Bug 1471004 - mac-signing transform logic + config. r=tomprince, a=jc…

…ristau This moves mac signing tasks to the notarization/iscript pool. It also adds support for pkg installers and notarization. Differential Revision: https://phabricator.services.mozilla.com/D33857 --HG-- extra : source : 0da56de412db9414022b954d7f147eb280a6a53c extra : intermediate-source : 682939872bee09cc2f0f405a8f294df243ccd0f8 extra : histedit_source : aceb963816787073252a093cefb989061f18b8a7
trman · Jun 5, 2019 · c55f36a · c55f36a
1 parent cd102f0
commit c55f36a
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 7 deletions.
diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml
@@ -401,3 +401,12 @@ workers:
             implementation: generic-worker
             os: windows
             worker-type: 'gecko-{alias}'
+
+mac-notarization:
+    mac-behavior:
+        by-release-type:
+            nightly.*: mac_notarize
+            beta.*: mac_notarize
+            esr.*: mac_notarize
+            release.*: mac_notarize
+            default: mac_sign_and_pkg
diff --git a/taskcluster/taskgraph/config.py b/taskcluster/taskgraph/config.py
@@ -88,6 +88,11 @@
             }
         },
     },
+    Required('mac-notarization'): {
+        Required('mac-behavior'):
+            optionally_keyed_by('platform', 'release-type',
+                                Any('mac_notarize', 'mac_pkg', 'mac_sign', 'mac_sign_and_pkg')),
+    },
 })
 
 

diff --git a/taskcluster/taskgraph/transforms/signing.py b/taskcluster/taskgraph/transforms/signing.py
@@ -10,6 +10,7 @@
 from taskgraph.loader.single_dep import schema
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job
+from taskgraph.util.keyed_by import evaluate_keyed_by
 from taskgraph.util.schema import taskref_or_string
 from taskgraph.util.scriptworker import (
     add_scope_prefix,
@@ -134,12 +135,11 @@ def make_task_description(config, jobs):
             build_platform, is_nightly, config,
             job_release_type=dep_job.attributes.get('release-type')
         )
-        worker_type = get_worker_type_for_scope(config, signing_cert_scope)
-
+        worker_type_alias = get_worker_type_for_scope(config, signing_cert_scope)
+        mac_behavior = None
         task = {
             'label': label,
             'description': description,
-            'worker-type': worker_type,
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': job['upstream-artifacts'],
                        'max-run-time': job.get('max-run-time', 3600)},
@@ -152,6 +152,25 @@ def make_task_description(config, jobs):
             'shipping-product': job.get('shipping-product'),
             'shipping-phase': job.get('shipping-phase'),
         }
+
+        if 'macosx' in build_platform:
+            assert worker_type_alias.startswith("linux-"), \
+                (
+                    "Make sure to adjust the below worker_type_alias logic for "
+                    "mac if you change the signing workerType aliases!"
+                )
+            worker_type_alias = worker_type_alias.replace("linux-", "mac-")
+            mac_behavior = evaluate_keyed_by(
+                config.graph_config['mac-notarization']['mac-behavior'],
+                'mac behavior',
+                {
+                    'release-type': config.params['release_type'],
+                    'platform': build_platform,
+                },
+            )
+            task['worker']['mac-behavior'] = mac_behavior
+
+        task['worker-type'] = worker_type_alias
         if treeherder:
             task['treeherder'] = treeherder
         if job.get('extra'):

diff --git a/taskcluster/taskgraph/transforms/task.py b/taskcluster/taskgraph/transforms/task.py
@@ -877,6 +877,11 @@ def build_generic_worker_payload(config, task, task_def):
         # Signing formats to use on each of the paths
         Required('formats'): [basestring],
     }],
+
+    # behavior for mac iscript
+    Optional('mac-behavior'): Any(
+        "mac_notarize", "mac_sign", "mac_sign_and_pkg", "mac_pkg",
+    ),
 })
 def build_scriptworker_signing_payload(config, task, task_def):
     worker = task['worker']
@@ -885,15 +890,16 @@ def build_scriptworker_signing_payload(config, task, task_def):
         'maxRunTime': worker['max-run-time'],
         'upstreamArtifacts':  worker['upstream-artifacts']
     }
-
+    if worker.get('mac-behavior'):
+        task_def['payload']['behavior'] = worker['mac-behavior']
     artifacts = set(task.get('release-artifacts', []))
     for upstream_artifact in worker['upstream-artifacts']:
         for path in upstream_artifact['paths']:
             artifacts.update(get_signed_artifacts(
                 input=path,
                 formats=upstream_artifact['formats'],
+                behavior=worker.get('mac-behavior'),
             ))
-
     task['release-artifacts'] = list(artifacts)
 
 

diff --git a/taskcluster/taskgraph/util/signed_artifacts.py b/taskcluster/taskgraph/util/signed_artifacts.py
@@ -99,13 +99,16 @@ def _strip_widevine_for_partners(artifacts_specifications):
     return artifacts_specifications
 
 
-def get_signed_artifacts(input, formats):
+def get_signed_artifacts(input, formats, behavior=None):
     """
     Get the list of signed artifacts for the given input and formats.
     """
     artifacts = set()
     if input.endswith('.dmg'):
-        artifacts.add(input.replace('.dmg', '.tar.gz'))
+        if behavior != "mac_pkg":
+            artifacts.add(input.replace('.dmg', '.tar.gz'))
+        if behavior and behavior != "mac_sign":
+            artifacts.add(input.replace('.dmg', '.pkg'))
     else:
         artifacts.add(input)
     if 'autograph_gpg' in formats: