Remove the use of deprecated jwt addon for TravisCI #9903
Comments
|
I believe we use Travis' JWT (JSON Web Tokens) addon to store the secrets for Sauce Labs. See this commit 66a5cc8. We need to find an alternative, as the official announcement says:
which means all the Sauce jobs (Edge & Safari) will no longer work after April 17. The post also says:
so... what now? cc @foolip |
|
I guess the setup with short-lived tokens made sense for Sauce because they don't trust their users' input anyway, so at worst someone could get some free access to Sauce. But, yeah, that's weird, I can see why it's going away. I think we have to move to a model where the secret isn't available to Travis either, because it (1) won't work for PRs created from other repos and (2) the many people with write access to the repo would have access to the (long lived) secret. Travis already treats everything as untrusted, so Chrome and Firefox will be fine, and there's no token for https://pulls.web-platform-tests.org/, that uses web hooks. To get something like Sauce working again:
The last part would require a security token, which is why the previous step can't be trusted. @lukebjerring @mdittmer @kereliuk, WDYT? |
|
To resolve the immediate problem, we should just turn off the Sauce runs. They take up time, aren't blocking, and generally are too noisy to actually take seriously for investigating regressions. I will admit it was useful once, though: Don't know if it led to a bug that wasn't already fixed in Edge, but it might have. I'll send a PR to get rid of the Sauce runs right away and ask @jgraham for review. |
Sauce cannot be kept working beyond April 17, see #9903. Given that they are not very reliable and take up Travis capacity, and that we don't have a replacement for this that can be put in place before April 17, it seems best to turn it off right away. The code is left in place until this is determined to work.
Sauce cannot be kept working beyond April 17, see #9903. Given that they are not very reliable and take up Travis capacity, and that we don't have a replacement for this that can be put in place before April 17, it seems best to turn it off right away. The code is left in place until this is determined to work.
|
Right, the problem with Travis is that there's no way to keep infromation private in a way that ensures it can't be accessed by someone who can change the job configuration, which is everyone since it's fully defined in-tree. That's why only in-repo PRs get access to secure varaibles. An alternative wouldn't involve travis at all; it would just learn about the PR from a webhook, do whatever, and then set a status on the commit. The problem with such a setup is merely that it's on closed infrastructure so it depends on ongoing maintainance by people with access to that infrastructure. That's already a problem we have with wpt.fyi and the PR dashboard, but it is a problem. |
|
Setting up an alternative would indeed run into those kinds of problems and require people to be responsive to breakage. In an ideal state, the browser-neutral bits would be built in the open and maintained by the same stakeholder who effectively maintain wpt infra now, and any browser-specific bits that aren't just open infrastructure would have to be maintained by the browser teams, with some clear expectation or SLA. |
|
@jdm, thanks for reporting! If you didn't we might have had a bad day on April 17 with all PRs blocked until we could figure it out... |
Automatic update from web-platform-testsRemove the Sauce Travis jobs Sauce cannot be kept working beyond April 17, see web-platform-tests/wpt#9903. Given that they are not very reliable and take up Travis capacity, and that we don't have a replacement for this that can be put in place before April 17, it seems best to turn it off right away. The code is left in place until this is determined to work. wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954 wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954
…ility runs (including JWT), a=testonly Automatic update from web-platform-testsRemove the rest of Sauce support for stability runs (including JWT) (#9977) Fixes web-platform-tests/wpt#9903. wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977 wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977
Automatic update from web-platform-testsRemove the Sauce Travis jobs Sauce cannot be kept working beyond April 17, see web-platform-tests/wpt#9903. Given that they are not very reliable and take up Travis capacity, and that we don't have a replacement for this that can be put in place before April 17, it seems best to turn it off right away. The code is left in place until this is determined to work. wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954 wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954 UltraBlame original commit: 69d95f3b3edbfe347b1c3a55bc7ff12931c6cef7
…ility runs (including JWT), a=testonly Automatic update from web-platform-testsRemove the rest of Sauce support for stability runs (including JWT) (#9977) Fixes web-platform-tests/wpt#9903. wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977 wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977 UltraBlame original commit: 3582e94198299a6c64414d17a79d9b6343fd1849
Automatic update from web-platform-testsRemove the Sauce Travis jobs Sauce cannot be kept working beyond April 17, see web-platform-tests/wpt#9903. Given that they are not very reliable and take up Travis capacity, and that we don't have a replacement for this that can be put in place before April 17, it seems best to turn it off right away. The code is left in place until this is determined to work. wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954 wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954 UltraBlame original commit: 69d95f3b3edbfe347b1c3a55bc7ff12931c6cef7
…ility runs (including JWT), a=testonly Automatic update from web-platform-testsRemove the rest of Sauce support for stability runs (including JWT) (#9977) Fixes web-platform-tests/wpt#9903. wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977 wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977 UltraBlame original commit: 3582e94198299a6c64414d17a79d9b6343fd1849
Automatic update from web-platform-testsRemove the Sauce Travis jobs Sauce cannot be kept working beyond April 17, see web-platform-tests/wpt#9903. Given that they are not very reliable and take up Travis capacity, and that we don't have a replacement for this that can be put in place before April 17, it seems best to turn it off right away. The code is left in place until this is determined to work. wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954 wpt-commits: 8806dfd8e21f37e995b220aa781e548c3ffc4782 wpt-pr: 9954 UltraBlame original commit: 69d95f3b3edbfe347b1c3a55bc7ff12931c6cef7
…ility runs (including JWT), a=testonly Automatic update from web-platform-testsRemove the rest of Sauce support for stability runs (including JWT) (#9977) Fixes web-platform-tests/wpt#9903. wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977 wpt-commits: 18ce941a0840daaa8a17fbe54449c6acc092b442 wpt-pr: 9977 UltraBlame original commit: 3582e94198299a6c64414d17a79d9b6343fd1849
From a recent TravisCI build:
I don't know what it's used for, but it looks like we should stop using it.
The text was updated successfully, but these errors were encountered: