mozilla-releng / balrog

90%

main: 90%

LAST BUILD ON BRANCH fix-require-signoff-when-modif

branch: fix-require-signoff-when-modif

CHANGE BRANCH

x

Reset

• fix-require-signoff-when-modif
• 20250501
• HEAD
• SVCSE-3344
• ahal/push-klkkzvmwunko
• ahal/push-lnpkkyxvuquk
• ahal/push-lsunytmtzqnv
• ahal/push-mklnsqmuksnv
• ahal/push-nztpozkmxqum
• ahal/push-omrtyztkomrn
• ahal/push-pvmxttzqrzrm
• ahal/push-pwpkutknwovm
• ahal/push-qxoxonntoooy
• ahal/push-roolztnzrown
• ahal/push-rwonorwzozkv
• ahal/push-sqzmozqnullt
• ahal/push-uksmmokkqkvy
• ahal/push-ulksryrykpvo
• ahal/push-uoluqmrlrplt
• ahal/push-utxxklpzvtpn
• ahal/push-zmlxunxllrrs
• ahal/wxrwlkoxuovy
• alembic
• app-factory
• app.testing
• auth0
• auth0-bump
• axios-bump
• badinputs-minus-one
• batch-user
• better-force-validation
• better-uwsgi-config
• biome
• bug1934516
• bug1995275
• bug1998957
• bug2001951
• bug2014809
• bump
• bump-3.117
• bump-3.65
• bump-3.66
• bump-3.73
• bump-3.74
• bump-3.83
• bump-3.96
• bump-3.98
• bump-399
• bump-deps
• bump-frontend-deps
• bump-pydeps
• bump-taskgraph
• bump-v3.105
• bump-v3.106
• bump-v3.72
• bump-v3.79
• bump-version
• bump-version-for-next-release
• bumps
• bumubumubumu
• change-case-update
• chore-version-bump-3.115
• chore-version-bump-3.116
• ciscotest-staging
• cleanup
• client-out-of-workspace
• codemirror-react17
• codeowners
• compose
• compose-links
• connexion3
• cors-fix
• css-loader
• decision-v12.1.0
• dedup-dockerfiles
• dependabot
• dependabot/npm_and_yarn/ui/axios-0.30.0
• dependabot/npm_and_yarn/ui/axios-1.11.0
• dependabot/npm_and_yarn/ui/axios-1.12.0
• dependabot/npm_and_yarn/ui/axios-1.7.9
• dependabot/npm_and_yarn/ui/axios-1.8.1
• dependabot/npm_and_yarn/ui/axios-1.8.2
• dependabot/npm_and_yarn/ui/axios-1.8.3
• dependabot/npm_and_yarn/ui/axios-1.8.4
• dependabot/npm_and_yarn/ui/babel/core-7.26.10
• dependabot/npm_and_yarn/ui/babel/core-7.26.7
• dependabot/npm_and_yarn/ui/babel/core-7.26.8
• dependabot/npm_and_yarn/ui/babel/core-7.26.9
• dependabot/npm_and_yarn/ui/babel/preset-env-7.26.7
• dependabot/npm_and_yarn/ui/babel/preset-env-7.26.8
• dependabot/npm_and_yarn/ui/babel/preset-env-7.26.9
• dependabot/npm_and_yarn/ui/babel/preset-react-7.26.3
• dependabot/npm_and_yarn/ui/babel/runtime-7.26.10
• dependabot/npm_and_yarn/ui/deps-27c316fb00
• dependabot/npm_and_yarn/ui/deps-2eb76f7ce8
• dependabot/npm_and_yarn/ui/deps-4a5c1193a4
• dependabot/npm_and_yarn/ui/deps-5287079acf
• dependabot/npm_and_yarn/ui/deps-841103860b
• dependabot/npm_and_yarn/ui/deps-a9c67bf045
• dependabot/npm_and_yarn/ui/deps-ca98a7f723
• dependabot/npm_and_yarn/ui/deps-e3dc5e1b81
• dependabot/npm_and_yarn/ui/deps-eaa1054ea9
• dependabot/npm_and_yarn/ui/deps-fdb5fc8b59
• dependabot/npm_and_yarn/ui/diff-8.0.3
• dependabot/npm_and_yarn/ui/dotenv-16.4.7
• dependabot/npm_and_yarn/ui/dotenv-16.5.0
• dependabot/npm_and_yarn/ui/dotenv-cli-8.0.0
• dependabot/npm_and_yarn/ui/downshift-9.0.9
• dependabot/npm_and_yarn/ui/elliptic-6.6.1
• dependabot/npm_and_yarn/ui/eslint-config-prettier-10.0.1
• dependabot/npm_and_yarn/ui/eslint-config-prettier-10.0.2
• dependabot/npm_and_yarn/ui/eslint-config-prettier-10.1.1
• dependabot/npm_and_yarn/ui/eslint-config-prettier-10.1.2
• dependabot/npm_and_yarn/ui/eslint-plugin-jest-28.11.0
• dependabot/npm_and_yarn/ui/eslint-plugin-jest-28.12.0
• dependabot/npm_and_yarn/ui/eslint-plugin-react-7.37.4
• dependabot/npm_and_yarn/ui/js-yaml-3.14.2
• dependabot/npm_and_yarn/ui/lodash-4.17.23
