
#
|
|
# `ignore_suffixes` is a list of file suffixes to ignore when importing keys.
|
|
#-----------------------------------------------------------------------------------------------
|
|
# gpg_homedirs:
|
|
# docker-worker:
|
|
# type: flat
|
|
# ignore_suffixes:
|
|
# - .md
|
|
# generic-worker:
|
|
# type: flat
|
|
# ignore_suffixes:
|
|
# - .md
|
|
# scriptworker:
|
|
# type: signed
|
|
# ignore_suffixes:
|
|
# - .md
|