All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
verify_signed_tag, which verifies the tag's signature and makes sure we're updated to it.
rebuild_gpg_homedirsnow uses git tags instead of checking for signed commits.get_git_revisionnow takes arefkwarg; it finds the revision for that ref (e.g., tag, branch).update_signed_git_reporevisionkwarg is now namedref. It also verifies and updates to the signed git tag instead ofref.update_signed_git_reponow returns a tuple (revision, tag)build_gpg_homedirs_from_reponow usesverify_signed_taginstead ofverify_signed_git_commit, and takes a newtagarg.
- the curl command in
Dockerfile.gnupgnow retries on failure.
verify_signed_git_commit_outputverify_signed_git_commit
- beetmover and balrog scriptworker support in chain of trust verification
cot_restricted_treesconfig, which maps branch-nick to branches
- Changed
cot_restricted_scopesto be a scope to branch-nick dict, indexed bycot_product
- nuke then move the tmp gpg homedir, rather than trying to [wrongly] use
overwrite_gpg_homeon a parent dir
- Dockerfiles: one for general testing and one for gpg homedir testing, with readme updates
flake8_docstringsin tox.ini- log chain of trust verification more verbosely, since we no longer have real artifacts uploaded alongside
- download cot artifacts into
work_dir/cotinstead ofartifact_dir/public/cot, to avoid massive storage dups download_artifactsnow returns a list of full paths instead of relative paths. SinceupstreamArtifactscontains the relative paths, this should be more helpful.contextual_log_handlernow takes alogging.Formatterkwarg rather than a log format string.
- check for a new gpg homedir before
run_loop, because puppet will now userebuild_gpg_homedirs
- updated all docstrings to pass
flake8_docstrings - switched to a three-phase lockfile for gpg homedir creation to avoid race conditions (locked, ready, unlocked)
- catch
aiohttp.errors.DisconnectedErrorandaiohttp.errors.ClientErrorinrun_loopduringupload_artifacts - compare the built docker-image tarball hash against
imageArtifactHash
- the
create_initial_gpg_homedirsentry point has been removed in favor ofrebuild_gpg_homedirs.
scriptworker.cot.verify.raise_on_errorsnow takes a kwarg oflevel, which defaults tologging.CRITICAL. This is to support fuzzy task matching, where not matching a task is non-critical.scriptworker.cot.verify.verify_link_in_task_graphnow supports fuzzy task matching. If the Link'stask_idisn't in the task graph, try to match the task definition against the task graph definitions, and throwCoTErroron failure. This is to support Taskcluster retriggers.verify_cotis now an entry point, rather than a helper script inscriptworker/test/data/.
- allowed for
USE_SCCACHEas a build env var
scriptworker.cot.verifynow verifies the chain of trust for the graph.scriptworker.exceptions.CoTErrornow marks chain of trust validation errors.scriptworker.task.get_task_id,scriptworker.task.get_run_id,scriptworker.task.get_decision_task_id,scriptworker.task.get_worker_typescriptworker.log.contextual_log_handlerfor short-term logs- added framework for new docs
- config files are now yaml, to enable comments.
config_example.jsonandcot_config_example.jsonhave been consolidated intoscriptworker.yaml.tmpl.context.cot_configitems now live incontext.config. validate_artifact_urlnow takes a list of dictionaries as rules, leading to more configurable url checking.scriptworker.cotis nowscriptworker.cot.generate. Theget_environmentfunction has been renamed toget_cot_environment.scriptworker.gpg.get_bodynow takes averify_sigkwarg.download_artifactsnow takesvalid_artifact_task_idsas a kwarg.max_connectionsis nowaiohttp_max_connections- scriptworker task definitions now expect an
upstreamArtifactslist of dictionaries
- docstring single backticks are now double backticks
- catch aiohttp exceptions on upload
- removed all references to
cot_config - removed the credential update, since puppet restarts scriptworker on config change.
gpg_lockfileandlast_good_git_revision_filein configget_last_good_git_revisionandwrite_last_good_git_revisionnow return the last good git revision, and write it tolast_good_git_revision_file, respectively.get_tmp_base_gpg_home_diris a helper function to avoid duplication in logic.rebuild_gpg_homedirsis a new entry point script that allows us to recreate the gpg homedirs in a tmpdir, in a separate processis_lockfile_present,create_lockfile, andrm_lockfileas helper functions for the two gpg homedir entry points.
sign_key,rebuild_gpg_home_flat,rebuild_gpg_home_signed,build_gpg_homedirs_from_repoare no longer async.overwrite_gpg_homeonly keeps one backup.update_signed_git_reponow returns the latest git revision, instead of a boolean marking whether the revision is new or not. This will help avoid the scenario where we update, fail to generate the gpg homedirs, and then stay on an old revision until the next push.update_logging_confignow takes afile_namekwarg, which allows us to create new log files for therebuild_gpg_homedirsandcreate_initial_gpg_homedirsentry points.
build_gpg_homedirs_from_reponow waits to verify the contents of the updated git repo before nuking the previous base gpg homedir.create_initial_gpg_homedirsnow creates a logfile
rebuild_gpg_homedirs_loopis no longer needed, and is removed.
- logged the stacktrace if the
mainloop hits an exception. No longer catch and ignoreRuntimeError, since it wasn't clear why that was put in. - updated
check_configto make sure taskcluster-related configs match taskcluster requirements
- changed the way the polling loop works:
async_mainis now a single pass, whichmaincalls in awhile Trueloop. This should fix the situation where polling was dying silently while the git update loop continued running every 5 minutes.
