escapewindow/gist:87c8fe39aefd49ae35cc3673d31e95e9

## gistfile1.txt
Thanks for the work so far! I know this is a trickier thing to port.

diff --git a/taskcluster/ci/docker-image/kind.yml b/taskcluster/ci/docker-image/kind.yml
--- a/taskcluster/ci/docker-image/kind.yml
+++ b/taskcluster/ci/docker-image/kind.yml
@@ -27,8 +27,10 @@ jobs:
   index-task:
     symbol: I(idx)
   funsize-update-generator:
     symbol: I(pg)
   funsize-balrog-submitter:
     symbol: I(fbs)
   beet-mover:
     symbol: I(bm)
+  update-verify:
+    symbol: I(uv)
diff --git a/taskcluster/ci/release-update-verify/kind.yml b/taskcluster/ci/release-update-verify/kind.yml
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/release-update-verify/kind.yml
@@ -0,0 +1,49 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+loader: taskgraph.loader.transform:loader
+
+# TODO: we probably hove some of these?
+#kind-dependencies:

Yeah, our upstream. Once we have this, we can *possibly* add taskgraph.transforms.release_deps:transforms in our transforms list below, assuming both the upstream kind and this one have the product set appropriately.

+
+transforms:
+    #- taskgraph.transforms.update_verify:transforms
+    - taskgraph.transforms.task:transforms
+
+jobs:
+   update-verify:

We may want to call this "firefox". We'll need a separate set for "devedition"

+      #label: "{platform}-update-verify-{this_chunk}-{total_chunks}"
+      label: update-verify-placeholder
+      name: update-verify
+      description: update verify
+      worker-type: aws-provisioner-v1/gecko-{level}-b-linux
+      run-on-projects: []
+      worker:
+         implementation: docker-worker
+         os: linux
+         docker-image:
+            in-tree: "update-verify"
+         max-run-time: 7200
+         command:
+            - /bin/bash
+            - -c
+            - hg clone {release_config[build_tools_repo]} tools && cd tools && hg up -r $TAG && cd .. && tools/scripts/release/updates/chunked-verify.sh UNUSED UNUSED {total_chunks} {this_chunk}
+      notifications:
+         completed:
+            #subject: "{config[params][project]} {release_config[version]} build{release_config[build_number]} {platform} beta update verification {this_chunk}/{total_chunks}"
+            #message: "{config[params][project]} {release_config[version]} build{release_config[build_number]} {platform} beta update verification {this_chunk}/{total_chunks} completed successfully"
+            subject: fixme
+            message: fixme
+            ids:
+               by-project:
+                  maple:
+                     - "release-drivers-staging"
+                  try:
+                     #- "{task[tags][createdForUser]}"

This is a bad pattern we're copying: https://bugzilla.mozilla.org/show_bug.cgi?id=1412690#c58
Ideally Rok and I can address that sooner so we don't continue this.

+                  default:
+                     - "release-drivers"
+      extra:
+          product: firefox
+      attributes:
+          kind: release-update-verify
diff --git a/taskcluster/docker/update-verify/Dockerfile b/taskcluster/docker/update-verify/Dockerfile
new file mode 100644
--- /dev/null
+++ b/taskcluster/docker/update-verify/Dockerfile
@@ -0,0 +1,11 @@
+FROM python:2-slim-stretch
+
+MAINTAINER release@mozilla.com
+
+RUN apt-get -q update \
+    # p7zip-full is for extracting Windows and OS X packages
+    # Mercurial and Git are for cloning required repositories
+    # wget is for downloading update.xml, installers, and MARs
+    # libgtk-3-0 is required to run the Firefox updater
+    && apt-get -q --yes install p7zip-full git mercurial wget libgtk-3-0 \
+    && apt-get clean
diff --git a/taskcluster/docs/kinds.rst b/taskcluster/docs/kinds.rst
--- a/taskcluster/docs/kinds.rst
+++ b/taskcluster/docs/kinds.rst
@@ -234,16 +234,20 @@ Submits bouncer updates for releases.
 release-mark-as-shipped
 -----------------------
 Marks releases as shipped in Ship-It.

 release-bouncer-aliases
 ------------------------------
 Update Bouncers (download.mozilla.org) "latest" aliases.

