Restrict googleplay scopes.

Also rename the current `release` and `nightly` branch aliases to `all-release-branches` and `all-nightly-branches`, because they are a superset of the repos for those releases. Restricting `release`, `beta`, and `nightly` to the actual repos used for those release trains will let us avoid pushing the wrong apk to the wrong product (though the product name helps avoid that as well).
escapewindow · Jan 31, 2017 · 50dbec9 · 50dbec9
1 parent 4060715
commit 50dbec9
Showing 1 changed file with 22 additions and 11 deletions.
diff --git a/scriptworker/constants.py b/scriptworker/constants.py
@@ -129,9 +129,9 @@
 
     # scriptworker identification
     "scriptworker_worker_types": (
-        "pushapk-v1",
         "balrogworker-v1",
         "beetmoverworker-v1",
+        "pushapk-v1",
         "signing-linux-v1",
     ),
     "scriptworker_provisioners": (
@@ -176,14 +176,15 @@
     # Map scopes to restricted-level
     'cot_restricted_scopes': frozendict({
         'firefox': frozendict({
-            'project:releng:balrog:release': 'release',
-            'project:releng:beetmover:release': 'release',
-            'project:releng:pushapk:release': 'release',
-            'project:releng:signing:cert:release-signing': 'release',
-            'project:releng:balrog:nightly': 'nightly',
-            'project:releng:beetmover:nightly': 'nightly',
-            'project:releng:pushapk:nightly': 'nightly',
-            'project:releng:signing:cert:nightly-signing': 'nightly',
+            'project:releng:balrog:release': 'all-release-branches',
+            'project:releng:beetmover:release': 'all-release-branches',
+            'project:releng:googleplay:release': 'release',
+            'project:releng:signing:cert:release-signing': 'all-release-branches',
+            'project:releng:googleplay:beta': 'beta',
+            'project:releng:googleplay:aurora': 'aurora',
+            'project:releng:balrog:nightly': 'all-nightly-branches',
+            'project:releng:beetmover:nightly': 'all-nightly-branches',
+            'project:releng:signing:cert:nightly-signing': 'all-nightly-branches',
         })
     }),
     # Map restricted-level to trees
@@ -193,20 +194,30 @@
             # Allow aurora for staging betas.
             # XXX remove /projects/jamun when we no longer release firefox
             #     from it
-            'release': (
+            'all-release-branches': (
                 "/releases/mozilla-aurora",
                 "/releases/mozilla-beta",
                 "/releases/mozilla-release",
                 "/releases/mozilla-esr45",
                 "/releases/mozilla-esr52",
                 "/projects/jamun",
             ),
+            # Limit things like pushapk to just these branches
+            'release': (
+                "/releases/mozilla-release",
+            ),
+            'beta': (
+                "/releases/mozilla-beta",
+            ),
+            'aurora': (
+                "/releases/mozilla-aurora",
+            ),
             # Which repos can do nightly signing?
             # XXX remove /projects/date when taskcluster nightly migration is
             #     tier1 and landed on mozilla-central
             # XXX remove /projects/jamun when we no longer release firefox
             #     from it
-            'nightly': (
+            'all-nightly-branches': (
                 "/mozilla-central",
                 "/releases/mozilla-unified",
                 "/releases/mozilla-aurora",