diff --git a/.taskcluster.yml b/.taskcluster.yml
index 94bb1aaafd..faae7dbc21 100644
--- a/.taskcluster.yml
+++ b/.taskcluster.yml
@@ -140,6 +140,8 @@ tasks:
 tag: ${event.release.tag_name}
 release_task_definition:
 payload:
+ env:
+ IS_RELEASE: 1
 features:
 chainOfTrust: true
 scopes:
diff --git a/automation/taskcluster/decision_task.py b/automation/taskcluster/decision_task.py
index e4e8d41b17..f37e9f5410 100644
--- a/automation/taskcluster/decision_task.py
+++ b/automation/taskcluster/decision_task.py
@@ -202,9 +202,9 @@ def android_multiarch_release():
 for module_info in module_definitions():
 module = module_info['name']
 build_task = module_build_tasks[module]
- for artifact_info in module_info['artifacts']:
- artifact_name = artifact_info['name']
- artifact = artifact_info['path']
+ for artifact in module_info['artifacts']:
+ artifact_name = artifact['name']
+ artifact_path = artifact['path']
 (
 BeetmoverTask("Publish Android module: {} via beetmover".format(artifact_name))
 .with_description("Publish release module {} to {}".format(artifact_name, bucket_public_url))
@@ -212,7 +212,7 @@ def android_multiarch_release():
 # We want to make sure ALL builds succeeded before doing a release.
 .with_dependencies(*module_build_tasks.values())
 .with_upstream_artifact({
- "paths": [artifact],
+ "paths": [artifact_path],
 "taskId": build_task,
 "taskType": "build",
 "zipExtract": True,
@@ -230,11 +230,9 @@ def android_multiarch_release():
 def dockerfile_path(name):
 return os.path.join(os.path.dirname(__file__), "docker", name + ".dockerfile")
-
 def linux_task(name):
 return DockerWorkerTask(name).with_worker_type("application-services-r")
-
 def linux_build_task(name):
 task = (
 linux_task(name)
@@ -326,6 +324,7 @@ def linux_cross_compile_build_task(name):
 )
 CONFIG.task_name_template = "Application Services - %s"
+CONFIG.is_release = os.getenv("IS_RELEASE", False)
 CONFIG.index_prefix = "project.application-services.application-services"
 CONFIG.docker_image_build_worker_type = "application-services-r"
 CONFIG.docker_images_expire_in = build_dependencies_artifacts_expire_in
diff --git a/automation/taskcluster/decisionlib.py b/automation/taskcluster/decisionlib.py
index 4ca96c1c70..8610a88912 100644
--- a/automation/taskcluster/decisionlib.py
+++ b/automation/taskcluster/decisionlib.py
@@ -38,6 +38,7 @@ class Config:
 Global configuration, for users of the library to modify.
 """
 def __init__(self):
+ self.is_release = False
 self.task_name_template = "%s"
 self.index_prefix = "garbage.application-services-decisionlib"
 self.scopes_for_all_subtasks = []
@@ -210,11 +211,6 @@ def create(self):
 if any(r.startswith("index.") for r in routes):
 self.extra.setdefault("index", {})["expires"] = \
 SHARED.from_now_json(self.index_and_artifacts_expire_in)
- if hasattr(self, 'features') and self.features.get('chainOfTrust'):
- image = self.docker_image
- if image and isinstance(image, dict):
- cot = self.extra.setdefault("chainOfTrust", {})
- cot.setdefault('inputs', {})['docker-image'] = image['taskId']
 dict_update_if_truthy(
 queue_payload,
@@ -240,6 +236,9 @@ def find_or_create(self, index_path=None):
 """
+ # In release environments we always create a task, which ensures chainOfTrust is set.
+ if CONFIG.is_release:
+ return self.create()
 if not index_path:
 worker_type = self.worker_type
 index_by = json.dumps([worker_type, self.build_worker_payload()]).encode("utf-8")
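Review bot: `CONFIG.is_release = os.getenv("IS_RELEASE", False)` in decision_task.py stores the raw environment string, so any non-empty value, including `0` or `false`, switches release mode on. This flag now decides whether chainOfTrust is enabled and whether indexed tasks are reused, so it should be parsed explicitly, e.g. `CONFIG.is_release = os.environ.get("IS_RELEASE") == "1"`. That also keeps the attribute a bool, matching the `self.is_release = False` default added in `Config.__init__`. The .taskcluster.yml hunk sets the value as a bare YAML `1`, which presumably reaches the process as the string `1`; writing it as `IS_RELEASE: "1"` would remove the doubt.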
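Review bot: The early `return self.create()` in find_or_create (decisionlib.py) bypasses the index lookup and ignores `index_path`, so in release mode every call creates a new task. The rest of the function is outside the hunk, so I cannot tell whether callers invoke it more than once for the same definition; if they do, a release graph would contain duplicate tasks, which is worth confirming. The added comment states the effect but not the reason, and something like `# Release: never reuse an indexed task, it may have been created without chainOfTrust.` would be clearer. The docstring above it should mention the release behaviour as well.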
@@ -337,8 +336,12 @@ def build_worker_payload(self):
 deindent("\n".join(self.scripts))
 ],
 }
- if len(self.artifacts) > 0 and "chainOfTrust" not in self.features:
+ if CONFIG.is_release and len(self.artifacts) > 0:
 self.features["chainOfTrust"] = True
+ if self.features.get("chainOfTrust"):
+ if isinstance(self.docker_image, dict):
+ cot = self.extra.setdefault("chainOfTrust", {})
+ cot.setdefault('inputs', {})['docker-image'] = self.docker_image['taskId']
 return dict_update_if_truthy(
 worker_payload,
 env=self.env,
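Review bot: build_worker_payload now writes the `docker-image` entry into `self.extra` as a side effect, so it only reaches the task definition if the caller reads `self.extra` after this method has run. The block removed from create() did this next to the `extra` handling; create() is not fully visible here, so please confirm the payload is built before `extra` is copied into the queue payload. A comment such as `# Must run before create() reads self.extra: records the image task as a chainOfTrust input.` would document that ordering. Separately, when chainOfTrust is on and `self.docker_image` is not a dict, no docker-image input is recorded and nothing reports it. The method starts and ends outside the hunk.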