Taskcluster

WORKER-DEPLOYERS

▶ [patch] [7218](https://github.com/taskcluster/taskcluster/issues/7218)
Generic Worker Multiuser engine on Linux, macOS and FreeBSD now waits for the
required task user to be logged in to the console session, rather than waiting
for any user to be logged in, and then checking whether it is the anticipated
user. This subtle change in behaviour means that temporarily a different user
may be (or appear to be) logged into the console session without causing
Generic Worker to panic. It is hoped that this will reduce intermittent issues
where a different user appears to be logged in (such as gdm user on Linux)
since it is suspected that this might just be a fleeting login that passes due
to some race condition in the start up of the Gnome Desktop.

If this doesn't resolve the issue, and under certain circumstances, the gdm
user instead remains logged in, i.e. it is not a fleeting login, we may need to
restore the previous behaviour, since otherwise when the issue does occur, it
would take a full 5 minutes before timing out, adding to costs unnecessarily.
However, we hope that that will not be the case.

WORKER-DEPLOYERS

▶ [patch] [7012](https://github.com/taskcluster/taskcluster/issues/7012)
Generic Worker retains the interactive username it determines inside WaitForLoginCompletion (by returning it) to avoid needing to re-determine it later. The intention is to reduce intermittent errors caused by the underlying method to determine the interactive username itself intermittently failing. So long as the interactive username can be determined just once during the specidied timeout period, the value can be retained and used when required.

GENERAL

▶ [patch] [7172](https://github.com/taskcluster/taskcluster/issues/7172)
Fixes UI js error on dashboard on some deployments

USERS

▶ [patch] [6304](https://github.com/taskcluster/taskcluster/issues/6304)
GitHub service no longer skips CI based on PR description. It will only skip CI based on the PR title or the commit message, [as GitHub does](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/skipping-workflow-runs).

Automated Package Updates

<details>
<summary>7 Dependabot updates</summary>

* build(deps-dev): bump the client-web-node-deps group across 1 directory with 3 updates (74c56a294)
* build(deps): bump the client-node-deps group across 1 directory with 4 updates (2f9e3602b)
* build(deps): bump the ui-node-deps group across 1 directory with 7 updates (e21bc7c47)
* build(deps): bump taskcluster-taskgraph in /taskcluster (65efa87a0)
* build(deps): bump pyyaml (74e680c54)
* build(deps): bump the go-deps group across 1 directory with 7 updates (c02a2eec9)
* build(deps): bump elliptic from 6.5.4 to 6.5.7 in /clients/client-web (00e31a477)

</details>

GENERAL

▶ [patch] [7202](https://github.com/taskcluster/taskcluster/issues/7202)
Fixes `github.renderTaskclusterYml` rendering error for the payloads including invalid params

▶ [patch] [7195](https://github.com/taskcluster/taskcluster/issues/7195)
Fixes worker-manager intermittent test failure

▶ [patch] [bug 1907075](http://bugzil.la/1907075)
Web server graphql endpoints return 413 instead of 500 error.

▶ [patch]
Upgrades to Node.js v20.16.0, go v1.23.0, and yarn v4.4.0.

DEPLOYERS

▶ [MAJOR] [7036](https://github.com/taskcluster/taskcluster/issues/7036)
Secrets are being introduced in services configuration. All sensitive values that are marked as secrets would be deployed in kubernetes as Secrets (as they used to be).
All non-sensitive values would be stored inside ConfigMap resources.
Deployments and CronJobs would fetch values from both secrets and configuration maps.

▶ [patch] [7167](https://github.com/taskcluster/taskcluster/issues/7167)
Change the polling period for EC2 spot instance interruption notices to 5 seconds, as recommended by AWS documentation.

WORKER-DEPLOYERS

▶ [MAJOR] [7073](https://github.com/taskcluster/taskcluster/issues/7073)
Generic Worker now logs to standard error instead of standard out. This is a bug fix, it seems it has always been logging to standard out.

▶ [minor]
Change `adduser` usage to `useradd`

`adduser` is a debian specific wrapper around `useradd` and friends. By
changing to `useradd`, we allow workers to be deployed on non debian
derivative distributions.

