Taskcluster

ADMINS

▶ [minor]
Allows the ability to attach a Cloud Armor policy to a BackendConfig and to use
that BackendConfig in the ingress configuration. (OPST-1755)

USERS

▶ [patch]
Web-Server: fixes missing callback function in passport req.logout.

USERS

▶ [minor] [7404](https://github.com/taskcluster/taskcluster/issues/7404)
Re-apply the patch to fix docker cache issues and fix the issues when using
podman as the container engine.

DEVELOPERS

▶ [minor]
Adding type checks with jsdoc and typescript.

Automated Package Updates

<details>
<summary>5 Dependabot updates</summary>

* build(deps): bump taskcluster from 75.0.0 to 77.0.0 in /taskcluster (1cb203ecc)
* build(deps-dev): bump the client-web-node-deps group (b73bd5464)
* build(deps): bump jinja2 from 3.1.4 to 3.1.5 in /taskcluster (d2003e3f8)
* build(deps): bump the go-deps group with 2 updates (3d8bd1bbb)
* build(deps): bump debug in /clients/client in the client-node-deps group (a6146f51c)

</details>

WORKER-DEPLOYERS

▶ [MAJOR]
Generic Worker: adds worker config feature toggles to quickly/easily enable/disable features across entire worker pools. All features are enabled, by default.

Generic Worker: adds `d2gConfig` worker config to configure D2G translations. `enableD2G` and `containerEngine` config settings have been moved into this new config. The following is the new structure (with default values shown):

json
{
...
"d2gConfig": {
"enableD2G": false,
"allowChainOfTrust": true,
"allowDisableSeccomp": true,
"allowHostSharedMemory": true,
"allowInteractive": true,
"allowKVM": true,
"allowLoopbackAudio": true,
"allowLoopbackVideo": true,
"allowPrivileged": true,
"allowPtrace": true,
"allowTaskclusterProxy": true,
"containerEngine": "docker"
},
...
}


Tasks using disabled features will be resolved as `exception/malformed-payload`.

▶ [minor] [7390](https://github.com/taskcluster/taskcluster/issues/7390)
Generic Worker: adds `d2gConfig.allowGPUs` (default: `false`) and `d2gConfig.gpus` (default: `all`) worker config to provide NVIDIA GPU access to the running container for d2g-translated task payloads.

The translation will add the gpus flag: `--gpus <d2gConfig.gpus>` to the `docker run ...` command. Read more about the usage [here](https://docs.docker.com/reference/cli/docker/container/run/#gpus).

▶ [minor]
Generic Worker: adds `disableNativePayloads` (default: `false`) worker config option (`linux` only) to require all task payloads to be Docker Worker payloads. If this option is set to `true`, the task log will no longer contain the translated task definition and the warning about using Docker Worker payloads.

Tasks submitted with native payloads will be resolved as `exception/malformed-payload`.

Generic Worker: adds `d2gConfig.logTranslation` (default: `true`) worker config to control whether the D2G-translated task definition is logged to the task logs.

Automated Package Updates

<details>
<summary>2 Dependabot updates</summary>

* build(deps): bump nanoid from 3.3.6 to 3.3.8 (e451def2d)
* build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 (e2f947058)

</details>

GENERAL

▶ [patch]
Upgrades to Node.js v22.12.0, go v1.23.4, and yarn v4.5.3.

USERS

▶ [MAJOR] [3823](https://github.com/taskcluster/taskcluster/issues/3823)
Add authentication to websockets at the time of subscribing to pulse messages

This introduces new scope `web:read-pulse` that needs to be added to the existing `anonymous` role
in order to keep Pulse subscriptions public.

▶ [patch] [4086](https://github.com/taskcluster/taskcluster/issues/4086)
`queue.getArtifact()` checks if artifact is expired and returns `ResourceExpired - 410` in such cases

Automated Package Updates

<details>
<summary>1 Dependabot updates</summary>

* build(deps): bump the node-deps group across 1 directory with 4 updates (2edd60b1a)

</details>

WORKER-DEPLOYERS

▶ [patch] [7404](https://github.com/taskcluster/taskcluster/issues/7404)
Generic Worker: Reverting 61b985dd009210a204da3bb354eab2037d132bef due to issue 7404 with cache permissions.

Automated Package Updates

<details>
<summary>6 Dependabot updates</summary>

* build(deps): bump the node-deps group across 1 directory with 17 updates (8607b9d44)
* build(deps): bump taskcluster from 74.0.0 to 75.0.0 in /taskcluster (3565e2b7e)
* build(deps): bump taskcluster-taskgraph (94375c104)
* build(deps): bump the go-deps group with 5 updates (b724509a7)
* build(deps-dev): bump the client-web-node-deps group (5a81717fa)
* build(deps): bump the client-node-deps group (76501c53a)

</details>

USERS

▶ [MAJOR] [7128](https://github.com/taskcluster/taskcluster/issues/7128)
Generic Worker now only changes file ownership of files inside caches, if the
file was owned by the previous task user. Previously Generic Worker changed the
ownership of all files inside a cache to be the new task user, which caused
problems if files were modified inside containers using different subuids.

▶ [patch] [7386](https://github.com/taskcluster/taskcluster/issues/7386)
Fixes UI issue where "No WorkerPool exists" error was shown in pending/claimed tasks list.

Automated Package Updates

<details>
<summary>6 Dependabot updates</summary>

* build(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /clients/client (8f1ae7081)
* build(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /ui/test/e2e (ba80be7ae)
* build(deps): bump cross-spawn from 6.0.5 to 6.0.6 in /ui (b61b37312)
* build(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /clients/client-web (34e12e170)
* build(deps): bump cross-spawn from 6.0.5 to 6.0.6 (1204a00e5)
* build(deps): bump eslint/plugin-kit in /clients/client-web (df1f054b9)

</details>