Bug 1911193 - update known certificate transparency logs in periodic-updates task r=leplatrem

Differential Revision: https://phabricator.services.mozilla.com/D218370

taskcluster/docker/periodic-updates/runme.sh

@@ -47,6 +47,11 @@ then
   PARAMS="${PARAMS} --mobile-experiments"
 fi
 
+if [ -n "${DO_CT_LOGS}" ]
+then
+  PARAMS="${PARAMS} --ct-logs"
+fi
+
 if [ -n "${DONTBUILD}" ]
 then
   PARAMS="${PARAMS} -d"

taskcluster/docker/periodic-updates/scripts/periodic_file_updates.sh

@@ -14,7 +14,7 @@ Usage: $(basename "$0") [-p product]
            # Use archive.m.o instead of the taskcluster index to get xpcshell
            [--use-ftp-builds]
            # One (or more) of the following actions must be specified.
-           --hsts | --hpkp | --remote-settings | --suffix-list | --mobile-experiments
+           --hsts | --hpkp | --remote-settings | --suffix-list | --mobile-experiments | --ct-logs
            -b branch
 
 EOF
@@ -80,6 +80,9 @@ FENIX_INITIAL_EXPERIMENTS="mobile/android/fenix/app/src/main/res/raw/initial_exp
 FOCUS_INITIAL_EXPERIMENTS="mobile/android/focus-android/app/src/main/res/raw/initial_experiments.json"
 MOBILE_EXPERIMENTS_UPDATED=false
 
+DO_CT_LOGS=false
+CT_LOG_UPDATE_SCRIPT="${SCRIPTDIR}/getCTKnownLogs.py"
+
 ARTIFACTS_DIR="${ARTIFACTS_DIR:-.}"
 # Defaults
 HSTS_DIFF_ARTIFACT="${ARTIFACTS_DIR}/${HSTS_DIFF_ARTIFACT:-"nsSTSPreloadList.diff"}"
@@ -412,6 +415,11 @@ function compare_mobile_experiments() {
   fi
 }
 
+function update_ct_logs() {
+  echo "INFO: Updating CT logs..."
+  "${REPODIR}"/mach python "${CT_LOG_UPDATE_SCRIPT}"
+}
+
 # Clones an hg repo
 function clone_repo {
   cd "${BASEDIR}"
@@ -499,6 +507,7 @@ while [ $# -gt 0 ]; do
     --remote-settings) DO_REMOTE_SETTINGS=true ;;
     --suffix-list) DO_SUFFIX_LIST=true ;;
     --mobile-experiments) DO_MOBILE_EXPERIMENTS=true ;;
+    --ct-logs) DO_CT_LOGS=true ;;
     -r) REPODIR="$2"; shift ;;
     --use-mozilla-central) USE_MC=true ;;
     --use-ftp-builds) USE_TC=false ;;
@@ -517,7 +526,7 @@ if [ "${BRANCH}" == "" ]; then
 fi
 
 # Must choose at least one update action.
-if [ "$DO_HSTS" == "false" ] && [ "$DO_HPKP" == "false" ] && [ "$DO_REMOTE_SETTINGS" == "false" ] && [ "$DO_SUFFIX_LIST" == "false" ] && [ "$DO_MOBILE_EXPERIMENTS" == false ]
+if [ "$DO_HSTS" == "false" ] && [ "$DO_HPKP" == "false" ] && [ "$DO_REMOTE_SETTINGS" == "false" ] && [ "$DO_SUFFIX_LIST" == "false" ] && [ "$DO_MOBILE_EXPERIMENTS" == false ] && [ "$DO_CT_LOGS" == false ]
 then
   echo "Error: you must specify at least one action from: --hsts, --hpkp, --remote-settings, or --suffix-list" >&2
   usage
@@ -603,9 +612,12 @@ if [ "${DO_MOBILE_EXPERIMENTS}" == "true" ]; then
     MOBILE_EXPERIMENTS_UPDATED=true
   fi
 fi
+if [ "${DO_CT_LOGS}" == "true" ]; then
+  update_ct_logs
+fi
 
 
-if [ "${HSTS_UPDATED}" == "false" ] && [ "${HPKP_UPDATED}" == "false" ] && [ "${REMOTE_SETTINGS_UPDATED}" == "false" ] && [ "${SUFFIX_LIST_UPDATED}" == "false" ] && [ "${MOBILE_EXPERIMENTS_UPDATED}" == "false" ]; then
+if [ "${HSTS_UPDATED}" == "false" ] && [ "${HPKP_UPDATED}" == "false" ] && [ "${REMOTE_SETTINGS_UPDATED}" == "false" ] && [ "${SUFFIX_LIST_UPDATED}" == "false" ] && [ "${MOBILE_EXPERIMENTS_UPDATED}" == "false" ] && [ "${DO_CT_LOGS}" == "false" ]; then
   echo "INFO: no updates required. Exiting."
   exit 0
 else
@@ -646,6 +658,13 @@ then
   COMMIT_MESSAGE="${COMMIT_MESSAGE} mobile-experiments"
 fi
 
+if [ "${DO_CT_LOGS}" == "true" ]
+then
+  # CT log files are already updated in-place in the tree, so
+  # there's no need to stage them.
+  COMMIT_MESSAGE="${COMMIT_MESSAGE} ct-logs"
+fi
+
 if [ ${DONTBUILD} == true ]; then
   COMMIT_MESSAGE="${COMMIT_MESSAGE} - (DONTBUILD)"
 fi

taskcluster/kinds/repo-update/kind.yml

@@ -32,6 +32,10 @@ task-defaults:
                 by-project:
                     mozilla-(central|beta): "1"
                     default: ""
+            DO_CT_LOGS:
+                by-project:
+                    mozilla-(central|beta|esr.*): "1"
+                    default: ""
             USE_MOZILLA_CENTRAL:
                 by-project:
                     mozilla-central: "1"