Update taskcluster requirement from >=24.0.0 to >=99.2.0

[dependabot]

Updates the requirements on taskcluster to permit the latest version.

Release notes

Sourced from taskcluster's releases.

v99.2.0

DEPLOYERS

▶ [minor] #8243 Add optional Kubernetes Gateway API support (Gateway, HTTPRoute, HealthCheckPolicy) as an alternative to the existing Ingress resource. These new resources are only rendered when ingressType: gateway is set in Helm values, so existing Ingress-based deployments are unaffected and no new CRDs or skipResourceTypes entries are required.

To adopt Gateway API for traffic routing, set ingressType: gateway along with gatewayClassName, and for GKE regional external ALBs, gatewayStaticIpName and gcpManagedCertName. Both Ingress and Gateway API resources will be rendered side-by-side, letting you migrate at your own pace; add ingress to skipResourceTypes once the Gateway setup is validated to stop rendering the legacy Ingress.

See the Gateway API section of the dev deployment docs for setup instructions.

▶ [patch] #8526 Fixed the Azure provider's deprovisionResource wasting a worker-scanner cycle per resource when the backing VM/NIC/IP/disk had already been removed out-of-band (e.g. ARM cascade-delete via deleteOption: 'Delete', Spot preemption). Previously the pre-flight GET was skipped whenever the worker still had a stored id, so the scanner fired a no-op beginDelete first and only discovered the resource was gone on the following cycle. The helper now always performs the pre-flight GET, so a missing resource is marked deleted immediately and the reap chain continues in a single cycle, shortening the STOPPING tail for affected Azure pools.

▶ [patch] The default sendDeadline for the pulse publisher has been raised from 12 seconds to 30 seconds. Under load, RabbitMQ blocking and client reconnects could consume most of the 12-second budget before a single publish-confirm round-trip completed, causing cascading PulsePublisher.sendDeadline exceeded errors. The new default gives more headroom while still remaining below typical HTTP proxy timeouts. Services can override this per-publisher via the sendDeadline option to exchanges.publisher().

▶ [patch] bug 2028956 Worker Manager's Azure registration flow now restricts intermediate certificate downloads to trusted certificate distribution endpoints and records rejected certificate URLs in service logs.

WORKER-DEPLOYERS

▶ [patch] bug 2032277 worker-runner now tightens the permissions of its configuration file (typically runner.yml / worker-runner.json) to be readable only by its owner before reading it, and logs a warning if the file was previously group- or world-readable. This closes an exposure where a task running on a worker using the static provider could read the staticSecret out of a loosely-permissioned runner config and impersonate the worker via registerWorker. Worker deployers using the static provider should update their provisioning so the runner config is created with mode 0600 (or the equivalent owner-only ACL on Windows) from the start.

USERS

▶ [patch] #8534 Fix a 500 raised from hooks.triggerHook when a hook's task template evaluates to nothing. The endpoint now correctly replies with an empty object in that case.

▶ [patch] #8529 Fix a bug in queue.createTask where idempotent retries could insert multiple rows into the queue_task_deadlines table for a single task. Once those duplicates became visible, several deadline-resolver instances could pick up the same task concurrently, the first cancelled it, and the others crashed because they assumed they were the only one working on the cancellation of said task. A new unique constraint on task_id now prevents duplicate deadline rows, and the migration deduplicates any existing stale rows.

OTHER

▶ Additional changes not described here: #3684, #8540.

Automated Package Updates

• build(deps): bump postcss from 8.5.6 to 8.5.10 (97fbba720e)

... (truncated)

Changelog

Sourced from taskcluster's changelog.

v99.2.0

DEPLOYERS

▶ [minor] #8243 Add optional Kubernetes Gateway API support (Gateway, HTTPRoute, HealthCheckPolicy) as an alternative to the existing Ingress resource. These new resources are only rendered when ingressType: gateway is set in Helm values, so existing Ingress-based deployments are unaffected and no new CRDs or skipResourceTypes entries are required.

To adopt Gateway API for traffic routing, set ingressType: gateway along with gatewayClassName, and for GKE regional external ALBs, gatewayStaticIpName and gcpManagedCertName. Both Ingress and Gateway API resources will be rendered side-by-side, letting you migrate at your own pace; add ingress to skipResourceTypes once the Gateway setup is validated to stop rendering the legacy Ingress.

See the Gateway API section of the dev deployment docs for setup instructions.

▶ [patch] #8526 Fixed the Azure provider's deprovisionResource wasting a worker-scanner cycle per resource when the backing VM/NIC/IP/disk had already been removed out-of-band (e.g. ARM cascade-delete via deleteOption: 'Delete', Spot preemption). Previously the pre-flight GET was skipped whenever the worker still had a stored id, so the scanner fired a no-op beginDelete first and only discovered the resource was gone on the following cycle. The helper now always performs the pre-flight GET, so a missing resource is marked deleted immediately and the reap chain continues in a single cycle, shortening the STOPPING tail for affected Azure pools.

▶ [patch] The default sendDeadline for the pulse publisher has been raised from 12 seconds to 30 seconds. Under load, RabbitMQ blocking and client reconnects could consume most of the 12-second budget before a single publish-confirm round-trip completed, causing cascading PulsePublisher.sendDeadline exceeded errors. The new default gives more headroom while still remaining below typical HTTP proxy timeouts. Services can override this per-publisher via the sendDeadline option to exchanges.publisher().

▶ [patch] bug 2028956 Worker Manager's Azure registration flow now restricts intermediate certificate downloads to trusted certificate distribution endpoints and records rejected certificate URLs in service logs.

WORKER-DEPLOYERS

▶ [patch] bug 2032277 worker-runner now tightens the permissions of its configuration file (typically runner.yml / worker-runner.json) to be readable only by its owner before reading it, and logs a warning if the file was previously group- or world-readable. This closes an exposure where a task running on a worker using the static provider could read the staticSecret out of a loosely-permissioned runner config and impersonate the worker via registerWorker. Worker deployers using the static provider should update their provisioning so the runner config is created with mode 0600 (or the equivalent owner-only ACL on Windows) from the start.

USERS

▶ [patch] #8534 Fix a 500 raised from hooks.triggerHook when a hook's task template evaluates to nothing. The endpoint now correctly replies with an empty object in that case.

▶ [patch] #8529 Fix a bug in queue.createTask where idempotent retries could insert multiple rows into the queue_task_deadlines table for a single task. Once those duplicates became visible, several deadline-resolver instances could pick up the same task concurrently, the first cancelled it, and the others crashed because they assumed they were the only one working on the cancellation of said task. A new unique constraint on task_id now prevents duplicate deadline rows, and the migration deduplicates any existing stale rows.

OTHER

▶ Additional changes not described here: #3684, #8540.

Automated Package Updates

... (truncated)

Commits

• bc2efe2 v99.2.0
• 5d4848c Merge pull request #8541 from Kelpy2004/codex/fix-worker-manager-doc-links
• 920cfd0 Add changelog entry for issue 8540
• a8166c8 Fix worker-manager provider doc links
• 4f09a7e Merge pull request #8539 from taskcluster/dependabot/npm_and_yarn/postcss-8.5.10
• 97fbba7 build(deps): bump postcss from 8.5.6 to 8.5.10
• 34b5d3d Merge pull request #8538 from taskcluster/dependabot/cargo/clients/client-rus...
• ae9c062 build(deps): bump rustls-webpki in /clients/client-rust
• e1ecd49 Merge pull request #8535 from Eijebong/fix-deadline-uniqueness
• f43d17b Catch cancellation no-ops early in the deadline resolver
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)