escapewindow/gist:19e81c290b665a6bf5c358222c16f654

## gistfile1.txt
diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml
--- a/taskcluster/ci/config.yml
+++ b/taskcluster/ci/config.yml
@@ -465,17 +465,20 @@ workers:
             implementation: docker-worker
             os: linux
             worker-type: misc


 mac-notarization:
     mac-behavior:
         by-project:
-            mozilla-(central|beta|release|esr.*): mac_notarize
+            mozilla-(central|beta|release|esr.*):
+                by-shippable:
+                    true: mac_notarize
+                    default: mac_sign_and_pkg
             default: mac_sign_and_pkg
     mac-entitlements:
         by-platform:
             macosx64.*:
                 by-release-level:
                     production: security/mac/hardenedruntime/production.entitlements.xml
                     default: security/mac/hardenedruntime/developer.entitlements.xml
             default: ''
diff --git a/taskcluster/taskgraph/config.py b/taskcluster/taskgraph/config.py
--- a/taskcluster/taskgraph/config.py
+++ b/taskcluster/taskgraph/config.py
@@ -83,17 +83,17 @@ graph_config_schema = Schema({
                 Required('implementation'): text_type,
                 Required('os'): text_type,
                 Required('worker-type'): optionally_keyed_by('level', 'release-level', text_type),
             }
         },
     },
     Required('mac-notarization'): {
         Required('mac-behavior'):
-            optionally_keyed_by('project',
+            optionally_keyed_by('project', 'shippable',
                                 Any('mac_notarize', 'mac_geckodriver', 'mac_sign',
                                     'mac_sign_and_pkg')),
         Required('mac-entitlements'):
             optionally_keyed_by('platform', 'release-level', text_type),
     },
     Required("taskgraph"): {
         Optional(
             "register",
diff --git a/taskcluster/taskgraph/transforms/signing.py b/taskcluster/taskgraph/transforms/signing.py
--- a/taskcluster/taskgraph/transforms/signing.py
+++ b/taskcluster/taskgraph/transforms/signing.py
@@ -179,17 +179,20 @@ def make_task_description(config, jobs):
             'shipping-product': job.get('shipping-product'),
             'shipping-phase': job.get('shipping-phase'),
         }

         if 'macosx' in build_platform:
             mac_behavior = evaluate_keyed_by(
                 config.graph_config['mac-notarization']['mac-behavior'],
                 'mac behavior',
-                {'project': config.params['project']},
+                {
+                    'project': config.params['project'],
+                    'shippable': "shippable" in attributes and attributes["shippable"],
+                },
             )
             if mac_behavior == 'mac_notarize':
                 if 'part-1' in config.kind:
                     mac_behavior = 'mac_notarize_part_1'
                 elif config.kind.endswith('signing'):
                     mac_behavior = 'mac_notarize_part_3'
                 else:
                     raise Exception("Unknown kind {} for mac_behavior!".format(config.kind))
	diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml
	--- a/taskcluster/ci/config.yml
	+++ b/taskcluster/ci/config.yml
	@@ -465,17 +465,20 @@ workers:
	implementation: docker-worker
	os: linux
	worker-type: misc


	mac-notarization:
	mac-behavior:
	by-project:
	- mozilla-(central\|beta\|release\|esr.*): mac_notarize
	+ mozilla-(central\|beta\|release\|esr.*):
	+ by-shippable:
	+ true: mac_notarize
	+ default: mac_sign_and_pkg
	default: mac_sign_and_pkg
	mac-entitlements:
	by-platform:
	macosx64.*:
	by-release-level:
	production: security/mac/hardenedruntime/production.entitlements.xml
	default: security/mac/hardenedruntime/developer.entitlements.xml
	default: ''
	diff --git a/taskcluster/taskgraph/config.py b/taskcluster/taskgraph/config.py
	--- a/taskcluster/taskgraph/config.py
	+++ b/taskcluster/taskgraph/config.py
	@@ -83,17 +83,17 @@ graph_config_schema = Schema({
	Required('implementation'): text_type,
	Required('os'): text_type,
	Required('worker-type'): optionally_keyed_by('level', 'release-level', text_type),
	}
	},
	},
	Required('mac-notarization'): {
	Required('mac-behavior'):
	- optionally_keyed_by('project',
	+ optionally_keyed_by('project', 'shippable',
	Any('mac_notarize', 'mac_geckodriver', 'mac_sign',
	'mac_sign_and_pkg')),
	Required('mac-entitlements'):
	optionally_keyed_by('platform', 'release-level', text_type),
	},
	Required("taskgraph"): {
	Optional(
	"register",
	diff --git a/taskcluster/taskgraph/transforms/signing.py b/taskcluster/taskgraph/transforms/signing.py
	--- a/taskcluster/taskgraph/transforms/signing.py
	+++ b/taskcluster/taskgraph/transforms/signing.py
	@@ -179,17 +179,20 @@ def make_task_description(config, jobs):
	'shipping-product': job.get('shipping-product'),
	'shipping-phase': job.get('shipping-phase'),
	}

	if 'macosx' in build_platform:
	mac_behavior = evaluate_keyed_by(
	config.graph_config['mac-notarization']['mac-behavior'],
	'mac behavior',
	- {'project': config.params['project']},
	+ {
	+ 'project': config.params['project'],
	+ 'shippable': "shippable" in attributes and attributes["shippable"],
	+ },
	)
	if mac_behavior == 'mac_notarize':
	if 'part-1' in config.kind:
	mac_behavior = 'mac_notarize_part_1'
	elif config.kind.endswith('signing'):
	mac_behavior = 'mac_notarize_part_3'
	else:
	raise Exception("Unknown kind {} for mac_behavior!".format(config.kind))