cot_verify does not download actions.json artifact from other action tasks
#580
Comments
We hit this again yesterday, where a release promotion action was kicked off from a previous relpro phase's task group instead of the on-push task group. One big issue IMO is that the failure mode is pretty cryptic, failing while running (in this case) a signing task downstream of the relpro action, with:
If we don't want to support this then we should make actions explicitly fail when their parent is another action, instead of breaking CoT verification later when checking a third task.
If an action task's parent is another action task, we'll need to check it against that parent task's actions.json. Fixes mozilla-releng#580
This means that if you have an action task that was created from the graph of another action task, CoT will fail as the `actions.json` artifact will be missing from the file system.
This was born out of an assumption that actions would only be triggered from on-push Decision tasks, and not other action graphs. I hit it when I was attempting to rebuild cached tasks for a chain of trust rotation and retriggered a task that was part of a `release-promotion` graph. So this task had a parent that was an action (retrigger), whose parent was also an action (release-promotion).
This case is easily worked around by using `add-new-jobs` from an on-push Decision graph, so it's not hugely important to fix. Though I do think it would be nice to make this edge case work in case anyone else runs into it in the future.
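A simplified model of the parent chain described in this issue, added here as an example and not taken from scriptworker's code: it walks up from a task, lists every parent whose `actions.json` an action must be checked against, and offers a strict mode that fails early with a clear message, as the comment above suggests. The task kinds, task ids and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIONS_ARTIFACT = "public/actions.json"


@dataclass(frozen=True)
class Task:
    task_id: str
    kind: str                 # hypothetical labels: "decision", "action", "worker"
    parent_id: Optional[str]  # task whose graph created this one; None at the root


class ActionParentError(Exception):
    """Strict mode: an action was created from another action's graph."""


def actions_json_sources(graph: Dict[str, Task], start_id: str,
                         allow_action_parents: bool = True) -> List[str]:
    """Walk up from start_id; return each parent an action must be checked against."""
    needed: List[str] = []
    seen = set()
    task = graph[start_id]
    while task.parent_id is not None:
        if task.task_id in seen:
            raise ValueError(f"parent cycle at {task.task_id}")
        seen.add(task.task_id)
        parent = graph[task.parent_id]
        if task.kind == "action":
            if parent.kind == "action" and not allow_action_parents:
                raise ActionParentError(
                    f"action {task.task_id} has action parent {parent.task_id}; "
                    f"its {ACTIONS_ARTIFACT} would not be available")
            if parent.task_id not in needed:
                needed.append(parent.task_id)
        task = parent
    return needed


def missing_under_decision_only(graph: Dict[str, Task], start_id: str) -> List[str]:
    """Sources skipped when only decision tasks' actions.json is downloaded."""
    return [t for t in actions_json_sources(graph, start_id)
            if graph[t].kind != "decision"]


# Constructed chain from the issue: decision -> release-promotion -> retrigger -> task
GRAPH = {t.task_id: t for t in [
    Task("decision-1", "decision", None),
    Task("relpro-1", "action", "decision-1"),
    Task("retrigger-1", "action", "relpro-1"),
    Task("rebuilt-1", "worker", "retrigger-1"),
]}
```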