mozilla-releng / adhoc-signing Goto Github PK

I think these work, but ideally we'd have some sort of warning that if we're running macapp, we need to define some of these. And if we're not running macapp signing, none of these are valid. We could do this in a number of ways:

• define a schema for macapp vs non-macapp
• put these options in a format-specific dictionary that we define schemas for for each signing format
• put these three if statements under an if format_ == "macapp": block, or similar

We don't necessarily need to block on this but we may want to track the issue at least.

Originally posted by @escapewindow in #23 (comment)

Let's:

• move the manifests to a private repo
• support building the fetch tasks on-change/PR on that repo
• support pulling those artifacts from non-public URLs. The current thought is setting up a private S3 bucket. Releng can upload artifacts there, and the automation can have a read-only token.

Let's get a repo-level review + branch protections set before we use this repo for real.

We added dep-signing as a PR task in 45117e2 . We didn't make it a cached task, which means that every PR runs a dep-signing task for every signing manifest, and that seems to pull in the fetch tasks as a non-soft-dependency.

Let's make the dep-signing kind cached, with the same resources as their upstream fetch task.

Ideally we should have shipit integration, and signoffs, for adhoc relpro.

Braindumping an idea I had before I forget.

The current adhoc-signing mechanism is a bit clunky. CI generates dep signing tasks for every manifest in the signing-manifests directory. Then you need to manually trigger the signing request and fill in the manifest you desire. In my experience, we almost always want to do only a single signing request at a time.

I propose we:

1. Create a templates dir and a <name>.tmpl.yml file for each use case we want to support.
2. Create a generate-signing-manifest script which takes a template name and some other metadata (description, file size, etc) as input, and creates a valid manifest file at the repo root. Notably there will be only a single file, and re-running this script will clobber whatever was previously there.
3. Refactor the CI to run the signing task that corresponds to the manifest at the repo root and delete the Promote an Adhoc Signature action. This does move access control away from scopes and towards Github roles. Maybe this is a sticking point, but in practice only Releng has permission to the adhoc-signing repo anyway.