From 0ff6dc7af43fc4e30f53ba375b6ea856ed4d127a Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Fri, 30 Jan 2026 15:46:06 +0100 Subject: [PATCH] ci: switch PR policy to public_restricted Skip tasks that require access to a secret for untrusted PRs. --- .taskcluster.yml | 2 +- taskcluster/kinds/tox/kind.yml | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.taskcluster.yml b/.taskcluster.yml index e512082c..6a11f3a6 100644 --- a/.taskcluster.yml +++ b/.taskcluster.yml @@ -8,7 +8,7 @@ version: 1 reporting: checks-v1 autoCancelPreviousChecks: true policy: - pullRequests: collaborators + pullRequests: public_restricted tasks: - $let: trustDomain: "scriptworker" diff --git a/taskcluster/kinds/tox/kind.yml b/taskcluster/kinds/tox/kind.yml index 4168e696..c2e8b462 100644 --- a/taskcluster/kinds/tox/kind.yml +++ b/taskcluster/kinds/tox/kind.yml @@ -14,7 +14,7 @@ transforms: task-defaults: description: "{name} tox-{targets}" - run-on-tasks-for: ["action", "github-pull-request", "github-push"] + run-on-tasks-for: ["action", "github-pull-request", "github-pull-request-untrusted", "github-push"] attributes: code-review: true worker-type: b-linux @@ -59,6 +59,7 @@ tasks: targets: py311-cot env: NO_CREDENTIALS_TESTS: "1" + run-on-tasks-for: ["action", "github-pull-request", "github-push"] scopes: - secrets:get:repo:github.com/mozilla-releng/scriptworker:github py312-cot: @@ -66,6 +67,7 @@ tasks: targets: py312-cot env: NO_CREDENTIALS_TESTS: "1" + run-on-tasks-for: ["action", "github-pull-request", "github-push"] scopes: - secrets:get:repo:github.com/mozilla-releng/scriptworker:github py313-cot: @@ -73,5 +75,6 @@ tasks: targets: py313-cot env: NO_CREDENTIALS_TESTS: "1" + run-on-tasks-for: ["action", "github-pull-request", "github-push"] scopes: - secrets:get:repo:github.com/mozilla-releng/scriptworker:github