actions: fix scope check on mercurial (bug 1965754)

The action task's scopes are tied to the head repo.

Author: jcristau

src/taskgraph/actions/registry.py

@@ -145,18 +145,18 @@ def register_callback_action(
     def register_callback(cb):
         assert isinstance(name, str), "name must be a string"
         assert isinstance(order, int), "order must be an integer"
-        assert callable(schema) or is_json(schema), (
-            "schema must be a JSON compatible object"
-        )
+        assert callable(schema) or is_json(
+            schema
+        ), "schema must be a JSON compatible object"
         assert isinstance(cb, FunctionType), "callback must be a function"
         # Allow for json-e > 25 chars in the symbol.
         if "$" not in symbol:
             assert 1 <= len(symbol) <= 25, "symbol must be between 1 and 25 characters"
         assert isinstance(symbol, str), "symbol must be a string"
 
-        assert not mem["registered"], (
-            "register_callback_action must be used as decorator"
-        )
+        assert not mem[
+            "registered"
+        ], "register_callback_action must be used as decorator"
         assert cb_name not in callbacks, f"callback name {cb_name} is not unique"
 
         def action_builder(parameters, graph_config, decision_task_id):
@@ -300,14 +300,12 @@ def sanity_check_task_scope(callback, parameters, graph_config):
     else:
         raise ValueError(f"No action with cb_name {callback}")
 
-    raw_url = parameters["base_repository"]
-    parsed_url = parse(raw_url)
+    parsed_base_url = parse(parameters["base_repository"])
+    parsed_head_url = parse(parameters["head_repository"])
     action_scope = (
-        f"assume:{parsed_url.taskcluster_role_prefix}:action:{action.permission}"
-    )
-    pr_action_scope = (
-        f"assume:{parsed_url.taskcluster_role_prefix}:pr-action:{action.permission}"
+        f"assume:{parsed_head_url.taskcluster_role_prefix}:action:{action.permission}"
     )
+    pr_action_scope = f"assume:{parsed_base_url.taskcluster_role_prefix}:pr-action:{action.permission}"
 
     # the scope should appear literally; no need for a satisfaction check. The use of
     # get_current_scopes here calls the auth service through the Taskcluster Proxy, giving