+release-update-verify
+---------------------
+todo
+
 release-uptake-monitoring
 -------------------------
 Run uptake monitoring for releases.

 release-version-bump
 --------------------
 Bumps to the next version.

diff --git a/taskcluster/taskgraph/target_tasks.py b/taskcluster/taskgraph/target_tasks.py
--- a/taskcluster/taskgraph/target_tasks.py
+++ b/taskcluster/taskgraph/target_tasks.py
@@ -311,16 +311,17 @@ def target_tasks_mozilla_beta_desktop_pr

     beta_tasks = [l for l, t in full_task_graph.tasks.iteritems() if
                   filter_beta_release_tasks(t, parameters,
                                             ignore_kinds=[],
                                             allow_l10n=True)]
     allow_kinds = [
         'build', 'build-signing', 'repackage', 'repackage-signing',
         'nightly-l10n', 'nightly-l10n-signing', 'repackage-l10n',
+        'release-update-verify'
     ]

I don't think this will do anything, since release-update-verify has run-on-projects set to []. That's why we have the additional block to explicitly add certain kinds below.

     def filter(task):
         platform = task.attributes.get('build_platform')

         # Android has its own promotion.
         if platform and 'android' in platform:
             return False
@@ -329,16 +330,18 @@ def target_tasks_mozilla_beta_desktop_pr
             return False

         # Allow for beta_tasks; these will get optimized out to point to
         # the previous graph using ``previous_graph_ids`` and
         # ``previous_graph_kinds``.
         if task.label in beta_tasks:
             return True

+        if task.kind in ('release-update-verify',):
+            return True

This looks good, except we will likely have devedition release-update-verify at some point, and we don't want devedition update-verify to run during firefox graphs or vice versa. Let's filter by product as well... examples are in the fennec target_tasks_methods.

         # TODO: partner repacks
         # TODO: source task
         # TODO: funsize, all but balrog submission
         # TODO: bbb update verify
         # TODO: tc update verify
         # TODO: beetmover push-to-candidates
         # TODO: binary transparency
         # TODO: bouncer sub
	Thanks for the work so far! I know this is a trickier thing to port.

	diff --git a/taskcluster/ci/docker-image/kind.yml b/taskcluster/ci/docker-image/kind.yml
	--- a/taskcluster/ci/docker-image/kind.yml
	+++ b/taskcluster/ci/docker-image/kind.yml
	@@ -27,8 +27,10 @@ jobs:
	index-task:
	symbol: I(idx)
	funsize-update-generator:
	symbol: I(pg)
	funsize-balrog-submitter:
	symbol: I(fbs)
	beet-mover:
	symbol: I(bm)
	+ update-verify:
	+ symbol: I(uv)
	diff --git a/taskcluster/ci/release-update-verify/kind.yml b/taskcluster/ci/release-update-verify/kind.yml
	new file mode 100644
	--- /dev/null
	+++ b/taskcluster/ci/release-update-verify/kind.yml
	@@ -0,0 +1,49 @@
	+# This Source Code Form is subject to the terms of the Mozilla Public
	+# License, v. 2.0. If a copy of the MPL was not distributed with this
	+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
	+
	+loader: taskgraph.loader.transform:loader
	+
	+# TODO: we probably hove some of these?
	+#kind-dependencies:

	Yeah, our upstream. Once we have this, we can possibly add taskgraph.transforms.release_deps:transforms in our transforms list below, assuming both the upstream kind and this one have the product set appropriately.

	+
	+transforms:
	+ #- taskgraph.transforms.update_verify:transforms
	+ - taskgraph.transforms.task:transforms
	+
	+jobs:
	+ update-verify:

	We may want to call this "firefox". We'll need a separate set for "devedition"

	+ #label: "{platform}-update-verify-{this_chunk}-{total_chunks}"
	+ label: update-verify-placeholder
	+ name: update-verify
	+ description: update verify
	+ worker-type: aws-provisioner-v1/gecko-{level}-b-linux
	+ run-on-projects: []
	+ worker:
	+ implementation: docker-worker
	+ os: linux
	+ docker-image:
	+ in-tree: "update-verify"
	+ max-run-time: 7200
	+ command:
	+ - /bin/bash
	+ - -c
	+ - hg clone {release_config[build_tools_repo]} tools && cd tools && hg up -r $TAG && cd .. && tools/scripts/release/updates/chunked-verify.sh UNUSED UNUSED {total_chunks} {this_chunk}
	+ notifications:
	+ completed:
	+ #subject: "{config[params][project]} {release_config[version]} build{release_config[build_number]} {platform} beta update verification {this_chunk}/{total_chunks}"
	+ #message: "{config[params][project]} {release_config[version]} build{release_config[build_number]} {platform} beta update verification {this_chunk}/{total_chunks} completed successfully"
	+ subject: fixme
	+ message: fixme
	+ ids:
	+ by-project:
	+ maple:
	+ - "release-drivers-staging"
	+ try:
	+ #- "{task[tags][createdForUser]}"

