Address @ncalexan comments

mozilla · Apr 22, 2019 · b39fc40 · b39fc40
1 parent e006777
commit b39fc40
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 12 deletions.
diff --git a/.taskcluster.yml b/.taskcluster.yml
@@ -140,6 +140,8 @@ tasks:
             tag: ${event.release.tag_name}
             release_task_definition:
               payload:
+                env:
+                  IS_RELEASE: 1
                 features:
                   chainOfTrust: true
               scopes:

diff --git a/automation/taskcluster/decision_task.py b/automation/taskcluster/decision_task.py
@@ -202,17 +202,17 @@ def android_multiarch_release():
     for module_info in module_definitions():
         module = module_info['name']
         build_task = module_build_tasks[module]
-        for artifact_info in module_info['artifacts']:
-            artifact_name = artifact_info['name']
-            artifact = artifact_info['path']
+        for artifact in module_info['artifacts']:
+            artifact_name = artifact['name']
+            artifact_path = artifact['path']
             (
                 BeetmoverTask("Publish Android module: {} via beetmover".format(artifact_name))
                 .with_description("Publish release module {} to {}".format(artifact_name, bucket_public_url))
                 .with_worker_type(worker_type)
                 # We want to make sure ALL builds succeeded before doing a release.
                 .with_dependencies(*module_build_tasks.values())
                 .with_upstream_artifact({
-                    "paths": [artifact],
+                    "paths": [artifact_path],
                     "taskId": build_task,
                     "taskType": "build",
                     "zipExtract": True,
@@ -230,11 +230,9 @@ def android_multiarch_release():
 def dockerfile_path(name):
     return os.path.join(os.path.dirname(__file__), "docker", name + ".dockerfile")
 
-
 def linux_task(name):
     return DockerWorkerTask(name).with_worker_type("application-services-r")
 
-
 def linux_build_task(name):
     task = (
         linux_task(name)
@@ -326,6 +324,7 @@ def linux_cross_compile_build_task(name):
     )
 
 CONFIG.task_name_template = "Application Services - %s"
+CONFIG.is_release = os.getenv("IS_RELEASE", False)
 CONFIG.index_prefix = "project.application-services.application-services"
 CONFIG.docker_image_build_worker_type = "application-services-r"
 CONFIG.docker_images_expire_in = build_dependencies_artifacts_expire_in

diff --git a/automation/taskcluster/decisionlib.py b/automation/taskcluster/decisionlib.py
@@ -38,6 +38,7 @@ class Config:
     Global configuration, for users of the library to modify.
     """
     def __init__(self):
+        self.is_release = False
         self.task_name_template = "%s"
         self.index_prefix = "garbage.application-services-decisionlib"
         self.scopes_for_all_subtasks = []
@@ -210,11 +211,6 @@ def create(self):
         if any(r.startswith("index.") for r in routes):
             self.extra.setdefault("index", {})["expires"] = \
                 SHARED.from_now_json(self.index_and_artifacts_expire_in)
-        if hasattr(self, 'features') and self.features.get('chainOfTrust'):
-            image = self.docker_image
-            if image and isinstance(image, dict):
-                cot = self.extra.setdefault("chainOfTrust", {})
-                cot.setdefault('inputs', {})['docker-image'] = image['taskId']
 
         dict_update_if_truthy(
             queue_payload,
@@ -240,6 +236,9 @@ def find_or_create(self, index_path=None):
 
         <https://docs.taskcluster.net/docs/reference/core/taskcluster-index/references/api#findTask>
         """
+        # In release environments we always create a task, which ensures chainOfTrust is set.
+        if CONFIG.is_release:
+            return self.create()
         if not index_path:
             worker_type = self.worker_type
             index_by = json.dumps([worker_type, self.build_worker_payload()]).encode("utf-8")
@@ -337,8 +336,12 @@ def build_worker_payload(self):
                 deindent("\n".join(self.scripts))
             ],
         }
-        if len(self.artifacts) > 0 and "chainOfTrust" not in self.features:
+        if CONFIG.is_release and len(self.artifacts) > 0:
             self.features["chainOfTrust"] = True
+        if self.features.get("chainOfTrust"):
+            if isinstance(self.docker_image, dict):
+                cot = self.extra.setdefault("chainOfTrust", {})
+                cot.setdefault('inputs', {})['docker-image'] = self.docker_image['taskId']
         return dict_update_if_truthy(
             worker_payload,
             env=self.env,