Generic Worker multiuser engine on Linux/FreeBSD now depends on:

* /usr/bin/chfn
* /usr/sbin/useradd
* /usr/sbin/userdel

and no longer depends on:

* /usr/sbin/adduser
* /usr/sbin/deluser

USERS

▶ [minor] [7145](https://github.com/taskcluster/taskcluster/issues/7145)
Fixes inconsistency in the internal queue implementation that could lead to tasks being visible as pending in the UI
after they were resolved with `deadline-exceeded`.

▶ [patch] [7128](https://github.com/taskcluster/taskcluster/issues/7128)
Generic Worker / D2G partial bug fix: support has been improved for running Docker Worker tasks with caches under Generic Worker. Previously, caches from a Docker Worker task running under Generic Worker containing files owned by a user other than root would not be owned by the same (container) user when the cache was mounted in a future task. D2G now consistently maps container uids and gids to host subuids and subgids (when caches are used) in order that cache file ownership, as seen from inside the container, is maintained across task runs. However, this fix does not apply when the privileged capability is enabled in the Docker Worker payload, since privileged tasks are executed under docker rather than podman. This fix only applies when podman is used.

▶ [patch] [7128](https://github.com/taskcluster/taskcluster/issues/7128)
Generic Worker multiuser engine on Linux now uses `/usr/sbin/deluser --remove-home` instead of `/usr/sbin/deluser --remove-all-files` when deleting previous task users. This ensures that caches that may still be owned (in whole or in part) by the task user are not deleted.

Automated Package Updates

<details>
<summary>5 Dependabot updates</summary>

* build(deps): bump elliptic from 6.5.4 to 6.5.7 in /ui (d3d895095)
* build(deps): bump braces from 3.0.2 to 3.0.3 in /clients/client-test (7fc112e28)
* build(deps): bump aiohttp from 3.9.5 to 3.10.2 in /taskcluster (84db9103c)
* build(deps): bump dependabot/fetch-metadata in the gh-actions-deps group (f57c0aa4d)
* build(deps): bump the node-deps group with 18 updates (5af31a687)

</details>

WORKER-DEPLOYERS

▶ [patch] [7073](https://github.com/taskcluster/taskcluster/issues/7073)
CLI tools and generic-worker now returns short-version string if executed with `--short-version` argument:

- `generic-worker --short-version`
- `livelog --short-version`
- `websocktunnel --short-version`
- `start-worker --short-version`
- `taskcluster version --short-version`

▶ [patch] [7129](https://github.com/taskcluster/taskcluster/issues/7129)
Worker-manager would avoid sending emails with duplicate error messages, as long as error message and information are the same.

USERS

▶ [minor] [7139](https://github.com/taskcluster/taskcluster/issues/7139)
Generic Worker now sets environment variable `TASK_GROUP_ID` to the `taskGroupId` of the currently running task.

▶ [patch] [7132](https://github.com/taskcluster/taskcluster/issues/7132)
Bug fix: Generic Worker multiuser on Linux/macOS was previously executing task
commands as processes that did not include the supplementary groups of the task
user, only its primary group. Until upgrading from Ubuntu 22.04 to Ubuntu 24.04
task users did not have supplementary groups, so this had no negative
consequences. However, `/usr/sbin/adduser` on Ubuntu 24.04 by default gives
newly generated users the supplementary group `users`, which introduced a
discrepency between the groups that the task command process was in, and the
groups that the user was in. Generic Worker multiuser on Linux and macOS now
ensures that the launched processes of task commands are given not only the
primary group of the task user, but also any supplementary groups that it has.

Automated Package Updates

<details>
<summary>3 Dependabot updates</summary>

* build(deps): bump the ui-node-deps group across 1 directory with 3 updates (b55fb4d50)
* build(deps-dev): bump chai-as-promised in /clients/client-web (0809b9ea8)
* build(deps): bump certifi from 2023.7.22 to 2024.7.4 in /taskcluster (c0fa41ae2)

</details>

USERS

▶ [patch] [7085](https://github.com/taskcluster/taskcluster/issues/7085)
Adds `timestamp` to the worker related pulse events that were added in 7085.

DEVELOPERS

▶ [patch]