Let generic-worker verify run-task/fetch-content integrity (#666)

jcristau · web-flow · commit f85ff32682d4 · 2025-04-10T18:02:26.000+02:00
The decision task knows the contents of these scripts so it can pass
their checksums to downstream tasks.
diff --git a/src/taskgraph/transforms/run/run_task.py b/src/taskgraph/transforms/run/run_task.py
@@ -6,7 +6,9 @@
 """
 
 import dataclasses
+import hashlib
 import os
+from pathlib import Path
 
 from voluptuous import Any, Optional, Required
 
@@ -25,6 +27,9 @@
     "powershell": ["powershell.exe", "-ExecutionPolicy", "Bypass"],
 }
 
+RUN_TASK_PATH = Path(__file__).parent.parent.parent / "run-task" / "run-task"
+FETCH_CONTENT_PATH = Path(__file__).parent.parent.parent / "run-task" / "fetch-content"
+
 run_task_schema = Schema(
     {
         Required("using"): "run-task",
@@ -169,10 +174,14 @@ def generic_worker_run_task(config, task, taskdesc):
     common_setup(config, task, taskdesc, command)
 
     worker.setdefault("mounts", [])
+    run_task_sha256 = hashlib.sha256(RUN_TASK_PATH.read_bytes()).hexdigest()
+    fetch_content_sha256 = hashlib.sha256(FETCH_CONTENT_PATH.read_bytes()).hexdigest()
     worker["mounts"].append(
         {
             "content": {
-                "url": script_url(config, "run-task"),
+                "taskId": {"task-reference": "<decision>"},
+                "artifact": "public/run-task",
+                "sha256": run_task_sha256,
             },
             "file": "./run-task",
         }
@@ -181,7 +190,9 @@ def generic_worker_run_task(config, task, taskdesc):
         worker["mounts"].append(
             {
                 "content": {
-                    "url": script_url(config, "fetch-content"),
+                    "taskId": {"task-reference": "<decision>"},
+                    "artifact": "public/fetch-content",
+                    "sha256": fetch_content_sha256,
                 },
                 "file": "./fetch-content",
             }
diff --git a/test/test_transforms_run_run_task.py b/test/test_transforms_run_run_task.py
@@ -121,7 +121,9 @@ def assert_generic_worker(task):
                 {"cache-name": "checkouts", "directory": "build"},
                 {
                     "content": {
-                        "url": "https://tc-tests.localhost/api/queue/v1/task/<TASK_ID>/artifacts/public/run-task"
+                        "artifact": "public/run-task",
+                        "sha256": "581ca6876fac84fa2dd8e8c2c18677d790890e9675229fd34c912c937ae19fae",
+                        "taskId": {"task-reference": "<decision>"},
                     },
                     "file": "./run-task",
                 },