• dependabot/npm_and_yarn/ui/node-forge-1.3.2
• dependabot/npm_and_yarn/ui/pbkdf2-3.1.3
• dependabot/npm_and_yarn/ui/prettier-3.4.2
• dependabot/npm_and_yarn/ui/prettier-3.5.0
• dependabot/npm_and_yarn/ui/prettier-3.5.1
• dependabot/npm_and_yarn/ui/prettier-3.5.2
• dependabot/npm_and_yarn/ui/prettier-3.5.3
• dependabot/npm_and_yarn/ui/qs-6.14.0
• dependabot/npm_and_yarn/ui/qs-6.14.1
• dependabot/npm_and_yarn/ui/react-codemirror2-8.0.1
• dependabot/npm_and_yarn/ui/react-diff-view-3.3.1
• dependabot/npm_and_yarn/ui/react-number-format-5.4.3
• dependabot/npm_and_yarn/ui/react-number-format-5.4.4
• dependabot/npm_and_yarn/ui/react-router-7.12.0
• dependabot/npm_and_yarn/ui/react-router-dom-6.28.2
• dependabot/npm_and_yarn/ui/react-router-dom-6.29.0
• dependabot/npm_and_yarn/ui/react-router-dom-6.30.0
• dependabot/npm_and_yarn/ui/typescript-5.7.3
• dependabot/npm_and_yarn/ui/typescript-5.8.2
• dependabot/npm_and_yarn/ui/webpack-dev-server-5.2.0
• dependabot/npm_and_yarn/ui/webpack-dev-server-5.2.1
• dependabot/pip/agent/requirements/aiohttp-3.12.14
• dependabot/pip/agent/requirements/black-25.1.0
• dependabot/pip/agent/requirements/flake8-7.2.0
• dependabot/pip/agent/requirements/isort-6.0.0
• dependabot/pip/agent/requirements/pip-compile-multi-2.8.0
• dependabot/pip/agent/requirements/pytest-asyncio-0.25.0
• dependabot/pip/agent/requirements/pytest-asyncio-0.26.0
• dependabot/pip/agent/requirements/sentry-sdk-2.21.0
• dependabot/pip/agent/requirements/sentry-sdk-2.22.0
• dependabot/pip/agent/requirements/sentry-sdk-2.24.0
• dependabot/pip/agent/requirements/sentry-sdk-2.24.1
• dependabot/pip/agent/requirements/tox-4.25.0
• dependabot/pip/requirements/auth0-python-4.8.0
• dependabot/pip/requirements/connexion-3.2.0
• dependabot/pip/requirements/cryptography-44.0.1
• dependabot/pip/requirements/deps-7b3319e34f
• dependabot/pip/requirements/flake8-7.2.0
• dependabot/pip/requirements/google-cloud-storage-2.19.0
• dependabot/pip/requirements/google-cloud-storage-3.0.0
• dependabot/pip/requirements/hypothesis-6.122.3
• dependabot/pip/requirements/hypothesis-6.130.3
• dependabot/pip/requirements/hypothesis-6.130.5
• dependabot/pip/requirements/hypothesis-6.131.0
• dependabot/pip/requirements/mozilla-version-3.2.0
• dependabot/pip/requirements/pip-compile-multi-3.1.0
• dependabot/pip/requirements/pyjwt-2.10.1
• dependabot/pip/requirements/pytest-asyncio-0.25.0
• dependabot/pip/requirements/pytest-asyncio-0.26.0
• dependabot/pip/requirements/python-jose-3.4.0
• dependabot/pip/requirements/requests-2.32.4
• dependabot/pip/requirements/sentry-sdk-flask--2.21.0
• dependabot/pip/requirements/sentry-sdk-flask--2.22.0
• dependabot/pip/requirements/sentry-sdk-flask--2.24.0
• dependabot/pip/requirements/sentry-sdk-flask--2.24.1
• dependabot/pip/requirements/setuptools-75.6.0
• dependabot/pip/requirements/setuptools-76.0.0
• dependabot/pip/requirements/setuptools-78.1.0
• dependabot/pip/requirements/setuptools-79.0.0
• dependabot/pip/requirements/sqlalchemy-2.0.37
• dependabot/pip/requirements/sqlalchemy-2.0.38
• dependabot/pip/requirements/sqlalchemy-2.0.39
• dependabot/pip/requirements/sqlalchemy-2.0.40
• dependabot/pip/requirements/tox-4.24.1
• dependabot/pip/requirements/tox-4.25.0
• dependabot/uv/client/filelock-3.20.3
• dependabot/uv/client/urllib3-2.6.3
• dependabot/uv/client/virtualenv-20.36.1
• dependabot/uv/filelock-3.20.3
• dependabot/uv/pyasn1-0.6.2
• dependabot/uv/python-multipart-0.0.22
