In bug 1328719, we added support for rebuilding the decision/action task definition via json-e.
In bug 1459705, we're killing support for cot v1, which relied on docker sha allowlists and decision task command parsing. Because we no longer use the docker sha allowlists, let's remove this comment.
MozReview-Commit-ID: HntXmoSzUij
--HG--
extra : rebase_source : 3869737cc8b2cce75965235657c2a3bc427952df
For kind=hook, the spec doesn't include this value as it's untrustworthy.
For kind=task, it's still untrustworthy, but there is no privilege escalation
so that's not important. Still, it dramatically expands the size of the task
definition.
MozReview-Commit-ID: 6scQ2ZwxP10
--HG--
extra : rebase_source : 4dc34390a510091ddc26023755992995fe358e47
The inclusion of this scope limits the actions initiated within this decision
task's task group.
MozReview-Commit-ID: E5gP9UR3pdu
--HG--
extra : rebase_source : 335a4f3bb15bdf3a9bd9c75a692fabb1417a5461
As part of this we also change the cache name to ensure that
the new image uses a separate cache from the old image.
MozReview-Commit-ID: J4DmgupnyS
--HG--
extra : rebase_source : 44c0ee3de8b9a7a4854c462e2796662c998c02b0
The decision task is used for everything built as part of a push (for
mozilla-central, this is firefox, devedition and fennec, as well as tasks that
aren't strictly part of any product). Thus, having `firefox` encoded as part of
the decision task doesn't make sense.
This changes the route from
index.gecko.v2.${repository.project}.latest.firefox.decision
to
index.gecko.v2.${repository.project}.latest.taskgraph.decision
while leaving the latter for backwards compatability with tools that expect it.
Differential Revision: https://phabricator.services.mozilla.com/D996
--HG--
extra : rebase_source : c4c4691bb4633225e5e37b21982b916f76353e27
extra : source : 6ef1607a3e63250eefbda5333d61fd338c23311d
Per the comments in .taskcluster.yml, the exception is there because
some jobs were still using tc-vcs, but they aren't anymore, per bug
1383973.
--HG--
extra : rebase_source : dc81fd5c0ff4299712206edd272cdc33095bdcde
The updated Docker image contains robustcheckout and run-task support
for sparse checkouts, which are obvious prerequisites.
We change the cache name so sparse and non-sparse checkouts don't
use the same working directory. If we didn't do this, tasks running
from images with old Mercurial clients or without a sparse aware
robustcheckout would fail.
The effect of using a sparse checkout is that we reduce the number
of files in the checkout from ~234,000 to ~3,600. This reduces time
for a fresh checkout from several dozen seconds to under 2s.
MozReview-Commit-ID: IJz794g8ZKH
--HG--
extra : source : 9923fffd4f64a1aa9d762e6027e0e2424a19c49c
The updated Docker image contains robustcheckout and run-task support
for sparse checkouts, which are obvious prerequisites.
We change the cache name so sparse and non-sparse checkouts don't
use the same working directory. If we didn't do this, tasks running
from images with old Mercurial clients or without a sparse aware
robustcheckout would fail.
The effect of using a sparse checkout is that we reduce the number
of files in the checkout from ~234,000 to ~3,600. This reduces time
for a fresh checkout from several dozen seconds to under 2s.
MozReview-Commit-ID: IJz794g8ZKH
--HG--
extra : rebase_source : d262c8314381a136cf5cdc5c33669c8c61818d1d
Changes to cron decision tasks:
- drops some unnecessary routes
- drops tags.createdForUser: nobody@..
- more use of environment variables within the command line
MozReview-Commit-ID: 9zoqFvwrBRs
--HG--
extra : rebase_source : 77e17089b67e5d72360d5ecb617887b7a71457fe
This makes a slight change to the resulting decision task, by putting the
comment in an environment variable. This avoids the need to perform shell
quoting (which mozilla-taskcluster was doing a poor job of anyway).
MozReview-Commit-ID: 4MRhJKDIZkk
--HG--
extra : rebase_source : 7fd4a55c574d7542825a9a2a6f37aba0b4fbec1d
This uses the email provided by mozilla-taskcluster to find who to
email about failed decision tasks. It also adds some validation of
the try syntax that we've previously ignored.
Any platforms or build types specified in try sytax that don't exist
in the full task graph will throw an error.
MozReview-Commit-ID: JOKkLle7hEe
--HG--
extra : rebase_source : 65299c95c60bcb3c6a295b1f8f2f18477c2852db
This adds `.cron.yml` and a new mach command to interpret it. While
functionality is limited to nightlies right now, there is room to expand to
more diverse periodic tasks. Let your imagination run wild!
MozReview-Commit-ID: KxQkaUbsjQs
--HG--
extra : rebase_source : ddf0a1eadae5a1169c0ead7bcb7b9ce61b255fbf
This will make harder to falsify a decision task.
Notably our validation code only needs to verify that the definition of the
decision task as given here matches what is used in the task definition in
the Chain-Of-Trust artifact, in order to prove that the decision task is
a result of what ran in the tree.
MozReview-Commit-ID: 4SRO7G1nyyL
--HG--
extra : rebase_source : a3b062c5adfa3c2c96a220adf9bd5d2f50d294aa
* Compress docker images with zstd
* Removed need for context.tar from decision task
* Index images by level rather than project
MozReview-Commit-ID: 4RL4QXNWmpd
--HG--
extra : rebase_source : 677d8030a15af3288866a70fc648a10b22c396a3
332a08725ed0 changed the store path logic in a quick and crude manner.
The code could lead to multiple shared stores existing on a cache
if checkouts were in different parent directories.
This commit refactors the code to explicitly declare a path to the
shared hg store. This restores the behavior of ensuring there is only
a single shared store per cache.
