.taskcluster.yml

version: 1
policy:
  pullRequests: collaborators
tasks:
  $let:

    project_name:
      Lithium

    matrix:
      language: python
      secrets:
        - type: env
          secret: project/fuzzing/codecov-lithium
          name: CODECOV_TOKEN
          key: token
      script:
        - bash
        - '-xec'
        - tox; tox -e codecov
      jobs:
        include:
          - name: tests python 3.9
            version: "3.9"
            env:
              TOXENV: py39,lint
          - name: tests python 3.10
            version: "3.10"
            env:
              TOXENV: py310,lint
          - name: tests python 3.11
            version: "3.11"
            env:
              TOXENV: py311,lint
          - name: tests python 3.12
            version: "3.12"
            env:
              TOXENV: py312,lint
          - name: PyPI upload
            version: "3.9"
            env:
              TOXENV: pypi
            script:
              - tox
            when:
              release: true
              all_passed: true
            secrets:
              - type: env
                secret: project/fuzzing/pypi-lithium
                name: TWINE_USERNAME
                key: username
              - type: env
                secret: project/fuzzing/pypi-lithium
                name: TWINE_PASSWORD
                key: password

  in:
    $if: >
      (tasks_for == "github-push")
      || (tasks_for == "github-pull-request" && event["action"] in ["opened", "reopened", "synchronize"])
      || (tasks_for == "github-release" && event["action"] in ["published"])
    then:
      - created: {$fromNow: ''}
        deadline: {$fromNow: '1 hour'}
        provisionerId: proj-fuzzing
        workerType: decision
        payload:
          features:
            taskclusterProxy: true
          maxRunTime: 3600
          env:
            PROJECT_NAME: ${project_name}
            CI_MATRIX: {$json: {$eval: matrix}}
            GITHUB_EVENT: {$json: {$eval: event}}
            GITHUB_ACTION: ${tasks_for}
            TASKCLUSTER_NOW: ${now}
          command:
            - - bash
              - "-exc"
              - "-o"
              - "pipefail"
              - >
                curl --retry 5 --connect-timeout 25 -sSfL --write-out "%{stderr}Resolved orion-decision to %{url_effective}\n"
                "$TASKCLUSTER_PROXY_URL/api/index/v1/task/project.fuzzing.orion.orion-decision.master/artifacts/public/orion-decision.tar.zst"
                | zstdcat | podman load; podman run --rm -e TASK_ID -e RUN_ID -e TASKCLUSTER_ROOT_URL --add-host=taskcluster:127.0.0.1 --net=host
                -e TASKCLUSTER_PROXY_URL=http://localhost:80 -e PROJECT_NAME -e CI_MATRIX -e GITHUB_EVENT -e GITHUB_ACTION -e TASKCLUSTER_NOW
                mozillasecurity/orion-decision:latest ci-decision -v
        scopes:
          - queue:create-task:highest:proj-fuzzing/ci
          - queue:create-task:highest:proj-fuzzing/ci-*
          - queue:scheduler-id:taskcluster-github
          - secrets:get:project/fuzzing/codecov-lithium
          - secrets:get:project/fuzzing/pypi-lithium
        metadata:
          name: ${project_name} CI decision
          description: Schedule CI tasks for ${project_name}
          owner: truber@mozilla.com
          source: https://github.com/MozillaSecurity/orion