From f038dd059a386536b91d1ef7ee5d7d2492007383 Mon Sep 17 00:00:00 2001
From: James Graham
Date: Mon, 27 Jun 2022 20:17:22 +0000
Subject: [PATCH] Bug 1776649 - Don't require webdriver or geckodriver crates to be audited, , bholley r=webdriver-reviewers,supply-chain-reviewers,bholley,whimboo
This requirement meant that we had to publish the crates on crates.io before they reached autoland. This didn't work well for the geckodriver release process, since the binary releases are built on mozilla-central, and needing to pre-upload the crates made it impossible to guarantee that the binary release matches the uploaded version.
Instead, add a step to the release docs to update this information.
Differential Revision: https://phabricator.services.mozilla.com/D150361
---
 supply-chain/config.toml | 8 ++++----
 testing/geckodriver/doc/Releasing.md | 7 +++++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index bb3dd733e883..b1089e9d9243 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -34,9 +34,9 @@ audit-as-crates-io = true
 notes = "wgpu-hal pins this crate."
 
 [policy.geckodriver]
-audit-as-crates-io = true
+audit-as-crates-io = false
 criteria = "safe-to-run"
-notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem. It's also used only for automation, so its subtree can be safe-to-run."
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
 
 [policy.gkrust-gtest]
 criteria = "safe-to-run"
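Review bot: The new `notes` value under `[policy.geckodriver]` refers to "the documented release process" without saying where that process lives, so a reader of config.toml cannot find the step that replaces the check being dropped here. With `audit-as-crates-io = false`, cargo vet will no longer compare the in-tree crate against the crates.io publication, which makes the manual `cargo vet certify` in the release docs the only thing that records an audit for the published version, and nothing in this file would catch a release where that step was skipped. I would name the document in the note, e.g. `We certify audits for this crate as part of the documented release process (testing/geckodriver/doc/Releasing.md), but that step happens after the version bump lands on central so we don't enforce it here.`, so the gap is at least discoverable from the policy that creates it.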
@@ -133,9 +133,9 @@ audit-as-crates-io = false
 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
 
 [policy.webdriver]
-audit-as-crates-io = true
+audit-as-crates-io = false
 criteria = "safe-to-run"
-notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem. It's also used only for automation, so its subtree can be safe-to-run."
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
 
 [policy.wgpu]
 audit-as-crates-io = true
diff --git a/testing/geckodriver/doc/Releasing.md b/testing/geckodriver/doc/Releasing.md
index 76aff5118064..ee82764e1d89 100644
--- a/testing/geckodriver/doc/Releasing.md
+++ b/testing/geckodriver/doc/Releasing.md
@@ -147,6 +147,13 @@ and run the following command to publish the crate:
 Note that if a crate has an in-tree dependency make sure to first
 change the dependency information.
 
+We also publish audit information for the crates, and that must be
+updated for each release. To do that run:
+
+    % cargo vet certify
+
+where `` is the version of the crate that was published.
+
 ## Export to GitHub
 
 The canonical GitHub repository is
-- 
2.11.4.GIT
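Review bot: The `[policy.webdriver]` note says the audit is certified "as part of the documented release process" but does not say which process covers this crate; the only release document touched by this patch is geckodriver's, and I cannot tell from the diff whether webdriver is published by that same procedure or separately. Because `audit-as-crates-io = false` stops cargo vet from checking that the tree matches what was uploaded, a later `cargo vet certify` only stands for the published crate if it is run from the revision that was actually published, which is worth stating where the policy is relaxed. I would make the note specific, e.g. `We certify audits for this crate as part of the geckodriver release process (testing/geckodriver/doc/Releasing.md), run from the revision that was published, but that step happens after the version bump lands on central so we don't enforce it here.`, adjusting the document reference if webdriver is released some other way. The text is otherwise a verbatim copy of the geckodriver note, so if one is reworded the other should be too.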