	This is a bad pattern we're copying: https://bugzilla.mozilla.org/show_bug.cgi?id=1412690#c58
	Ideally Rok and I can address that sooner so we don't continue this.

	+ default:
	+ - "release-drivers"
	+ extra:
	+ product: firefox
	+ attributes:
	+ kind: release-update-verify
	diff --git a/taskcluster/docker/update-verify/Dockerfile b/taskcluster/docker/update-verify/Dockerfile
	new file mode 100644
	--- /dev/null
	+++ b/taskcluster/docker/update-verify/Dockerfile
	@@ -0,0 +1,11 @@
	+FROM python:2-slim-stretch
	+
	+MAINTAINER release@mozilla.com
	+
	+RUN apt-get -q update \
	+ # p7zip-full is for extracting Windows and OS X packages
	+ # Mercurial and Git are for cloning required repositories
	+ # wget is for downloading update.xml, installers, and MARs
	+ # libgtk-3-0 is required to run the Firefox updater
	+ && apt-get -q --yes install p7zip-full git mercurial wget libgtk-3-0 \
	+ && apt-get clean
	diff --git a/taskcluster/docs/kinds.rst b/taskcluster/docs/kinds.rst
	--- a/taskcluster/docs/kinds.rst
	+++ b/taskcluster/docs/kinds.rst
	@@ -234,16 +234,20 @@ Submits bouncer updates for releases.
	release-mark-as-shipped
	-----------------------
	Marks releases as shipped in Ship-It.

	release-bouncer-aliases
	------------------------------
	Update Bouncers (download.mozilla.org) "latest" aliases.

	+release-update-verify
	+---------------------
	+todo
	+
	release-uptake-monitoring
	-------------------------
	Run uptake monitoring for releases.

	release-version-bump
	--------------------
	Bumps to the next version.

	diff --git a/taskcluster/taskgraph/target_tasks.py b/taskcluster/taskgraph/target_tasks.py
	--- a/taskcluster/taskgraph/target_tasks.py
	+++ b/taskcluster/taskgraph/target_tasks.py
	@@ -311,16 +311,17 @@ def target_tasks_mozilla_beta_desktop_pr

	beta_tasks = [l for l, t in full_task_graph.tasks.iteritems() if
	filter_beta_release_tasks(t, parameters,
	ignore_kinds=[],
	allow_l10n=True)]
	allow_kinds = [
	'build', 'build-signing', 'repackage', 'repackage-signing',
	'nightly-l10n', 'nightly-l10n-signing', 'repackage-l10n',
	+ 'release-update-verify'
	]

	I don't think this will do anything, since release-update-verify has run-on-projects set to []. That's why we have the additional block to explicitly add certain kinds below.

	def filter(task):
	platform = task.attributes.get('build_platform')

	# Android has its own promotion.
	if platform and 'android' in platform:
	return False
	@@ -329,16 +330,18 @@ def target_tasks_mozilla_beta_desktop_pr
	return False

	# Allow for beta_tasks; these will get optimized out to point to
	# the previous graph using ``previous_graph_ids`` and
	# ``previous_graph_kinds``.
	if task.label in beta_tasks:
	return True

	+ if task.kind in ('release-update-verify',):
	+ return True

	This looks good, except we will likely have devedition release-update-verify at some point, and we don't want devedition update-verify to run during firefox graphs or vice versa. Let's filter by product as well... examples are in the fennec target_tasks_methods.

	# TODO: partner repacks
	# TODO: source task
	# TODO: funsize, all but balrog submission
	# TODO: bbb update verify
	# TODO: tc update verify
	# TODO: beetmover push-to-candidates
	# TODO: binary transparency
	# TODO: bouncer sub