Merge branch 'master' into checks

Author: escapewindow

HISTORY.rst

@@ -4,6 +4,50 @@ Change Log
 All notable changes to this project will be documented in this file.
 This project adheres to `Semantic Versioning <http://semver.org/>`__.
 
+[42.2.0] - 2022-02-16
+---------------------
+Added
+~~~~~
+- Mozilla VPN to `cot_restricted_scopes`
+
+[42.1.0] - 2022-02-16
+---------------------
+Added
+~~~~~
+- Support for cedar project
+- Support for log rotation with RotatingFileHandler
+
+[42.0.0] - 2021-12-02
+---------------------
+Removed
+~~~~~~~
+- Removed obsolete Focus scopes
+- Remove Pushsnap support
+
+Added
+~~~~~~~
+- Added Focus for android scopes for github-script, signing-script and pushapk-script
+- Added xpi scopes for Beetmover and Balrog
+- Added microsoft store scopes for Firefox
+- Test coverage for utils and cleanup
+
+[41.0.0] - 2021-09-02
+---------------------
+Removed
+~~~~~~~
+- Support for non-hook actions in CoT
+
+Changed
+~~~~~~~
+- CoT bumped to version 7
+
+[40.0.0] - 2021-08-24
+---------------------
+Changed
+~~~~~~~
+- Removed unused `mpd001` trust domain
+- Added new `mozillavpn` trust domain
+
 [39.0.0] - 2021-08-05
 ---------------------
 Changed

README.rst

@@ -30,7 +30,7 @@ Usage
 .. _example config file: https://github.com/mozilla-releng/scriptworker/blob/master/scriptworker.yaml.tmpl
 .. _scriptworker.constants.DEFAULT_CONFIG: https://github.com/mozilla-releng/scriptworker/blob/master/src/scriptworker/constants.py
 
-Credentials can live in ``./scriptworker.yaml``, ``./secrets.json``, ``~/.scriptworker``, or in environment variables:  ``TASKCLUSTER_ACCESS_TOKEN``, ``TASKCLUSTER_CLIENT_ID``, and ``TASKCLUSTER_CERTIFICATE``.
+Credentials can live in ``./scriptworker.yaml``, ``./secrets.json``, ``~/.scriptworker``.
 
 * Launch: ``scriptworker [config_path]``
 
@@ -42,11 +42,9 @@ Without integration tests install tox, then
 
 ``NO_CREDENTIALS_TESTS=1 tox -e py36``
 
-Without any tests connecting ot the net, then
+Without any tests connecting to the net, then ``NO_TESTS_OVER_WIRE=1 tox -e py36``
 
-``NO_TESTS_OVER_WIRE=1 tox -e py36``
-
-With integration tests, first create a client with the scopes::
+With integration tests, first create a client in the Taskcluster UI with the scopes::
 
     queue:cancel-task:test-dummy-scheduler/*
     queue:claim-work:test-dummy-provisioner/dummy-worker-*
@@ -58,20 +56,15 @@ With integration tests, first create a client with the scopes::
     queue:task-group-id:test-dummy-scheduler/*
     queue:worker-id:test-dummy-workers/dummy-worker-*
 
-Then  create a ``./secrets.json`` or ``~/.scriptworker`` that looks like::
+Then generate a no priviledge personal access token in Github for the scriptworker_github_token (to avoid rate limiting) and create a ``./secrets.json`` or ``~/.scriptworker`` that looks like::
 
     {
         "integration_credentials": {
             "clientId": "...",
             "accessToken": "...",
-            "certificate": "..."
         }
+        "scriptworker_github_token": "..."
     }
 
 
-(``certificate`` is only specified if using temp creds)
-
-
-then
-
-``tox``
+then to run all tests: ``tox``

docs/cot_key_management.rst

@@ -27,3 +27,8 @@ There is also a ``verify_ed25519_signature`` commandline tool. This takes
 a file path and a signature path, and verifies if the file was validly signed
 by a known valid level 3 key. It also takes an optional ``--pubkey PUBKEY``
 argument, which allows you to verify if the file was signed by that pubkey.
+
+Rotating the FirefoxCI CoT keys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+See `this mana page <https://mana.mozilla.org/wiki/pages/viewpage.action?spaceKey=RelEng&title=Chain+of+Trust+key+rotation>`__.

