build(deps): bump taskcluster from 37.5.1 to 38.0.1 in /tools

[dependabot]

Bumps taskcluster from 37.5.1 to 38.0.1.

Release notes

Sourced from taskcluster's releases.

v38.0.1

DEVELOPERS

▶ [patch] This version fixes an error in docker-worker's release script that caused the 38.0.0 release to fail.

OTHER

▶ Additional change not described here: #3738.

v38.0.0

This release was slightly broken. Use v38.0.1 patch release artifacts instead.

GENERAL

▶ [MAJOR] #3615 RFC 165 has been implemented, allowing for greater administrator control over "public" endpoints. Previously these were guarded by no scopes and could be accessed by anyone with no way to limit this. In this release all una uthenticated API calls are now granted the scope assume:anonymous. Additionally, most previously unprotected endpoints are now guarded by at least one scope, to enable the following:

• To maintain current behavior, some scopes will need to be granted to the anonymousrole. Refer to `the anonymous role section in the docs.
• To entirely lock down the cluster from anonymous access, do not grant any scopes to role anonymous
• Pick and choose specific "public" endpoints to make available to anonymous requests

Performance testing results (refer to taskcluster/taskcluster#3698 for more details):

• Auth service CPU has seen an increase of 0%-15%
• Auth service memory has seen no increase

WORKER-DEPLOYERS

▶ [MAJOR] #3015 Generic-worker no longer supports the --configure-for-{aws,gcp,azure} options. Instead, the expectation is that generic-worker will be started by worker-runner. While it remains possible to run generic-worker without worker-runner in a "static" configuration, cloud-based deployments using worker-manager now r equire worker-runner.

USERS

▶ [patch] #3791 The shell client (the taskcluster command) now correctly handles the case where no credentials are provided. In previous versions, if used to call a method which required credentials, this would result in an error: Bad Request: Bad attribute value: id. With the inclusion of [RFC#165](https://github.com/task cluster/taskcluster-rfcs/blob/main/rfcs/0165-Anonymous-scopes.md) in this release, this error would occur when calling any method. The short story is, if you see such errors, upgrade the shell client.

▶ [patch] #3463 This release fixes a bug that may occur when a new task is quickly inserted twice into the index service. When the bug is triggered, one of the insert calls would fail with a server error. With this fix, the UNIQUE_VIOLATION error is caught, and the previously failed insert will update the task if the rank is higher. This bug was first seen in v37.3.0

▶ [patch] #3767 This version adjusts the Python client requirements to avoid aiohttp==3.7.0, which has a serious bug preventing use of HTTPS.

DEVELOPERS

▶ [patch] #3502

... (truncated)

Changelog

Sourced from taskcluster's changelog.

v38.0.1

DEVELOPERS

▶ [patch] This version fixes an error in docker-worker's release script that caused the 38.0.0 release to fail.

OTHER

▶ Additional change not described here: #3738.

v38.0.0

GENERAL

▶ [MAJOR] #3615 RFC 165 has been implemented, allowing for greater administrator control over "public" endpoints. Previously these were guarded by no scopes and could be accessed by anyone with no way to limit this. In this release all unauthenticated API calls are now granted the scope assume:anonymous. Additionally, most previously unprotected endpoints are now guarded by at least one scope, to enable the following:

• To maintain current behavior, some scopes will need to be granted to the anonymousrole. Refer to `the anonymous role section in the docs.
• To entirely lock down the cluster from anonymous access, do not grant any scopes to role anonymous
• Pick and choose specific "public" endpoints to make available to anonymous requests

Performance testing results (refer to taskcluster/taskcluster#3698 for more details):

• Auth service CPU has seen an increase of 0%-15%
• Auth service memory has seen no increase

WORKER-DEPLOYERS

▶ [MAJOR] #3015 Generic-worker no longer supports the --configure-for-{aws,gcp,azure} options. Instead, the expectation is that generic-worker will be started by worker-runner. While it remains possible to run generic-worker without worker-runner in a "static" configuration, cloud-based deployments using worker-manager now require worker-runner.

USERS

▶ [patch] #3791 The shell client (the taskcluster command) now correctly handles the case where no credentials are provided. In previous versions, if used to call a method which required credentials, this would result in an error: Bad Request: Bad attribute value: id. With the inclusion of RFC#165 in this release, this error would occur when calling any method. The short story is, if you see such errors, upgrade the shell client.

▶ [patch] #3463 This release fixes a bug that may occur when a new task is quickly inserted twice into the index service. When the bug is triggered, one of the insert calls would fail with a server error. With this fix, the UNIQUE_VIOLATION error is caught, and the previously failed insert will update the task if the rank is higher. This bug was first seen in v37.3.0

▶ [patch] #3767 This version adjusts the Python client requirements to avoid aiohttp==3.7.0, which has a serious bug preventing use of HTTPS.

DEVELOPERS

▶ [patch] #3502

... (truncated)

Commits

• b43fdc4 v38.0.1
• ee2ca7c Merge pull request #3818 from djmitche/fix-docker-release
• 2903dac fix docker-worker's release.sh
• 4f19d75 Merge pull request #3814 from renovate-bot/renovate/karma-firefox-launcher-2.x
• b0cb889 Merge pull request #3810 from djmitche/issue3738
• b49cb60 v38.0.0
• ae11dcf Merge pull request #3813 from renovate-bot/renovate/hawk-8.x
• 3869e41 Merge pull request #3811 from djmitche/issue3793
• 1b9c6f9 Update dependency karma-firefox-launcher to v2
• 1aafea8 Use a signed URL to download public/actions.json
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)