bug 1445072 - repackage-signing: move signing cert scope into the kind. r?
MozReview-Commit-ID: ETfVl3mDB8l
--- a/taskcluster/ci/repackage-signing/kind.yml
+++ b/taskcluster/ci/repackage-signing/kind.yml
@@ -21,8 +21,28 @@ only-for-build-platforms:
- linux64-nightly/opt
- linux64-devedition-nightly/opt
- macosx64-nightly/opt
- macosx64-devedition-nightly/opt
- win32-nightly/opt
- win32-devedition-nightly/opt
- win64-nightly/opt
- win64-devedition-nightly/opt
+
+job-template:
+ signing-cert:
+ by-product:
+ devedition:
+ by-project:
+ mozilla-beta: nightly
+ maple: nightly
+ default: dep
+ firefox:
+ by-project:
+ oak: nightly
+ mozilla-central: nightly
+ birch: release
+ maple: release
+ mozilla-beta: release
+ mozilla-release: release
+ mozilla-esr60: release
+ default: dep
+ default: dep
--- a/taskcluster/taskgraph/transforms/repackage_signing.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing.py
@@ -4,34 +4,40 @@
"""
Transform the repackage signing task into an actual task description.
"""
from __future__ import absolute_import, print_function, unicode_literals
from taskgraph.transforms.base import TransformSequence
from taskgraph.util.attributes import copy_attributes_from_dependent_job
-from taskgraph.util.schema import validate_schema, Schema
+from taskgraph.util.schema import (
+ Schema,
+ optionally_keyed_by,
+ resolve_keyed_by,
+ validate_schema,
+)
from taskgraph.util.scriptworker import (
add_scope_prefix,
- get_signing_cert_scope_per_platform,
+ get_signing_cert_scope_from_task,
get_worker_type_for_scope,
)
from taskgraph.transforms.task import task_description_schema
from voluptuous import Required, Optional
# Voluptuous uses marker objects as dictionary *keys*, but they are not
# comparable, so we cast all of the keys back to regular strings
task_description_schema = {str(k): v for k, v in task_description_schema.schema.iteritems()}
transforms = TransformSequence()
repackage_signing_description_schema = Schema({
Required('dependent-task'): object,
Required('depname', default='repackage'): basestring,
+ Required('signing-cert'): optionally_keyed_by('product', 'project', basestring),
Optional('label'): basestring,
Optional('treeherder'): task_description_schema['treeherder'],
Optional('shipping-product'): task_description_schema['shipping-product'],
Optional('shipping-phase'): task_description_schema['shipping-phase'],
})
@transforms.add
@@ -82,18 +88,18 @@ def make_repackage_signing_description(c
locale_str = ""
if dep_job.attributes.get('locale'):
treeherder['symbol'] = 'rs({})'.format(dep_job.attributes.get('locale'))
attributes['locale'] = dep_job.attributes.get('locale')
locale_str = "{}/".format(dep_job.attributes.get('locale'))
build_platform = dep_job.attributes.get('build_platform')
is_nightly = dep_job.attributes.get('nightly')
- signing_cert_scope = get_signing_cert_scope_per_platform(
- build_platform, is_nightly, config
+ signing_cert_scope = get_signing_cert_scope_from_task(
+ config, task=job, product=job.get('shipping-product')
)
scopes = [signing_cert_scope, add_scope_prefix(config, 'signing:format:mar_sha384')]
upstream_artifacts = [{
"taskId": {"task-reference": "<repackage>"},
"taskType": "repackage",
"paths": [
"public/build/{}target.complete.mar".format(locale_str),
--- a/taskcluster/taskgraph/util/scriptworker.py
+++ b/taskcluster/taskgraph/util/scriptworker.py
@@ -15,16 +15,18 @@ happen on mozilla-beta and mozilla-relea
Additional configuration is found in the :ref:`graph config <taskgraph-graph-config>`.
"""
from __future__ import absolute_import, print_function, unicode_literals
import functools
import json
import os
+from taskgraph.util.schema import resolve_keyed_by
+
# constants {{{1
"""Map signing scope aliases to sets of projects.
Currently m-c and DevEdition on m-b use nightly signing; Beta on m-b and m-r
use release signing. These data structures aren't set-up to handle different
scopes on the same repo, so we use a different set of them for DevEdition, and
callers are responsible for using the correct one (by calling the appropriate
@@ -354,16 +356,36 @@ def get_phase_from_target_method(config,
@with_scope_prefix
def get_balrog_action_scope(config, action='submit'):
assert action in BALROG_ACTIONS
return "balrog:action:{}".format(action)
+@with_scope_prefix
+def get_signing_cert_scope_from_task(config, task=None, **kwargs):
+ """Get the release signing cert scope from task['signing-cert']"""
+ resolve_kwargs = dict(**config.params)
+ if kwargs:
+ resolve_kwargs.update(kwargs)
+ resolve_keyed_by(
+ task, 'signing-cert',
+ task.get('label', task.get('name', task.get('description'))),
+ **resolve_kwargs
+ )
+ cert = {
+ 'release': 'signing:cert:release-signing',
+ 'nightly': 'signing:cert:nightly-signing',
+ }.get(task['signing-cert'], 'signing:cert:dep-signing')
+ del(task['signing-cert'])
+ return cert
+
+
+
get_signing_cert_scope = functools.partial(
get_scope_from_project,
alias_to_project_map=SIGNING_SCOPE_ALIAS_TO_PROJECT,
alias_to_scope_map=SIGNING_CERT_SCOPES,
)
get_devedition_signing_cert_scope = functools.partial(
get_scope_from_project,