• dependabot/uv/virtualenv-20.36.1
• dependabot/uv/werkzeug-3.1.5
• deps
• deps-20241212
• deps-20250109
• deps-20250311
• deps-20250320
• deps-20250403
• deps-20250612
• deps-20251113
• disable-error-overlay
• docs-fix-documentation-around-
• docs-fix-rendering-of-table-of
• docs-fixes
• dont-create-empty-transactions
• dotenv
• drop-py39
• error-handlers
• etoomanyosversions
• fast-refresh
• feat-capture-and-send-metrics-
• fix-auth0-auth-expiry
• fix-auth0-warning
• fix-bug-2043228-allow-renovate
• fix-change-lockfilemaintenance
• fix-doc-link
• fix-guardian-db-fixture
• fix-interceptors-leak
• fix-minTime
• fix-move-aus-api.mozilla.org-d
• fix-refresh-token-not-trying-to-refresh
• fix-rule-cards-always-having-disabled-actions
• fix-ssl-config
• fix-use-csp-compatible-name-fo
• fix-uv-locked
• fix-version-in-decision-task
• flask-error-handler
• flask-request
• flask_app
• flaskapp
• frontend-deps
• gunicorn
• handleGeneralExceptions
• heads/refs/heads/main
• hneiva/3.107
• hneiva/black-update
• hneiva/bump
• hneiva/docs-infra
• hneiva/fix-backend-docker
• hneiva/repin
• hneiva/tox-upgrade
• hneiva/vbump
• honey-i-shrunk-the-diffs
• hypothesis-pin
• i-love-shell-programming
• ignore-auth0-errors
• ignore-coveralls-failures
• insert-a-joke-about-leftpad-here
• issue3345
• issue3387
• issue3567
• issue3746
• its-dangerous-to-go-alone-take-this-state
• jest
• js-reduce-overscan
• json-apprelease
• list-rules-wildcards
• localdev-mysql-interval
• main
• make-ciscotest-permanent
• minor-doc-updates-around-deplo
• more-unused-stuff
• move-deploy-config
• nginx-rewrite-api
• no-compress
• no-explicit-autoincrement-insert
• no-refresh-tokens
• omit-omit
• oops-forgot-some-garbage
• opt-get-releases
• opt-js-filter-releases
• opt-js-remove-finds-in-rules
• opt-js-virtual-rendering
• optimize-db-dump-query
• orjson
• patch-1
• patch-3
• pip-compile-multi-uv
• pip-warnings
• post-release-bump
• pr-complete
• prop-types-gone
• push-kspsyxyvzxlm
• push-ktlvmuwzmmku
• push-kuzotqomuqsu
• push-kxqrywwkroyk
• push-lpwrtlyptpuo
• push-lskwuwlyzsuq
• push-lxvuyvlvozsn
• push-mtwtkyslmszz
• push-mvrypxsmqxyz
• push-myoutovxkoxq
• push-noukootkpnov
• push-nurtwknyysvz
• push-nzprtvtyuvss
• push-pkmnutnxosww
• push-psrxtntrlwky
• push-psxzpyzyslpk
• push-qkrluwnwqkrl
• push-qpxyuxyuxunw
• push-qtoqstsxyuot
• push-quqtwozkovvp
• push-qwwxzosvwkno
• push-sprtttypyyzk
• push-szunttnpnkul
• push-tlqmtqtyrlyk
• push-tmmsyrnmonkl
• push-tqmrvkuqqryp
• push-txswrroxrkyr
• push-uoyyzvzqmtsw
• push-uppyvvonzzto
• push-uxqvqslzwzkw
• push-vouxxqqovosp
• push-vynzoznvykqq
• push-wpnxuxpuwvol
• push-wqtoxvrmnnts
• push-xnmtlmxkzmuv
• push-xnpvzrtvrmxt
• push-xrznnuxxqupy
• push-ylskmyrmzltr
• push-yqnnuysoyrkn
• push-yuyxsqvuvorx
• push-yywslzkxunxs
• push-zkspnmxpyyvy
• push-zwkqnnxyxxuk
• push-zymsuryzunpu
• py313
• pydeps
• pytest-config
• python-deps
• query-release-mapping
• ramda
• re-enable-refresh-tokens
• react-comment-smash-that-bell
• react-number-format
• redis-retry
• refresh-tokens-third-times-the-charm
• reject-empty-pin
• reland-auth0
• release-thread-safety
• remove-docker-compose-indirection
• remove-dotenv
• remove-engines-package-json
• remove-html-loader
• remove-mozilla-frontend-infra-components
• remove-mui-lab
• remove-old-auth0-config
• remove-react-router-dom
• remove-style-loader
• remove-taskgraph-ui-deploy-tas
• remove-useless-babel-plugin
• remove-useless-dep
• remove-worker-loader
