Fix trust level in decision task

.taskcluster.yml

@@ -43,20 +43,15 @@ tasks:
       then: ${event.pull_request.base.repo.full_name}
       else: ${event.repository.full_name}
 
-    is_repo_trusted:
+    trust_level:
       # Pull requests on main repository can't be trusted because anybody can open a PR on it, without a review
       $if: 'tasks_for in ["github-push", "github-release", "cron"] && event.repository.html_url == "https://github.com/mozilla-mobile/fenix"'
-      then: true
-      else: false
+      then: 3
+      else: 1
   in:
     $let:
-      decision_worker_type:
-        $if: 'is_repo_trusted'
-        then: mobile-3-decision
-        else: mobile-1-decision
-
       track:
-        $if: 'is_repo_trusted'
+        $if: 'trust_level == 3'
         then: 'nightly'
         else: 'staging-nightly'
 
@@ -82,7 +77,7 @@ tasks:
           deadline: {$fromNow: '2 hours'}
           expires: ${expires_in}
           provisionerId: aws-provisioner-v1
-          workerType: ${decision_worker_type}
+          workerType: mobile-${trust_level}-decision
           priority: ${tasks_priority}
           requires: all-completed   # Must be explicit because of Chain of Trust
           retries: 5
@@ -106,6 +101,7 @@ tasks:
               SCHEDULER_ID: ${scheduler_id}
               TASK_ID: ${decision_task_id}
               TASKS_PRIORITY: ${tasks_priority}
+              TRUST_LEVEL: ${trust_level}
             features:
               taskclusterProxy: true
           extra:
@@ -169,7 +165,7 @@ tasks:
               $mergeDeep:
                 - {$eval: 'default_task_definition'}
                 - scopes:
-                    - $if: is_repo_trusted
+                    - $if: 'trust_level == 3'
                       then: assume:hook-id:project-mobile/fenix-nightly
                       else: assume:hook-id:project-mobile/fenix-nightly-staging
                   routes:

automation/taskcluster/decision_task.py

@@ -37,6 +37,7 @@ BUILDER = TaskBuilder(
     scheduler_id=os.environ.get('SCHEDULER_ID', 'taskcluster-github'),
     tasks_priority=os.environ.get('TASKS_PRIORITY'),
     date_string=os.environ.get('BUILD_DATE'),
+    trust_level=os.environ.get('TRUST_LEVEL'),
 )
 
 

automation/taskcluster/lib/tasks.py

@@ -19,7 +19,7 @@ _OFFICIAL_REPO_URL = 'https://github.com/mozilla-mobile/fenix'
 class TaskBuilder(object):
     def __init__(
         self, task_id, repo_url, branch, commit, owner, source, scheduler_id, date_string,
-        tasks_priority='lowest'
+        tasks_priority='lowest', trust_level=1
     ):
         self.task_id = task_id
         self.repo_url = repo_url
@@ -30,6 +30,7 @@ class TaskBuilder(object):
         self.scheduler_id = scheduler_id
         self.tasks_priority = tasks_priority
         self.date = arrow.get(date_string)
+        self.trust_level = trust_level
 
     def craft_assemble_release_task(self, apks, is_staging=False):
         artifacts = {
@@ -82,7 +83,6 @@ class TaskBuilder(object):
             ],
             artifacts=artifacts,
             routes=routes,
-            is_staging=is_staging,
             treeherder={
                 'jobKind': 'build',
                 'machine': {
@@ -231,7 +231,7 @@ class TaskBuilder(object):
 
     def _craft_build_ish_task(
         self, name, description, command, dependencies=None, artifacts=None, scopes=None,
-        routes=None, is_staging=True, treeherder=None
+        routes=None, treeherder=None
     ):
         dependencies = [] if dependencies is None else dependencies
         artifacts = {} if artifacts is None else artifacts
@@ -269,7 +269,7 @@ class TaskBuilder(object):
         }
 
         return self._craft_default_task_definition(
-            'mobile-1-b-fenix' if is_staging else 'mobile-3-b-fenix',
+            'mobile-{}-b-fenix'.format(self.trust_level),
             'aws-provisioner-v1',
             dependencies,
             routes,