mozilla · jcristau · Feb 11, 2026 · Feb 11, 2026
diff --git a/taskcluster/config.yml b/taskcluster/config.yml
@@ -413,6 +413,7 @@ try:
 release-promotion:
     products:
         - 'devedition'
+        - 'enterprise-firefox'
         - 'fennec'
         - 'firefox'
         - 'firefox-android'

diff --git a/taskcluster/gecko_taskgraph/actions/registry.py b/taskcluster/gecko_taskgraph/actions/registry.py
@@ -6,6 +6,7 @@
 from types import FunctionType
 
 from mozbuild.util import memoize
+from mozilla_repo_urls import parse
 from taskgraph import create
 from taskgraph.config import load_graph_config
 from taskgraph.parameters import Parameters
@@ -168,13 +169,17 @@ def action_builder(parameters, graph_config, decision_task_id):
                 return None
 
             # gather up the common decision-task-supplied data for this action
-            repo_param = "{}head_repository".format(
+            base_repo_param = "{}base_repository".format(
+                graph_config["project-repo-param-prefix"]
+            )
+            head_repo_param = "{}head_repository".format(
                 graph_config["project-repo-param-prefix"]
             )
             repository = {
-                "url": parameters[repo_param],
+                "url": parameters[head_repo_param],
                 "project": parameters["project"],
                 "level": parameters["level"],
+                "base_url": parameters[base_repo_param],
             }
 
             revision = parameters[
@@ -236,10 +241,15 @@ def action_builder(parameters, graph_config, decision_task_id):
             if "/" in permission:
                 raise Exception("`/` is not allowed in action names; use `-`")
 
+            if parameters["tasks_for"].startswith("github-pull-request"):
+                hookId = f"in-tree-pr-action-{level}-{permission}/{tcyml_hash}"
+            else:
+                hookId = f"in-tree-action-{level}-{permission}/{tcyml_hash}"
+
             rv.update({
                 "kind": "hook",
                 "hookGroupId": f"project-{trustDomain}",
-                "hookId": f"in-tree-action-{level}-{permission}/{tcyml_hash}",
+                "hookId": hookId,
                 "hookPayload": {
                     # provide the decision-task parameters as context for triggerHook
                     "decision": {
@@ -312,15 +322,20 @@ def sanity_check_task_scope(callback, parameters, graph_config):
     else:
         raise Exception(f"No action with cb_name {callback}")
 
-    repo_param = "{}head_repository".format(graph_config["project-repo-param-prefix"])
-    head_repository = parameters[repo_param]
-    expected_scope = f"assume:repo:{head_repository[8:]}:action:{action.permission}"
+    base_repo_param = "{}base_repository".format(graph_config["project-repo-param-prefix"])
+    parsed_base_url = parse(parameters[base_repo_param])
+    head_repo_param = "{}head_repository".format(graph_config["project-repo-param-prefix"])
+    parsed_head_url = parse(parameters[head_repo_param])
+    action_scope = f"assume:{parsed_head_url.taskcluster_role_prefix}:action:{action.permission}"
+    pr_action_scope = f"assume:{parsed_base_url.taskcluster_role_prefix}:pr-action:{action.permission}"
 
     # the scope should appear literally; no need for a satisfaction check. The use of
     # get_current_scopes here calls the auth service through the Taskcluster Proxy, giving
     # the precise scopes available to this task.
-    if expected_scope not in taskcluster.get_current_scopes():
-        raise Exception(f"Expected task scope {expected_scope} for this action")
+    if not set((action_scope, pr_action_scope)) & set(taskcluster.get_current_scopes()):
+        raise ValueError(
+            f"Expected task scope {action_scope} or {pr_action_scope} for this action"
+        )
 
 
 def trigger_action_callback(

diff --git a/taskcluster/gecko_taskgraph/target_tasks.py b/taskcluster/gecko_taskgraph/target_tasks.py
@@ -491,6 +491,9 @@ def filter(task):
         ):
             return False
 
+        if task.attributes.get("shipping_product") not in (None, "enterprise-firefox"):
+            return False
+
         build_platform = task.attributes.get("build_platform")
         build_type = task.attributes.get("build_type")
         shippable = task.attributes.get("shippable", False)

diff --git a/taskcluster/gecko_taskgraph/util/taskgraph.py b/taskcluster/gecko_taskgraph/util/taskgraph.py
@@ -6,20 +6,30 @@
 Tools for interacting with existing taskgraphs.
 """
 