- explicitly pass
taskIdandrunIdtoclaim_task. There's a newhintIdproperty that appears inmessage_info['task_info']that broke things.
- added
git_key_repo_dir,base_gpg_home_dir,my_email, andgpg_pathtoconfig_example.json - added
cot_config_example.json,cot_config_schema.json, andscriptworker.config.get_cot_configfor ChainOfTrust config - added
update_signed_git_repo,verify_signed_git_commit,build_gpg_homedirs_from_repo,rebuild_gpg_homedirs_loop, andcreate_initial_gpg_homedirsfor gpg homedir creation and updates in the background. - added a background call to update the gpg homedirs in
scriptworker.worker.async_main - added another entry point,
create_initial_gpg_homedirs, for puppet to create the first gpg homedirs
- default config filename is now
scriptworker.jsoninstead ofconfig.json - moved
scriptworker.config.get_context_from_cmdlnout ofscriptworker.worker.main; now using argparse - changed default
sign_chain_of_trustto True scriptworker.gpg.sign_key,scriptworker.gpg.rebuild_gpg_home_flat, andscriptworker.gpg.rebuild_gpg_home_signedare now async, so they can happen in parallel in the background- renamed
scriptworker.gpg.latest_signed_git_committoscriptworker.gpg.verify_signed_git_commit_output - combined
scriptworker.log.log_errorsandscriptworker.log.read_stdoutintoscriptworker.log.pipe_to_log - added
taskGroupIdto the list of default validtaskIds to download from. This logic will need to change in version 0.9.0 due to the new chain of trust dependency traversal logic
- added missing docstrings to the
download_artifactsanddownload_filefunctions - fixed coverage version in
tox.ini py35-coveralls sign_keynow supports signing keys with multiple subkeys
- added
DownloadErrorexception fordownload_file - added
scriptworker.task.download_artifacts - added
scriptworker.util.download_file
DEFAULT_CONFIG,STATUSES, andREVERSED_STATUSEShave moved toscriptworker.constants.list_to_tuplehas been renamedfreeze_values, and also converts dict values to frozendicts.
- significant gpg support
- ability to create new gpg homedirs
- scriptworker now requires
pexpectfor gpg key signing - docstrings!
- helper scripts to generate 1000 pubkeys and time importing them.
- added
scriptworker.utils.rmas anrm -rffunction
utils.makedirsnow throwsScriptWorkerExceptionif the path exists and is not a directory or a softlink pointing to a directory.- gpg functions now take a
gpg_homekwarg to specify a different homedir - moved
scriptworker.client.integration_create_task_payloadintoscriptworker.test - renamed
scriptworker.util.get-_hashkwarghash_typetohash_alg - renamed
firefox_cot_schema.jsontocot_v1_schema.json; also, the schema has changed. - the chain of trust schema has changed to version 1.
- pass a
tasktoscriptworker.task.reclaimTaskand exit the loop if it doesn't matchcontext.task - we now verify that
context.taskis the same task we scheduledreclaim_taskfor.
- Removed
get_temp_creds_from_file, since we're not writingtemp_credsto disk anymore - Removed
scriptworker.task.get_temp_queue, since we already havecontext.temp_queue - Removed
pytest-asynciodependency. It doesn't play well withpytest-xdist. - Removed
scriptworker.task.get_temp_queue; we can usecontext.temp_queue - Removed
pytest-asynciousage to try to usepytest-xdist, then turned that back off when it conflicted with the event loop
- added
firefox_cot_schema.jsonfor firefox chain of trust - added gpg signature creation + verification
- added chain of trust generation
- added
scriptworker.task.worst_levelfunction for determining overall result of task
unsignedArtifactsurl paths are now unquoted, so%2Fbecomes/validate_task_schemarenamed tovalidate_json_schema- write task log files directly to the
task_log_dir; this should be a subdir ofartifact_dirif we want them uploaded. ScriptWorkerExceptionnow has anexit_codeof 5 (internal-error);ScriptWorkerRetryExceptionnow has anexit_codeof 4 (resource-unavailable)- moved
testsdirectory toscriptworker/test
- Functions in
test_confignow ignore existingTASKCLUSTER_env vars for a clean testing environment raise_future_exceptionsno longer throws an exception for an empty list of tasks- Updated
CONTRIBUTING.rstto reflect reality
- add
scriptworker.utils.filepaths_in_dir - added setup.cfg for wheels
- added
scriptworker.client.validate_artifact_url. - added python-gnupg dependency
- test files no longer use a test class.
upload_artifactsnow uploads files in subdirectories ofartifact_dir, preserving the relative paths.
- Removed unneeded creds file generation.
- Added
requirements-*.txtfiles. The-prodfiles have pinned versions+hashes, viareqhash. - Added
raise_future_exceptionsfunction from signingscript
- Upload artifacts to public/env/
filename. - Enabled coverage branches in testing.
- Enabled environment variable configuration for credentials+workerid
- Moved source repo to mozilla-releng/scriptworker
- No longer prepend stderr log lines with ERROR
- Reduced debug logging
- Tweaked the config defaults to be a bit more sane.
- Fixed an exception where automated processes without HOME set would fail to launch scriptworker
- Removed
scheduler_idfrom config; it's only used to schedule integration tests.
upload_artifactsnow specifies acontent_typeoftext/plainfor the task logfiles, to fix linux uploading.
- Context now has a
claim_taskproperty that stores the output fromclaimTask.Context.taskis now the task definition itself. scriptworker.utils.requestnow takes additional kwargs to be a more versatile function.
- bundled version.json
- CHANGELOG.md
- Pinned
pytest-asyncioto 0.3.0 because 0.4.1 hits closed event loop errors.