• remove-yet-another-dep
• renovate/actions-checkout-6.x
• renovate/actions-checkout-digest
• renovate/actions-setup-node-digest
• renovate/black-26.x
• renovate/configure
• renovate/debian-13.x
• renovate/debian-trixie
• renovate/diff-9.x
• renovate/docker-dependencies
• renovate/docker-login-action-3.x
• renovate/docker-login-action-4.x
• renovate/ghcr.io-astral-sh-uv-python3.13-trixie-slim
• renovate/github-actions
• renovate/golang-1.25
• renovate/golang-1.26
• renovate/google-github-actions-auth-3.x
• renovate/js-dependencies
• renovate/lock-file-maintenance-agent/pyproject.toml
• renovate/lock-file-maintenance-client/pyproject.toml
• renovate/lock-file-maintenance-npm
• renovate/lock-file-maintenance-pep621
• renovate/mozilla-autograph-latest
• renovate/mozillareleases-taskgraph-14.x
• renovate/mozillareleases-taskgraph-18.x
• renovate/mozillareleases-taskgraph-23.x
• renovate/mozillareleases-taskgraph-24.x
• renovate/mui-icons-material-9.x
• renovate/mui-material-9.x
• renovate/mui-system-9.x
• renovate/mui-x-date-pickers-9.x
• renovate/mysql-8.0-debian
• renovate/nginx-1.29
• renovate/node-24
• renovate/node-24.x
• renovate/npm-axios-vulnerability
• renovate/npm-qs-vulnerability
• renovate/npm-webpack-dev-server-vulnerability
• renovate/pin-dependencies
• renovate/pypi-black-vulnerability
• renovate/python-3.13-slim-bookworm
• renovate/python-dependencies
• renovate/redis-8-alpine
• renovate/setuptools-82.x
• renovate/sqlalchemy-2.x
• renovate/webpack-cli-7.x
• restore-utf8-locale-in-containers
• revert-3458-pip-compile-multi-uv
• revert-3466-dotenv
• revert-auth0
• revert-ciscotest
• revert-connexion3
• revert-read-only-support
• revert-refreh-tokens-again
• rtd-uv
• rull-diff-edit
• sc-rs-fix
• sentry-ignore-validation-errors
• setuptools
• shutoff-signoff
• sphinx
• split-python-lints
• sqlite-threads
• staging
• staging-update
• statsd-pipeline
• taskgraph
• test-recursive-json
• tests-without-app
• trixie
• try-buildkite
• unpin-deps
• update-deps
• update-python-deps
• update-version
• updates-disabled-cache
• uv
• uv-lock-3.107
• uv-locked-backend-tests
• vBump
• vbump
• version-bump
• version_bump
• virtual-dom-deps
• vpn-strictversion
• warn-once
• we-dont-need-two-diff-libraries
• webpack
• who-cleans-the-cleaner
• why-did-it-take-me-so-long-to-fix-this
• xz-oom-fix-maybe-perhaps-probably-this-time-for-sure
• zizmor-auto-fixes

Build # #5624

Build Type

Pull #3836

circleci

Committed by bhearsum

Commit Message

fix: require signoff when modifying only a base release or only adding a new asset

We received a report that demonstrated that assets can be inserted or modified for protected releases could be inserted without signoff. It turns out that the check being fix here was broken in two ways:
1) It only required signoff if the base blob _and_ and an asset were being modified
2) It didn't compare assets correctly at all, so `current_assets != new_assets` was always true (this meant that #1 was mitigated...but only because of this bug).

This addresses both issues, and fixes https://bugzilla.mozilla.org/show_bug.cgi?id=2047458.

Pull Request Pull Request #3836: fix: require signoff when modifying only a base release or only adding a new asset

Coverage Stats

2192 of 2574 branches covered (85.16%)

Branch coverage included in aggregate %.

3 of 3 new or added lines in 1 file covered. (100.0%)

5770 of 6278 relevant lines covered (91.91%)

0.92 hits per line