+from taskcluster import TaskclusterRestFailure
 from taskgraph.util.taskcluster import find_task_id, get_artifact
 
 
 def find_decision_task(parameters, graph_config):
     """Given the parameters for this action, find the taskId of the decision
     task"""
     head_rev_param = "{}head_rev".format(graph_config["project-repo-param-prefix"])
-    return find_task_id(
-        "{}.v2.{}.revision.{}.taskgraph.decision".format(
-            graph_config["trust-domain"],
-            parameters["project"],
-            parameters[head_rev_param],
+    try:
+        return find_task_id(
+            "{}.v2.{}.revision.{}.taskgraph.decision".format(
+                graph_config["trust-domain"],
+                parameters["project"],
+                parameters[head_rev_param],
+            )
+        )
+    except TaskclusterRestFailure:
+        return find_task_id(
+            "{}.v2.{}-pr.revision.{}.taskgraph.decision".format(
+                graph_config["trust-domain"],
+                parameters["project"],
+                parameters[head_rev_param],
+            )
         )
-    )
 
 
 def find_existing_tasks(previous_graph_ids):

diff --git a/taskcluster/kinds/build/linux.yml b/taskcluster/kinds/build/linux.yml
@@ -62,7 +62,7 @@ linux64-enterprise-shippable/opt:
         enable-build-signing: true
         enable-full-crashsymbols: true
     shipping-phase: build
-    shipping-product: firefox
+    shipping-product: enterprise-firefox
     treeherder:
         platform: linux64-enterprise-shippable/opt
         symbol: Bpgo(Bent)
@@ -114,7 +114,6 @@ linux64-enterprise/opt:
     attributes:
         enable-full-crashsymbols: true
     shipping-phase: build
-    shipping-product: firefox
     treeherder:
         platform: linux64-enterprise/opt
         symbol: Bent
@@ -1875,7 +1874,7 @@ linux64-aarch64-enterprise-shippable/opt:
         enable-full-crashsymbols: true
         skip-verify-test-packaging: true
     shipping-phase: build
-    shipping-product: firefox
+    shipping-product: enterprise-firefox
     treeherder:
         platform: linux64-aarch64-enterprise-shippable/opt
         symbol: Bpgo(Bent)

diff --git a/taskcluster/kinds/build/macosx.yml b/taskcluster/kinds/build/macosx.yml
@@ -217,7 +217,7 @@ macosx64-enterprise-shippable/opt:
         enable-build-signing: true
         enable-full-crashsymbols: true
     shipping-phase: build
-    shipping-product: firefox
+    shipping-product: enterprise-firefox
     treeherder:
         platform: osx-cross-enterprise-shippable/opt
         symbol: Bpgo(Bent)
@@ -256,7 +256,6 @@ macosx64-enterprise/opt:
         enable-build-signing: true
         enable-full-crashsymbols: true
     shipping-phase: build
-    shipping-product: firefox
     treeherder:
         platform: osx-cross-enterprise/opt
         symbol: Bent

diff --git a/taskcluster/kinds/build/windows.yml b/taskcluster/kinds/build/windows.yml
@@ -485,7 +485,7 @@ win64-enterprise-shippable/opt:
         enable-build-signing: true
         enable-full-crashsymbols: true
     shipping-phase: build
-    shipping-product: firefox
+    shipping-product: enterprise-firefox
     treeherder:
         platform: windows2012-64-enterprise-shippable/opt
         symbol: Bpgo(Bent)
@@ -541,7 +541,6 @@ win64-enterprise/opt:
         enable-build-signing: true
         enable-full-crashsymbols: true
     shipping-phase: build
-    shipping-product: firefox
     treeherder:
         platform: windows2012-64-enterprise/opt
         symbol: Bent

diff --git a/taskcluster/kinds/enterprise-repack-mac-notarization/kind.yml b/taskcluster/kinds/enterprise-repack-mac-notarization/kind.yml
@@ -24,6 +24,6 @@ tasks:
         from-deps:
             group-by: partner-repack-ids
             copy-attributes: true
-        shipping-product: firefox
+        shipping-product: enterprise-firefox
         # TODO: shipping-phase: promote
         copy-repack-ids: true
diff --git a/taskcluster/kinds/enterprise-repack-mac-signing/kind.yml b/taskcluster/kinds/enterprise-repack-mac-signing/kind.yml
@@ -23,6 +23,6 @@ tasks:
     enterprise-repack-mac-signing:
         from-deps:
             group-by: partner-repack-ids
-        shipping-product: firefox
+        shipping-product: enterprise-firefox
         # TODO: shipping-phase: promote
         repacks-per-chunk: 1
diff --git a/taskcluster/kinds/enterprise-repack/kind.yml b/taskcluster/kinds/enterprise-repack/kind.yml
@@ -30,7 +30,7 @@ task-defaults:
             in-tree: "partner-repack"
         chain-of-trust: true
         max-run-time: 7200
-    shipping-product: firefox
+    shipping-product: enterprise-firefox
     shipping-phase: build
     run:
         using: mozharness