builddecisionscript: use temporary task credentials to create tasks and trigger hooks

jcristau · jcristau · commit cbecacb54caf · 2026-05-19T17:07:35.000+02:00
This relies on a change in scriptworker to write temp credentials to
disk so we can pick them up and use the task's scopes.
diff --git a/builddecisionscript/src/builddecisionscript/cron/action.py b/builddecisionscript/src/builddecisionscript/cron/action.py
@@ -7,14 +7,15 @@
 import taskcluster
 
 from ..util.http import SESSION
+from ..util.taskcluster import get_taskcluster_options
 from ..util.trigger_action import render_action
 
 logger = logging.getLogger(__name__)
 
 
 def find_decision_task(repository, revision):
     """Given repository and revision, find the taskId of the decision task."""
-    index = taskcluster.Index(taskcluster.optionsFromEnvironment(), session=SESSION)
+    index = taskcluster.Index(get_taskcluster_options(), session=SESSION)
     decision_index = f"{repository.trust_domain}.v2.{repository.project}.revision.{revision}.taskgraph.decision"
     logger.info("Looking for index: %s", decision_index)
     task_id = index.findTask(decision_index)["taskId"]
diff --git a/builddecisionscript/src/builddecisionscript/decision.py b/builddecisionscript/src/builddecisionscript/decision.py
@@ -12,6 +12,7 @@
 import taskcluster
 
 from .util.http import SESSION
+from .util.taskcluster import get_taskcluster_options
 
 logger = logging.getLogger(__name__)
 
@@ -49,5 +50,5 @@ def display(self):
 
     def submit(self):
         logger.info("Task Id: %s", self.task_id)
-        queue = taskcluster.Queue(taskcluster.optionsFromEnvironment(), session=SESSION)
+        queue = taskcluster.Queue(get_taskcluster_options(), session=SESSION)
         queue.createTask(self.task_id, self.task_payload)
diff --git a/builddecisionscript/src/builddecisionscript/util/taskcluster.py b/builddecisionscript/src/builddecisionscript/util/taskcluster.py
@@ -0,0 +1,17 @@
+# This Source Code Form is subject to the terms of the Mozilla Public License,
+# v. 2.0. If a copy of the MPL was not distributed with this file, You can
+# obtain one at http://mozilla.org/MPL/2.0/.
+
+import json
+import os
+
+def get_taskcluster_options():
+    """Return options for a Taskcluster client, reading credentials from the
+    file written by scriptworker and updated on each reclaim."""
+    creds_path = os.environ["TASKCLUSTER_CREDENTIALS_FILE"]
+    with open(creds_path) as f:
+        credentials = json.load(f)
+    return {
+        "rootUrl": os.environ["TASKCLUSTER_ROOT_URL"],
+        "credentials": credentials,
+    }
diff --git a/builddecisionscript/src/builddecisionscript/util/trigger_action.py b/builddecisionscript/src/builddecisionscript/util/trigger_action.py
@@ -22,6 +22,7 @@
 
 from . import scopes
 from .http import SESSION
+from .taskcluster import get_taskcluster_options
 
 logger = logging.getLogger(__name__)
 
@@ -62,8 +63,8 @@ def _filter_relevant_actions(actions_json, original_task):
 
 
 def _check_decision_task_scopes(decision_task_id, hook_group_id, hook_id):
-    queue = taskcluster.Queue(taskcluster.optionsFromEnvironment(), session=SESSION)
-    auth = taskcluster.Auth(taskcluster.optionsFromEnvironment(), session=SESSION)
+    queue = taskcluster.Queue(get_taskcluster_options(), session=SESSION)
+    auth = taskcluster.Auth(get_taskcluster_options(), session=SESSION)
     decision_task = queue.task(decision_task_id)
     decision_task_scopes = auth.expandScopes({"scopes": decision_task["scopes"]})["scopes"]
     in_tree_scope = f"in-tree:hook-action:{hook_group_id}/{hook_id}"
@@ -77,7 +78,7 @@ def _check_decision_task_scopes(decision_task_id, hook_group_id, hook_id):
 
 
 def render_action(*, action_name, task_id, decision_task_id, action_input):
-    queue = taskcluster.Queue(taskcluster.optionsFromEnvironment(), session=SESSION)
+    queue = taskcluster.Queue(get_taskcluster_options(), session=SESSION)
 
     logger.debug("Fetching actions.json...")
     actions_url = queue.buildUrl("getLatestArtifact", decision_task_id, "public/actions.json")
@@ -141,7 +142,7 @@ def display(self):
         )
 
     def submit(self):
-        hooks = taskcluster.Hooks(taskcluster.optionsFromEnvironment(), session=SESSION)
+        hooks = taskcluster.Hooks(get_taskcluster_options(), session=SESSION)
         logger.info("Triggering hook %s/%s", self.hook_group_id, self.hook_id)
         result = hooks.triggerHook(self.hook_group_id, self.hook_id, self.hook_payload)
         logger.info("Task Id: %s", result["status"]["taskId"])
diff --git a/builddecisionscript/tests/test_taskcluster.py b/builddecisionscript/tests/test_taskcluster.py
@@ -0,0 +1,26 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import json
+import os
+
+import pytest
+
+from builddecisionscript.util.taskcluster import get_taskcluster_options
+
+
+def test_get_taskcluster_options(tmp_path, monkeypatch):
+    credentials = {"clientId": "test-client", "accessToken": "test-token"}
+    creds_file = tmp_path / "credentials.json"
+    creds_file.write_text(json.dumps(credentials))
+
+    monkeypatch.setenv("TASKCLUSTER_CREDENTIALS_FILE", str(creds_file))
+    monkeypatch.setenv("TASKCLUSTER_ROOT_URL", "https://tc.example.com")
+
+    result = get_taskcluster_options()
+
+    assert result == {
+        "rootUrl": "https://tc.example.com",
+        "credentials": credentials,
+    }
