Let generic-worker verify run-task/fetch-content integrity

jcristau · jcristau · commit d8e5a77e0f42 · 2025-04-03T10:23:39.000+02:00
The decision task knows the contents of these scripts so it can pass
their checksums to downstream tasks.
diff --git a/src/taskgraph/transforms/run/run_task.py b/src/taskgraph/transforms/run/run_task.py
@@ -7,6 +7,7 @@
 
 import dataclasses
 import os
+from pathlib import Path
 
 from voluptuous import Any, Optional, Required
 
@@ -25,6 +26,9 @@
     "powershell": ["powershell.exe", "-ExecutionPolicy", "Bypass"],
 }
 
+RUN_TASK_PATH = Path(__file__).parent.parent.parent / "run-task" / "run-task"
+FETCH_CONTENT_PATH = Path(__file__).parent.parent.parent / "run-task" / "fetch-content"
+
 run_task_schema = Schema(
     {
         Required("using"): "run-task",
@@ -169,10 +173,14 @@ def generic_worker_run_task(config, task, taskdesc):
     common_setup(config, task, taskdesc, command)
 
     worker.setdefault("mounts", [])
+    run_task_sha256 = hashlib.sha256(RUN_TASK_PATH.read_bytes()).hexdigest()
+    fetch_content_sha256 = hashlib.sha256(FETCH_CONTENT_PATH.read_bytes()).hexdigest()
     worker["mounts"].append(
         {
             "content": {
-                "url": script_url(config, "run-task"),
+                "taskId": {"task-reference": "<decision>"},
+                "artifact": "public/run-task",
+                "sha256": run_task_sha256,
             },
             "file": "./run-task",
         }
@@ -181,7 +189,9 @@ def generic_worker_run_task(config, task, taskdesc):
         worker["mounts"].append(
             {
                 "content": {
-                    "url": script_url(config, "fetch-content"),
+                    "taskId": {"task-reference": "<decision>"},
+                    "artifact": "public/fetch-content",
+                    "sha256": fetch_content_sha256,
                 },
                 "file": "./fetch-content",
             }