docs/cot_overview.rst

@@ -29,13 +29,10 @@ In conjunction with other best practices, like `separation of roles <https://en.
 Chain of Trust Versions
 ^^^^^^^^^^^^^^^^^^^^^^^
 
-1. Initial Chain of Trust implementation with GPG signatures: Initial `1.0.0b1 on 2016-11-14 <https://github.com/mozilla-releng/scriptworker/blob/master/CHANGELOG.md#100b1---2016-11-14>`_
-2. CoT v2: rebuild task definitions via json-e. `7.0.0 on 2018-01-18 <https://github.com/mozilla-releng/scriptworker/blob/master/CHANGELOG.md#700---2018-01-18>`_
-3. Generic action hook support. `12.0.0 on 2018-05-29 <https://github.com/mozilla-releng/scriptworker/blob/master/CHANGELOG.md#1200---2018-05-29>`_
-4. Release promotion action hook support. `17.1.0 on 2018-12-28 <https://github.com/mozilla-releng/scriptworker/blob/master/CHANGELOG.md#1710---2018-12-28>`_
-5. ed25519 support; deprecate GPG support. `22.0.0 on 2019-03-07 <https://github.com/mozilla-releng/scriptworker/blob/master/CHANGELOG.md#2200---2019-03-07>`_
-6. drop support for gpg `23.0.0 on 2019-03-27 <https://github.com/mozilla-releng/scriptworker/blob/master/CHANGELOG.md#2300---2019-03-27>`_
-
-Planned future versions:
-
-* drop support for non-hook actions
+1. Initial Chain of Trust implementation with GPG signatures: Initial `1.0.0b1 on 2016-11-14 <https://github.com/mozilla-releng/scriptworker/blob/master/HISTORY.rst#100b1---2016-11-14>`_
+2. CoT v2: rebuild task definitions via json-e. `7.0.0 on 2018-01-18 <https://github.com/mozilla-releng/scriptworker/blob/master/HISTORY.rst#700---2018-01-18>`_
+3. Generic action hook support. `12.0.0 on 2018-05-29 <https://github.com/mozilla-releng/scriptworker/blob/master/HISTORY.rst#1200---2018-05-29>`_
+4. Release promotion action hook support. `17.1.0 on 2018-12-28 <https://github.com/mozilla-releng/scriptworker/blob/master/HISTORY.rst#1710---2018-12-28>`_
+5. ed25519 support; deprecate GPG support. `22.0.0 on 2019-03-07 <https://github.com/mozilla-releng/scriptworker/blob/master/HISTORY.rst#2200---2019-03-07>`_
+6. drop support for gpg `23.0.0 on 2019-03-27 <https://github.com/mozilla-releng/scriptworker/blob/master/HISTORY.rst#2300---2019-03-27>`_
+7. drop support for non-hook actions `41.0.0 on 2021-09-02 <https://github.com/mozilla-releng/scriptworker/blob/master/HISTORY.rst#4100---2021-09-02>`_

docs/releases.md

@@ -32,7 +32,7 @@ If you're changing any dependencies, please update `setup.py`.
 If you add change the list of files that need to be packaged (either adding new files, or removing previous packaged files), modify `MANIFEST.in`.
 
 ### Versioning
-Modify `scriptworker/version.py` to set the `__version__` to the appropriate tuple.  This is either a 3- or 4-part tuple, e.g.
+Modify `src/scriptworker/version.py` to set the `__version__` to the appropriate tuple.  This is either a 3- or 4-part tuple, e.g.
 
 ```python
 # 0.10.0a1
@@ -49,7 +49,7 @@ Then run `version.py`:
 
