Taskcluster

USERS

▶ [MAJOR] [7126](https://github.com/taskcluster/taskcluster/issues/7126)
d2g no longer includes `--privileged` in all generated `podman run` commands. This was previously introduced as a breaking change in release 61.0.0 (PR 6891) but has broken some tasks. The original reason for adding it (6890) seems to no longer apply, as the original bug report is no longer reproducible. This therefore reverts the d2g treatment of the --privileged flag to how it was before release 61.0.0.

▶ [minor] [7085](https://github.com/taskcluster/taskcluster/issues/7085)
Worker-manager publishes more events to new exchanges in Pulse:
- `worker-pool-error`
- `worker-requested`
- `worker-running`
- `worker-stopped`

▶ [patch] [7120](https://github.com/taskcluster/taskcluster/issues/7120)
Removed memory, pid, and ulimits for d2g payloads.

DEVELOPERS

▶ [patch]
Updated azure test certificates.

OTHER

▶ Additional change not described here: [7095](https://github.com/taskcluster/taskcluster/issues/7095).

Automated Package Updates

<details>
<summary>20 Dependabot updates</summary>

* build(deps): bump the ui-node-deps group across 1 directory with 10 updates (b83e7dbe2)
* build(deps): bump markdown-it from 12.3.2 to 14.1.0 in /ui (99770261c)
* build(deps): bump react-codemirror2 from 7.3.0 to 8.0.0 in /ui (967f5f1fe)
* build(deps): bump the go-deps group with 7 updates (fdb61b7a4)
* build(deps): bump taskcluster from 65.1.0 to 66.0.0 in /taskcluster (15fe4fa58)
* build(deps): bump taskcluster-taskgraph in /taskcluster (e92ef7929)
* build(deps): bump ws from 8.5.0 to 8.17.1 in /workers/docker-worker (9604329d4)
* build(deps): bump the client-node-deps group across 1 directory with 3 updates (d614b4b68)
* build(deps): bump pug from 3.0.2 to 3.0.3 (f53a74456)
* build(deps): bump octokit/plugin-retry from 3.0.9 to 7.1.1 (6ff6da85c)
* build(deps-dev): bump testing-library/jest-dom in /ui (b5c00189f)
* build(deps): bump the node-deps group across 1 directory with 22 updates (0f93c1e59)
* build(deps-dev): bump the client-web-node-deps group across 1 directory with 2 updates (3ca58010d)
* build(deps): bump grpc/grpc-js from 1.9.8 to 1.10.10 (ef3a2daa7)
* build(deps): bump braces from 3.0.2 to 3.0.3 (f2386f545)
* build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /taskcluster (ad955c802)
* build(deps): bump braces from 3.0.2 to 3.0.3 in /clients/client (c918170cd)
* build(deps): bump braces from 3.0.2 to 3.0.3 in /workers/docker-worker (ae3cf638a)
* build(deps-dev): bump ws from 7.5.9 to 7.5.10 (6fea20c51)
* build(deps): bump taskcluster from 64.2.7 to 65.1.0 in /taskcluster (68fdee7ce)

</details>

USERS

▶ [MAJOR] [7082](https://github.com/taskcluster/taskcluster/issues/7082)
This change comprises three elements:

1. D2G now executes tasks under `docker` rather than `podman` if the Docker
Worker task has the `privileged` capability enabled. This should result in
fewer tasks failing due to differences in default behaviour between docker
and podman privileged containers.
2. D2G generated task scopes are now sorted.
3. A bug has been fixed where D2G was granting scopes to generated tasks
based on the declared capabilities of the Docker Worker task it was
converting, rather than deriving the target Generic Worker scopes solely
from the original Docker Worker task scopes. This allowed a task with
insufficient scopes under Docker Worker to gain elevated privileges under
Generic Worker.

USERS

▶ [patch] [7083](https://github.com/taskcluster/taskcluster/issues/7083)
Fixes query validation in pagination queries that were throwing `500 InternalServerError` instead of `400 InputError`

DEVELOPERS

▶ [minor] [7089](https://github.com/taskcluster/taskcluster/issues/7089)
Fixes an issue when cancelling a task didn't remove it from the pending queue.
This made worker-manager think there are more pending tasks than there actually were, and create more workers.

GENERAL

▶ [patch]
Upgrades to node v20.14.0 and go1.22.4 (SECURITY release).

DEPLOYERS

▶ [minor] [7035](https://github.com/taskcluster/taskcluster/issues/7035)
Helm chart allows conditional deployment of several resource types:
- Secret
- ConfigMap
- Ingress
- ServiceAccount

This might be useful in the deployments that use custom Ingress or manage secrets and configs externally.
Example usage: `helm template --values .. --set "skipResourceTypes[0]"=ingress --set "skipResourceTypes[0]"=secert .`

WORKER-DEPLOYERS

▶ [minor] [7076](https://github.com/taskcluster/taskcluster/issues/7076)
Worker Runner now uses IMDSv2 instead of IMDSv1 in EC2. IMDSv1 is being phased out by Amazon.

DEVELOPERS

▶ [patch] [7080](https://github.com/taskcluster/taskcluster/issues/7080)
Fixes github service issue during cancellation of the previous runs that were not created.
Response code was not checked properly which resulted in sending same error for each new build.

▶ [patch] [6668](https://github.com/taskcluster/taskcluster/issues/6668)
Fixes an issue to support yarn run for dev:start and dev:stop scripts

USERS

▶ [minor] [7070](https://github.com/taskcluster/taskcluster/issues/7070)
Generic Worker now sets the environment variable TASKCLUSTER_INSTANCE_TYPE in task commands to the instance type of the worker, if configured. This matches the (undocumented) behaviour of Docker Worker. D2G also passes this environment variable through to podman, to emulate Docker Worker's behaviour.

▶ [patch]
Fixes UI issue in worker view where error was shown despite worker being found.

▶ [patch] [7059](https://github.com/taskcluster/taskcluster/issues/7059)
D2G now includes `libvirt` OS group in generated Generic Worker task payloads that use Docker Worker KVM device.

▶ [patch] [6954](https://github.com/taskcluster/taskcluster/issues/6954)
Fixes an issue with github badges that timed out on non-existing branches.

▶ [patch]
Tasks using `notify.pulse.<topic>.on-<event>` routes now send out messages
using the specified topic. This means it's now possible to subscribe to
specific topics.

DEVELOPERS

▶ [minor] [5073](https://github.com/taskcluster/taskcluster/issues/5073)
Github service supports `issue_comment` events to trigger jobs through `/tasckluster param` comments in open Pull Requests.
`.taskcluster.yml` in default branch should allow this with `policy.allowComments: collaborators` value.
Tasks would be rendered with `tasks_for = "github-issue-comment"` and `event.taskcluster_comment = param`
This is an implementation of [RFC 168](https://github.com/taskcluster/taskcluster-rfcs/blob/main/rfcs/0168-Trigger-Tests-Based-on-PR-Comments.md)

▶ [patch] [6567](https://github.com/taskcluster/taskcluster/issues/6567)
`yarn generate` commands will attempt to run `pg_dump` inside the docker container if local binary is missing or its version is different from the server version.

Automated Package Updates

<details>
<summary>2 Dependabot updates</summary>

* build(deps): bump taskcluster-taskgraph (8daf19d4c)
* build(deps): bump the go-deps group with 4 updates (60ca4228f)

</details>

USERS

▶ [minor] [5967](https://github.com/taskcluster/taskcluster/issues/5967)
Allows Docker Worker payloads to be used on the `insecure` Generic Worker engine, translated by `d2g`.