MozReview-Commit-ID: 19Aa1QVrVQ8
--HG--
extra : rebase_source : f74c0ab9cba2bf18e335f24c86dd095335961723
Containing the Mercurial 3.9.1 version bump and the change to pin the
hg.mo fingerprint from a TC secret.
MozReview-Commit-ID: LVU7P0LqIvD
--HG--
extra : rebase_source : 8ad46e014ba9840c9972b51ea43e8ccf14492cf2
Until now Gecko decision task artifacts would expire after a week. Unfortunately, some of these artifacts are
needed in order for Treeherder to determine which tasks it can schedule on a given push.
In this change, we're changing the expiration of all artifacts except those that are related to docker image
optimizations, which, are very large files and we only want to keep for a week.
MozReview-Commit-ID: 96ahyWmoI7W
--HG--
extra : rebase_source : d0f4d65e3b5bfae832a5aaed60c0dfd58f0bdc62
This commit does a lot. But it's really not too difficult to comprehend
once you focus on the final state, which is basically the same as the
"lint" image and derived tasks.
Before, the "decision" image contained a "checkout-gecko" script and
"run-action" and "run-decision" scripts. The latter 2 invoked the first
script.
The "run-task" script basically does what the combination of these
scripts were doing before. So we switch to it.
While we're here, we also replaced the custom Mercurial installation in
this image with the shared install-mercurial.sh script. The
system-setup.sh script for the decision image is now short and sweet.
The YAML files for tasks using this image have been updated to use
"run-task." We no longer have to pass an environment variable to hold
command arguments. So we revert to putting these arguments inline in
the task's command. Dustin never liked passing the arguments as
environment variables, so it should make him happy ;) We add
--log-no-times because "run-task" prefixes its own timestamps on output
lines.
The path to the Gecko checkout has been changed from
/home/worker/workspace to /home/worker/checkouts to match changes made
in bug 1289643.
Finally, since "checkout-gecko-and-run" is no longer used, we delete it.
The Docker image version has been bumped accordingly.
MozReview-Commit-ID: HAGuCz6668Q
--HG--
extra : rebase_source : 9586873c21d67f8ce869b7ceee221e8fa8775539
Currently, the gecko-decision and action tasks maintain a separate cache
for each "project" (Firefox repo) source checkout. In my opinion, this
is not necessary.
Separate caches/source checkouts mean a lower chance for a cache hit:
a lower chance that any given worker will have a source checkout readily
available for the "project" being built. They also mean workers store
more data and files in caches.
By using a shared cache for source checkouts, workers will ideally
only have a single source checkout cache and will be pretty much
guaranteed to have a checkout readily available (the main exception
being the first task on a freshly-provisioned worker).
A downside of a shared cache is that workers may spend more time doing
`hg update` operations. e.g. if the last task was from mozilla-release
and the current task is from mozilla-central, thousands of files will
be updated. However, I believe we will still be better off because
separate caches *increase* the probability for a full checkout, which
involves writing ~150,000 files! So I believe this change will lower
the overall amount of VCS work done by workers while possibly
sacrificing the lowest possible execution time (which is achieved by
minimizing the `hg update` work).
It's worth noting that `hg robustcheckout` (which is used by these
tasks) does the equivalent of an `hg purge --all`. This ensures that all
untracked and ignored files from previous tasks are deleted. So there
should be no contamination from previous tasks.
MozReview-Commit-ID: I5Ng3xFEfou
--HG--
extra : rebase_source : db423e5005d1e26d7dfebbbfa28893fc32caef6f
https://hg.mozilla.org/mozilla-unified contains heads from all the
major Firefox repos. In addition, it is encoded on the server in such a
way that it is several hundred megabytes smaller despite containing
30,000+ more changesets. This means faster clones and faster
operations.
Cloning this repo does require a new version of Mercurial. So if any
TC tasks are using an ancient Mercurial - one that is vulnerable to
known CVE issues in fact - this will flush them out.
MozReview-Commit-ID: 2VHDa6FEeeJ
--HG--
extra : rebase_source : db4990bcde0503fd14d82a5d16c71adbb4f92be3
extra : histedit_source : 6c555bd3df12536d1c48b45d8cc76611e3f7032f
Changes to the decision Docker image have been compelted. We're ready to
use the new image.
We tag the image, update version references, change the task caches
so the new Mercurial pooled storage from the robustcheckout extension is
used, and convert the decision tasks to run as the "worker" user.
MozReview-Commit-ID: 61v9Ivy59zG
--HG--
extra : rebase_source : 640318a87660950c5e0680867a1bfdd68e35f127
extra : histedit_source : ec53fc576c00e5f2053167b37544ac7afccaecb5
The decision task configures a /home/worker/workspace cache. However,
the command we run in the container references a "workspace" relative
path. From logs in automation, it appears that PWD during execution
is "/" because "workspace" is being resolved to "/workspace." The
net result of this is we appear to be performing a VCS clone+checkout
on every single task.
This commit fixes the paths so our workspace cache is actually used.
MozReview-Commit-ID: Kj6REep5bSs
--HG--
extra : rebase_source : 8cd8be43dfd34f2970b47721c3da8e3957a8bfed
extra : histedit_source : b81dce523a88e44eb3fa8b1a68840066edca382d
Jobs reporting to treeherder should rely on the task route for project,
revision, and pushlog ID rather than things stuffed into task.extra.treeherder.
This also removes the need for a revision_hash that was calculated by mozilla-taskcluster.
MozReview-Commit-ID: EcQM9QRZzgG
--HG--
extra : rebase_source : f04f6724feef2dd51b4b98c67c9a261b093f452b
extra : amend_source : 0590605834d93359206f49edd94396c43b57f6dd