 ```bash
 # Using the local venv python>=3.5,
-python scriptworker/version.py
+python src/scriptworker/version.py
 ```
 
 This will update `version.json`.  Verify both files look correct.

requirements.txt

@@ -8,4 +8,4 @@ immutabledict>=1.3.0
 jsonschema
 json-e>=2.5.0
 PyYAML
-taskcluster>39
+taskcluster>=40

src/scriptworker/constants.py

@@ -56,7 +56,10 @@
         "task_max_timeout_status": STATUSES["intermittent-task"],
         "invalid_reclaim_status": STATUSES["intermittent-task"],
         "task_script": ("bash", "-c", "echo foo && sleep 19 && exit 1"),
+        # Logging settings
         "verbose": True,
+        "log_max_bytes": 0,
+        "log_max_backups": 10,
         # Task settings
         "work_dir": "...",
         "log_dir": "...",
@@ -116,7 +119,7 @@
                         "firefox": "hg",
                         "thunderbird": "hg",
                         "mobile": "github",
-                        "mpd001": "github",
+                        "mozillavpn": "github",
                         "app-services": "github",
                         "glean": "github",
                         "xpi": "github",
@@ -134,7 +137,7 @@
                         "firefox": ("gecko-1/decision", "gecko-2/decision", "gecko-3/decision"),
                         "thunderbird": ("comm-1/decision", "comm-2/decision", "comm-3/decision"),
                         "mobile": ("mobile-1/decision", "mobile-3/decision"),
-                        "mpd001": ("mpd001-1/decision", "mpd001-3/decision"),
+                        "mozillavpn": ("mozillavpn-1/decision", "mozillavpn-3/decision"),
                         "app-services": ("app-services-1/decision", "app-services-3/decision"),
                         "glean": ("glean-1/decision", "glean-3/decision"),
                         "xpi": ("xpi-1/decision", "xpi-3/decision"),
@@ -152,7 +155,7 @@
                         "firefox": ("gecko-1/images", "gecko-2/images", "gecko-3/images"),
                         "thunderbird": ("comm-1/images", "comm-2/images", "comm-3/images"),
                         "mobile": ("mobile-1/images", "mobile-3/images"),
-                        "mpd001": ("mpd001-1/images", "mpd001-3/images"),
+                        "mozillavpn": ("mozillavpn-1/images", "mozillavpn-3/images"),
                         "app-services": ("app-services-1/images", "app-services-3/images"),
                         "glean": ("glean-1/images", "glean-3/images"),
                         "xpi": ("xpi-1/images", "xpi-3/images"),
@@ -176,7 +179,7 @@
                                     r"^(?P<path>/mozilla-(central|unified))(/|$)",
                                     r"^(?P<path>/integration/(autoland|fx-team|mozilla-inbound))(/|$)",
                                     r"^(?P<path>/releases/mozilla-(beta|release|esr\d+))(/|$)",
-                                    r"^(?P<path>/projects/(maple|oak|pine))(/|$)",
+                                    r"^(?P<path>/projects/(maple|oak|cedar|pine))(/|$)",
                                 ),
                             }
                         ),
@@ -213,12 +216,12 @@
                             }
                         ),
                     ),
-                    "mpd001": (
+                    "mozillavpn": (
                         immutabledict(
                             {
                                 "schemes": ("https", "ssh"),
                                 "netlocs": ("github.com",),
-                                "path_regexes": tuple([r"^(?P<path>/mozilla-services/(?:guardian-vpn-windows))(/|.git|$)"]),
+                                "path_regexes": tuple([r"^(?P<path>/mozilla-mobile/(?:mozilla-vpn-client))(/|.git|$)"]),
                             }
                         ),
                     ),
@@ -275,7 +278,7 @@
                         "github-push",
                         "github-release",
                     ),
-                    "mpd001": ("cron", "github-pull-request", "github-push", "github-release"),
+                    "mozillavpn": ("cron", "github-pull-request", "github-push", "github-release"),
                     "app-services": (
                         "action",
                         "cron",
@@ -308,7 +311,7 @@
                     "firefox": "",
                     "thunderbird": "",
                     "mobile": "mozilla-mobile",
-                    "mpd001": "mozilla-services",
+                    "mozillavpn": "mozilla-mobile",
                     "app-services": "mozilla",
                     "glean": "mozilla",
                     "xpi": "mozilla-extensions",
@@ -335,11 +338,10 @@
                             "project:releng:signing:cert:release-signing": "all-release-branches",
                             "project:releng:flathub:firefox:beta": "beta-or-release",  # Needed on release for RCs
                             "project:releng:flathub:firefox:stable": "release",
-                            "project:releng:snapcraft:firefox:beta": "beta-or-release",  # Needed on release for RCs
-                            "project:releng:snapcraft:firefox:candidate": "release",
-                            "project:releng:snapcraft:firefox:esr": "esr",
                             "project:releng:ship-it:production": "all-production-branches",
                             "project:releng:treescript:action:push": "all-production-branches",
+                            "project:releng:microsoftstore:beta": "beta",
