Taskcluster

Automated Package Updates

<details>
<summary>8 Dependabot updates</summary>

* build(deps-dev): bump the client-web-node-deps group (ba901ba05)
* build(deps-dev): bump qlobber from 5.0.3 to 8.0.1 (28f2869aa)
* build(deps): bump follow-redirects from 1.15.4 to 1.15.6 in /ui (e39d63567)
* build(deps): bump follow-redirects from 1.15.4 to 1.15.6 (a7c78f0f8)
* build(deps): bump follow-redirects in /clients/client-web (103febfe8)
* build(deps): bump follow-redirects in /clients/client-test (d2b3288b2)
* build(deps): bump follow-redirects in /clients/client (c903e7de6)
* build(deps): bump taskcluster from 60.4.2 to 62.0.0 in /taskcluster (04df8aedd)

</details>

Automated Package Updates

<details>
<summary>5 Dependabot updates</summary>

* build(deps-dev): bump the deps group in /ui with 3 updates (319f484a6)
* build(deps): bump taskcluster from 59.2.0 to 60.3.2 in /taskcluster (cde9bb384)
* build(deps): bump the deps group in /taskcluster with 1 update (35e1bf6fb)
* build(deps): bump the deps group with 4 updates (87b4265a4)
* build(deps-dev): bump the deps group in /clients/client with 1 update (8944d3619)

</details>

DEPLOYERS

▶ [minor] [7508](https://github.com/taskcluster/taskcluster/issues/7508)
Removes Cloud Armor specific policy config from deployment templates as it was applied incorrectly.

WORKER-DEPLOYERS

▶ [MAJOR]
Generic Worker: feature `runTaskAsCurrentUser` (note: `Task` not `Tasks`) has been added to replace the previous global task config setting `runTasksAsCurrentUser` (which is no longer supported). Worker pools can elect to enable or disable the feature with boolean config setting `enableRunTaskAsCurrentUser`. Tasks with the feature enabled (`task.payload.features.runTaskAsCurrentUser = true`) require scope `generic-worker:run-task-as-current-user:<provisionerID>/<workerType>`.

This change was introduced in order that access to this privileged feature are guarded not only by worker config settings, but also by task scopes, and furthermore the feature must be explicitly requested, in order that tasks do not unintentionally inherit the feature by virtue of overgenerous scopes or unintentionally running on a pool with the feature enabled.

▶ [patch] [7462](https://github.com/taskcluster/taskcluster/issues/7462)
Generic Worker (D2G): prune docker images during garbage collection, if needed.

USERS

▶ [MAJOR]
The interactive feature will now drop users in the task container instead of the host

▶ [minor] [7506](https://github.com/taskcluster/taskcluster/issues/7506)
Generic Worker Chain Of Trust feature now allows tasks to inject additional
data into `public/chain-of-trust.json`. Tasks wishing to add additional fields
should write them as json to the file `chain-of-trust-additional-data.json` in
the task directory. In this initial release, there are no provisions to
customise the name or path of the file. The file contents will be merged with
the default chain of trust certificate, with the default field values taking
precedence over any provided in `chain-of-trust-additional-data.json`. If the
file is not created by the task, no merging will take place, and the feature
will operate as before.

▶ [minor]
Set TASK_WORKDIR environment variable for generic-worker tasks.

▶ [patch]
Fixed the `--completed` flag for `taskcluster group list` so it actually works instead of returning an empty list all the time