Author Association Roles for Github PRs #173
Description
I was brainstorming alternative ways to solve the mobile org's contributor woes (other than RFC 168), and came up with this idea.
Github Pull Request events have an author_association field which can be one of COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MEMBER, NONE or OWNER. This means that TC GIthub can tell whether the PR is coming from a trusted source or not. TC Github can then assume a different role based on this fact. E.g, <repo>:pull-request if the PR is trusted, and <repo>:pull-request-untrusted if it is not. This logic would live somewhere around here.
If we want to preserve backwards compatibility, I think we'd need to create a new pullRequest policy (e.g mixed), and the above behaviour would only happen when it is used. If we don't care about preserving backwards compatibiliy, this could be the new behaviour of the public policy (though pulling this off feels like it would be hard).
The following should be considered out of scope for any potential RFCs here (though it may warrant a releng-rfc), but writing it out as an example of how this feature can be useful:
In ci-config we can grant sensitive scopes to the trusted role, and disallow them in the untrusted role. The last step is that projects will need to ensure they don't run any "sensitive" tasks for untrusted PRs (otherwise they'd get a scope expression failure). Since we pass the full Github event into .taskcluster.yml as context, this can be accomplished by creating a new "author_association" parameter, as well as a new target_tasks filter that uses it.
Once we have all of this, projects will be able to run "tasks" for PRs opened by the public, and sensitive tasks for PRs opened by collaborators.