+                            "project:releng:microsoftstore:release": "release",
                         }
                     ),
                     "thunderbird": immutabledict(
@@ -372,16 +374,19 @@
                             "project:mobile:fennec-profile-manager:releng:signing:cert:fennec-production-signing": "fennec-profile-manager-repo",
                             "project:mobile:firefox-tv:releng:googleplay:product:firefox-tv": "firefox-tv-repo",
                             "project:mobile:firefox-tv:releng:signing:cert:production-signing": "firefox-tv-repo",
-                            "project:mobile:focus:googleplay:product:focus": "focus-repo",
-                            "project:mobile:focus:releng:signing:cert:release-signing": "focus-repo",
                             "project:mobile:reference-browser:releng:googleplay:product:reference-browser": "reference-browser-repo",
                             "project:mobile:reference-browser:releng:signing:cert:release-signing": "reference-browser-repo",
+                            "project:mobile:focus-android:releng:github:project:focus-android": "focus-repo",
+                            "project:mobile:focus-android:releng:googleplay:product:focus-android": "focus-repo",
+                            # beta and nightly are signed with same key as production
+                            "project:mobile:focus-android:releng:signing:cert:production-signing": "focus-repo",
                         }
                     ),
-                    "mpd001": immutabledict(
+                    "mozillavpn": immutabledict(
                         {
-                            "project:mpd001:releng:signing:cert:nightly-signing": "mpd001-repo",
-                            "project:mpd001:releng:signing:cert:release-signing": "mpd001-repo",
+                            "project:mozillavpn:releng:signing:cert:nightly-signing": "mozillavpn-repo",
+                            "project:mozillavpn:releng:signing:cert:release-signing": "mozillavpn-repo",
+                            "project:mozillavpn:releng:googleplay:product:mozillavpn": "mozillavpn-repo",
                         }
                     ),
                     "app-services": immutabledict({"project:mozilla:app-services:releng:beetmover:bucket:maven-production": "app-services-repo"}),
@@ -391,6 +396,8 @@
                             "project:xpi:signing:cert:release-signing": "xpi-manifest-repo",
                             "project:xpi:releng:github:project:mozilla-extensions/*": "xpi-manifest-repo",
                             "project:xpi:ship-it:production": "xpi-manifest-repo",
+                            "project:xpi:beetmover:bucket:release": "xpi-manifest-repo",
+                            "project:xpi:balrog:server:release": "xpi-manifest-repo",
                         }
                     ),
                     "adhoc": immutabledict({"project:adhoc:signing:cert:release-signing": "adhoc-signing-repos"}),
@@ -432,6 +439,7 @@
                             # XXX remove /projects/maple when we have a
                             #     different prod signing testing solution
                             # XXX remove /projects/oak when we no longer test updates against it
+                            # XXX remove /projects/cedar when we no longer need
                             # XXX remove /projects/pine when we no longer need
                             #     nightly signing
                             "all-nightly-branches": (
@@ -443,6 +451,7 @@
                                 "/releases/mozilla-esr91",
                                 "/projects/maple",
                                 "/projects/oak",
+                                "/projects/cedar",
                                 "/projects/pine",
                             ),
                             "all-production-branches": (
@@ -476,7 +485,7 @@
                             "reference-browser-repo": ("/mozilla-mobile/reference-browser",),
                         }
                     ),
-                    "mpd001": immutabledict({"mpd001-repo": ("/mozilla-services/guardian-vpn-windows",)}),
+                    "mozillavpn": immutabledict({"mozillavpn-repo": ("/mozilla-mobile/mozilla-vpn-client",)}),
                     "app-services": immutabledict({"app-services-repo": ("/mozilla/application-services",)}),
                     "glean": immutabledict({"glean-repo": ("/mozilla/glean",)}),
                     "xpi": immutabledict({"xpi-manifest-repo": ("/mozilla-extensions/xpi-manifest",)}),
@@ -497,7 +506,7 @@
                     "thunderbird": ("decision", "action", "docker-image"),
                     # XXX now that we're on taskgraph, we should limit these.
                     "mobile": "any",  # all allowed
-                    "mpd001": "any",  # all allowed
+                    "mozillavpn": "any",  # all allowed
                     "app-services": "any",  # all allowed
                     "glean": "any",  # all allowed
                     "xpi": "any",  # all allowed
@@ -512,7 +521,7 @@
                     "firefox": "GECKO",
                     "thunderbird": "COMM",
                     "mobile": "MOBILE",
-                    "mpd001": "MPD001",
+                    "mozillavpn": "MOZILLAVPN",
                     "app-services": "APPSERVICES",
                     "glean": "GLEAN",
                     "xpi": "XPI",