cot_verify does not download actions.json artifact from other action tasks #580

Open
ahal opened this issue Dec 20, 2022 · 1 comment
@ahal
Contributor

ahal commented Dec 20, 2022

This means that if you have an action task that was created from the graph of another action task, CoT will fail as the actions.json artifact will be missing from the file system.

This was born out of an assumption that actions would only be triggered from on-push Decision tasks, and not other action graphs. I hit it when I was attempting to rebuild cached tasks for a chain of trust rotation and retriggered a task that was part of a release-promotion graph. So this task had a parent that was an action (retrigger), whose parent was also an action (release-promotion).

This case is easily worked around by using add-new-jobs from an on-push Decision graph, so it's not hugely important to fix. Though I do think it would be nice to make this edge case work in case anyone else runs into it in the future.

@jcristau
Contributor

jcristau commented Jul 5, 2023

We hit this again yesterday, where a release promotion action was kicked off from a previous relpro phase's task group instead of the on-push task group. One big issue IMO is that the failure mode is pretty cryptic, failing while running (in this case) a signing task downstream of the relpro action, with:

INFO:scriptworker.cot.verify:Verifying action e6Dn2uEgSqycFJ508E6N6Q as a action task...
INFO:scriptworker.cot.verify:Verifying action e6Dn2uEgSqycFJ508E6N6Q definition...
Traceback (most recent call last):
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/utils.py", line 566, in load_json_or_yaml
    with open(string, "r") as fh:
         ^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpghpfb_0_/work/cot/ZlhkJITWQyiQ5Cpar-M1ow/public/actions.json'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/venv/bin/verify_cot", line 8, in <module>
    sys.exit(verify_cot_cmdln())
             ^^^^^^^^^^^^^^^^^^
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 2108, in verify_cot_cmdln
    event_loop.run_until_complete(_async_verify_cot_cmdln(opts, tmp))
  File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 2061, in _async_verify_cot_cmdln
    await verify_chain_of_trust(cot, check_task=check_task)
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 2025, in verify_chain_of_trust
    await verify_task_types(chain)
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 1783, in verify_task_types
    await valid_task_types[task_type](chain, obj)
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 1707, in verify_parent_task
    await verify_parent_task_definition(chain, link)
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 1569, in verify_parent_task_definition
    jsone_context, tmpl = await get_jsone_context_and_template(chain, parent_link, decision_link, tasks_for)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 1536, in get_jsone_context_and_template
    jsone_context, tmpl = await get_action_context_and_template(chain, parent_link, decision_link)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/cot/verify.py", line 1490, in get_action_context_and_template
    all_actions = load_json_or_yaml(actions_path, is_path=True)["actions"]
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcristau/src/github.com/mozilla-releng/scriptworker/src/scriptworker/utils.py", line 574, in load_json_or_yaml
    raise exception(message % repl_dict)
scriptworker.exceptions.ScriptWorkerTaskException: Failed to load json: [Errno 2] No such file or directory: '/tmp/tmpghpfb_0_/work/cot/ZlhkJITWQyiQ5Cpar-M1ow/public/actions.json'

If we don't want to support this then we should make actions explicitly fail when their parent is another action, instead of breaking CoT verification later when checking a third task.

jcristau added a commit to jcristau/scriptworker that referenced this issue Jul 5, 2023
If an action task's parent is another action task, we'll need to check
it against that parent task's actions.json.

Fixes mozilla-releng#580
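
The check discussed in this thread, sketched as an added example (not scriptworker's code and not the referenced commit): every action task in a chain is paired with its immediate parent, and a missing `actions.json` is reported up front with both task IDs instead of surfacing as a `FileNotFoundError` during verification. The task-graph dict, the task IDs and all function names are hypothetical; only the `<cot_dir>/<taskId>/public/actions.json` layout comes from the traceback above.

```python
import os

class MissingActionsJson(Exception):
    """Raised before verification when a required actions.json is absent."""

# Constructed graph (hypothetical IDs): each task names its kind and parent.
SAMPLE_TASKS = {
    "decision":  {"kind": "decision", "parent": None},
    "relpro":    {"kind": "action",   "parent": "decision"},
    "retrigger": {"kind": "action",   "parent": "relpro"},
    "signing":   {"kind": "signing",  "parent": "retrigger"},
}

def actions_json_path(cot_dir, task_id):
    # Layout as seen in the traceback: <cot_dir>/<taskId>/public/actions.json
    return os.path.join(cot_dir, task_id, "public", "actions.json")

def required_actions_json(tasks, task_id):
    """Walk up from task_id and return [(action_id, parent_id)] for every
    action task in the chain. Each action is paired with its immediate
    parent, whether that is a decision task or another action task."""
    needed, seen = [], set()
    while task_id is not None and task_id not in seen:
        seen.add(task_id)
        task = tasks[task_id]
        if task["kind"] == "action":
            needed.append((task_id, task["parent"]))
        task_id = task["parent"]
    return needed

def preflight(tasks, task_id, cot_dir):
    """Return True if every needed actions.json is on disk; otherwise raise
    an error naming the action and the parent whose artifact is missing."""
    for action_id, parent_id in required_actions_json(tasks, task_id):
        if parent_id is None:
            raise MissingActionsJson(f"action {action_id} has no parent task")
        path = actions_json_path(cot_dir, parent_id)
        if not os.path.isfile(path):
            raise MissingActionsJson(
                f"action {action_id} must be checked against the actions.json "
                f"of parent {parent_id} ({tasks[parent_id]['kind']}), "
                f"but {path} was not downloaded"
            )
    return True
```
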