Bug 1941649 - Grant generic action scopes for mozilla trust domain …
#260
Conversation
|
I'm going to leave this in draft until others on the team have had a chance to object. |
ahal
force-pushed
the
ahal/push-kotkynrppzqy
branch
from
ce7c566 to
fc599c9
Compare
There was a problem hiding this comment.
I had a look at Gecko actions that are using the generic permission. The only one that seemed like it ought not to be usable by anyone with L3 is https://searchfox.org/mozilla-central/source/taskcluster/gecko_taskgraph/actions/openh264.py, which builds and signs the openh264 plugin. It's not like that actually ships anything though, so I'm not terribly concerned about it.
rebuild_cached_builds might arguably need to be more protected as well, but that's more for footgun reasons than anything else, and I can still see a fairly strong argument for keeping it generic to keep a wide array of people that can help unstick cached task issues.
|
Just to clarify, we already grant the generic Gecko permissions to everyone with L3 (I think you knew that). I agree that those two should probably have their own scope though. |
…scm_level_*