Support actions on github pull requests (bug 1641282) (#426)

jcristau · web-flow · commit 63dbbedf64fe · 2024-02-12T17:44:07.000+01:00
- use "pr-action" instead of "action" hook and scope when registering an
  action from a pull-request graph
- pass the base repo url and branch in the action payload: the base repo
  is what the scope should be based on, and the base repo+branch need to
  be passed back to action tasks so they can check out the right thing
diff --git a/src/taskgraph/actions/registry.py b/src/taskgraph/actions/registry.py
@@ -163,11 +163,11 @@ def action_builder(parameters, graph_config, decision_task_id):
             actionPerm = "generic" if generic else cb_name
 
             # gather up the common decision-task-supplied data for this action
-            repo_param = "head_repository"
             repository = {
-                "url": parameters[repo_param],
+                "url": parameters["head_repository"],
                 "project": parameters["project"],
                 "level": parameters["level"],
+                "base_url": parameters["base_repository"],
             }
 
             revision = parameters["head_rev"]
@@ -179,6 +179,9 @@ def action_builder(parameters, graph_config, decision_task_id):
             branch = parameters.get("head_ref")
             if branch:
                 push["branch"] = branch
+            base_branch = parameters.get("base_ref")
+            if base_branch and branch != base_branch:
+                push["base_branch"] = base_branch
 
             action = {
                 "name": name,
@@ -213,11 +216,16 @@ def action_builder(parameters, graph_config, decision_task_id):
             if "/" in actionPerm:
                 raise Exception("`/` is not allowed in action names; use `-`")
 
+            if parameters["tasks_for"].startswith("github-pull-request"):
+                hookId = f"in-tree-pr-action-{level}-{actionPerm}/{tcyml_hash}"
+            else:
+                hookId = f"in-tree-action-{level}-{actionPerm}/{tcyml_hash}"
+
             rv.update(
                 {
                     "kind": "hook",
                     "hookGroupId": f"project-{trustDomain}",
-                    "hookId": f"in-tree-action-{level}-{actionPerm}/{tcyml_hash}",
+                    "hookId": hookId,
                     "hookPayload": {
                         # provide the decision-task parameters as context for triggerHook
                         "decision": {
@@ -293,16 +301,20 @@ def sanity_check_task_scope(callback, parameters, graph_config):
 
     actionPerm = "generic" if action.generic else action.cb_name
 
-    repo_param = "head_repository"
-    raw_url = parameters[repo_param]
+    raw_url = parameters["base_repository"]
     parsed_url = parse(raw_url)
-    expected_scope = f"assume:{parsed_url.taskcluster_role_prefix}:action:{actionPerm}"
+    action_scope = f"assume:{parsed_url.taskcluster_role_prefix}:action:{actionPerm}"
+    pr_action_scope = (
+        f"assume:{parsed_url.taskcluster_role_prefix}:pr-action:{actionPerm}"
+    )
 
     # the scope should appear literally; no need for a satisfaction check. The use of
     # get_current_scopes here calls the auth service through the Taskcluster Proxy, giving
     # the precise scopes available to this task.
-    if expected_scope not in taskcluster.get_current_scopes():
-        raise ValueError(f"Expected task scope {expected_scope} for this action")
+    if not set((action_scope, pr_action_scope)) & set(taskcluster.get_current_scopes()):
+        raise ValueError(
+            f"Expected task scope {action_scope} or {pr_action_scope} for this action"
+        )
 
 
 def trigger_action_callback(
diff --git a/test/test_actions_registry.py b/test/test_actions_registry.py
@@ -12,34 +12,40 @@
         ("non-existing-action", {}, [], pytest.raises(ValueError)),
         (
             "retrigger",
-            {"head_repository": "https://some.git.repo"},
+            {"base_repository": "https://some.git.repo"},
             [],
             pytest.raises(InvalidRepoUrlError),
         ),
         (
             "retrigger",
-            {"head_repository": "https://hg.mozilla.org/try"},
+            {"base_repository": "https://hg.mozilla.org/try"},
             ["unrelated:scope"],
             pytest.raises(ValueError),
         ),
         (
             "retrigger",
-            {"head_repository": "https://hg.mozilla.org/mozilla-central"},
+            {"base_repository": "https://hg.mozilla.org/mozilla-central"},
             ["assume:repo:hg.mozilla.org/mozilla-central:action:generic"],
             does_not_raise(),
         ),
         (
             "retrigger",
-            {"head_repository": "https://github.com/taskcluster/taskgraph"},
+            {"base_repository": "https://github.com/taskcluster/taskgraph"},
             ["assume:repo:github.com/taskcluster/taskgraph:action:generic"],
             does_not_raise(),
         ),
         (
             "retrigger",
-            {"head_repository": "git@github.com:mozilla-mobile/firefox-android.git"},
+            {"base_repository": "git@github.com:mozilla-mobile/firefox-android.git"},
             ["assume:repo:github.com/mozilla-mobile/firefox-android:action:generic"],
             does_not_raise(),
         ),
+        (
+            "retrigger",
+            {"base_repository": "git@github.com:mozilla-mobile/firefox-android.git"},
+            ["assume:repo:github.com/mozilla-mobile/firefox-android:pr-action:generic"],
+            does_not_raise(),
+        ),
     ),
 )
 def test_sanity_check_task_scope(
