Taskcluster command line interface (CLI)¶
Difference between actions and CLI¶
Taskcluster action hooks, as implemented in taskgraph, are one way to perform similar tasks as the CLI, especially in regard to cancelling, rerunning, or retriggering tasks.
They differ in a few ways:
You need a different set of scopes to trigger action hooks than to cancel, rerun, or retrigger tasks directly. For action hooks, you might need a scope like
hooks:trigger-hook:project-gecko/in-tree-action-1-generic/*. For the CLI, you might need a scope like
Actions use the logic supplied in
taskgraph. The CLI hits the Taskcluster API directly. Oftentimes this can result in similar behavior. But, for example, Github PRs from a non-privileged fork might not allow for rerunning, retriggering, or cancelling tasks through action hooks, while someone with scopes may be able to via the CLI.
(A related point: permissions are more granular for action hooks; the CLI may allow for more broad access.)
Tasks generated through action hooks can be verifiable by the Chain of Trust (CoT). Tasks generated through, e.g.,
taskcluster task retrigger -- TASKIDare not. (This CLI call creates a new task without an action or decision task, which prevents CoT from verifying.)
taskcluster task rerun -- TASKIDdoesn’t generate a new task but merely increments the
runId, that task should remain CoT-verifiable if it was CoT-verifiable originally.)
Taskcluster CLI best practices¶
Principle of Least Privilege¶
We should follow the principle of least privilege. Although Releng has effective root on the FirefoxCI cluster, let’s not perform everyday actions using root privileges. Setting short expiries and the minimal amount of scopes needed to perform a given task helps avoid a) leaking scopes that can cause a lot of damage, and/or b) accidentally running the wrong command in a shell and doing damage to the production cluster.
By setting aliases in our shells, we can perform common tasks without having to memorize the syntax every time. Here are a few aliases that may be helpful:
# To set your root URL to the production firefoxci or stage cluster tc-fxci='export TASKCLUSTER_ROOT_URL=https://firefox-ci-tc.services.mozilla.com/' tc-staging='export TASKCLUSTER_ROOT_URL=https://stage.taskcluster.nonprod.cloudops.mozgcp.net/' # To log out explicitly tc-logout='unset TASKCLUSTER_CLIENT_ID; unset TASKCLUSTER_ACCESS_TOKEN' # Rerunning and cancelling tasks are a common request/need in releaseduty; # grant this set of scopes for 1 hour tc-relduty=$'eval `TASKCLUSTER_ROOT_URL=https://firefox-ci-tc.services.mozilla.com/ taskcluster signin --expires 1h -s "queue:rerun-task:*\nqueue:cancel-task:*"`' # Up to root privs: only grant these for 15min tc-signin='eval `TASKCLUSTER_ROOT_URL=https://firefox-ci-tc.services.mozilla.com/ taskcluster signin --expires 15m "$@"`'