docs: add some info about CoT verification expectations w.r.t decision and action tasks
jcristau committed Apr 25, 2023
1 parent b895fdd commit a29194b
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions docs/cot_verify.rst
@@ -64,4 +64,13 @@ Scriptworker:

Once all verification passes, it launches the task script. If chain of trust verification fails, it exits before launching the task script.

Extra data and assumptions
~~~~~~~~~~~~~~~~~~~~~~~~~~

Some of the information necessary for rebuilding decision task definitions can't be independently re-generated at verification time; for these cases, we rely on additional data in the original task definition itself. That means the project's `.taskcluster.yml` needs to store that information for CoT to find it, and that `.taskcluster.yml` shouldn't make security-relevant decisions based on it. These bits are:

- in action tasks, `task.extra.action.context` should contain the action's `taskGroupId`, `taskId` and `input`, plus any other bits of context used by `.taskcluster.yml`, e.g. `clientId`; `task.extra.parent` should contain its parent task's `taskId` (pointing at either a decision task or another action task).
- in decision tasks for cron jobs, `task.extra.cron` should be a copy of the `cron` object passed to the task, containing `task_id`, `job_name`, `job_symbol` and `quoted_args`
- in all cases, `task.extra.tasks_for` contains the `tasks_for` value.

.. _json-e: https://github.com/taskcluster/json-e
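Review bot: the new paragraph says `.taskcluster.yml` "shouldn't make security-relevant decisions" based on `task.extra.*`, but it never states the reason, and that reason is the whole point of the section; suggest adding one sentence after "These bits are:" is introduced, along the lines of: "These values are copied from the task definition being verified, so they are under the control of whoever created that task; if the template used them to choose scopes, worker types or other privileged settings, the rebuilt task would match the submitted one regardless of whether the values are genuine." The `task.extra.parent` bullet would also benefit from saying what the verifier does with it (walk the chain to a decision task that is itself verified), since as written a reader cannot tell whether the parent link is checked or merely recorded. Style: this is reStructuredText, and single backticks (`.taskcluster.yml`, `task.extra.action.context`, `taskGroupId`) are interpreted text rather than inline literals, so they will render as italics; use double backticks (``.taskcluster.yml``) as the rest of the docs presumably do. The cron bullet is also missing its trailing period.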
