build(deps): bump taskcluster from 99.2.0 to 100.0.1 in /tools

[dependabot]

Bumps taskcluster from 99.2.0 to 100.0.1.

Release notes

Sourced from taskcluster's releases.

v100.0.1

WORKER-DEPLOYERS

▶ [patch] #7388 Generic Worker (FreeBSD): taskcluster-proxy now cross-compiles for freebsd/amd64 and freebsd/arm64 again. The new connection-verification feature (--allowed-user / --allowed-network) only has darwin, linux, and windows implementations; on FreeBSD the proxy refuses to start if either flag is set. FreeBSD support for taskcluster-proxy is experimental.

This release also contains the changes for v100, which had a broken release. Here's v100's changelog:

v100.0.0

GENERAL

▶ [MAJOR] #8437 Removed docker-worker from the monorepo. Docker-worker has been decommissioned across Taskcluster deployments and is no longer released. The d2g translation layer remains, so generic-worker continues to accept the legacy docker-worker payload format on Linux and the docker-worker:* scope namespace is unchanged. Existing tasks using the docker-worker payload format continue to run unchanged on generic-worker.

Notes for deployers:

• The docker-worker worker-runner implementation has been removed; deployments must run generic-worker (or a third-party worker that uses the Queue's worker protocol). worker-runner's --help no longer lists docker-worker.
• The docker-worker entry has been removed from the task-creator UI's TASK_PAYLOAD_SCHEMAS map. Deployments that set SITE_SPECIFIC.tutorial_worker_schema to docker-worker should change it to a generic-worker schema key (e.g. generic-multi-posix on Linux, generic-multi-win on Windows). Deployments that did not set this variable now default to generic-multi-posix instead of docker-worker.
• The workers/docker-worker/ source tree is gone; deployments that built the docker-worker image themselves from this monorepo must source it from a docker-worker fork instead.
• The docker-worker payload schema has moved from workers/docker-worker/schemas/v1/payload.yml to tools/d2g/schemas/docker-worker/v1/payload.yml. The published service-schema URL (schemas/docker-worker/v1/payload.json) is unchanged, so consumers fetching the schema from a running deployment are unaffected.

DEPLOYERS

▶ [patch] #8569 Fix Azure worker registration in regions whose Azure IMDS attested-data leaf certificates have rotated to the new Microsoft TLS RSA Root G2 hierarchy (uksouth as of 2026-04-29; other regions follow as their leaves renew). The G2 root is bundled in worker-manager's azure CA store, so addIntermediateCert succeeds for the dynamically fetched Microsoft TLS G2 RSA CA OCSP NN intermediates and registerWorker returns 200 again.

WORKER-DEPLOYERS

▶ [minor] #7388 Generic Worker now supports running multiple tasks concurrently via the new capacity configuration option.

Configuration:

• capacity (uint8, default: 1, max: 255) - the number of tasks the worker will claim and execute in parallel.
• When capacity is 1, behavior is unchanged from previous releases.
• When capacity > 1, each task slot is allocated a block of 4 ports offset from the configured base ports (livelogPortBase, interactivePort, taskclusterProxyPort). Deployers must ensure these base ports are spaced far enough apart to avoid overlapping ranges. The worker validates this at startup and exits with an error if ranges collide.

Engine support:

• Insecure engine: supported.
• Multiuser engine: supported only when headlessTasks is enabled. Non-headless multiuser mode (which reboots between tasks) is restricted to capacity = 1.

Task isolation:

• Each concurrent task receives its own task directory under tasksDir, its own set of dynamically allocated ports for LiveLog, Interactive, and TaskclusterProxy, and (in multiuser mode) its own OS user.
• Caches and mounts are protected by per-cache read/write locks so that multiple tasks can read from the same cache concurrently while writes are serialized.
• Docker image loading (D2G) uses file-level locking so parallel tasks sharing the same image coordinate without redundant loads.
• In multiuser mode, TaskclusterProxy now verifies that incoming connections originate from the OS user running the task, preventing one task from accessing another task's credentials. This is implemented via /proc/net/tcp on Linux, lsof on macOS, and GetExtendedTcpTable on Windows. Note: in insecure mode, all tasks run as the same OS user, so UID-based connection verification is not possible; insecure mode with capacity > 1 does not provide credential isolation between concurrent tasks.

... (truncated)

Changelog

Sourced from taskcluster's changelog.

v100.0.1

WORKER-DEPLOYERS

▶ [patch] #7388 Generic Worker (FreeBSD): taskcluster-proxy now cross-compiles for freebsd/amd64 and freebsd/arm64 again. The new connection-verification feature (--allowed-user / --allowed-network) only has darwin, linux, and windows implementations; on FreeBSD the proxy refuses to start if either flag is set. FreeBSD support for taskcluster-proxy is experimental.

v100.0.0

GENERAL

▶ [MAJOR] #8437 Removed docker-worker from the monorepo. Docker-worker has been decommissioned across Taskcluster deployments and is no longer released. The d2g translation layer remains, so generic-worker continues to accept the legacy docker-worker payload format on Linux and the docker-worker:* scope namespace is unchanged. Existing tasks using the docker-worker payload format continue to run unchanged on generic-worker.

Notes for deployers:

• The docker-worker worker-runner implementation has been removed; deployments must run generic-worker (or a third-party worker that uses the Queue's worker protocol). worker-runner's --help no longer lists docker-worker.
• The docker-worker entry has been removed from the task-creator UI's TASK_PAYLOAD_SCHEMAS map. Deployments that set SITE_SPECIFIC.tutorial_worker_schema to docker-worker should change it to a generic-worker schema key (e.g. generic-multi-posix on Linux, generic-multi-win on Windows). Deployments that did not set this variable now default to generic-multi-posix instead of docker-worker.
• The workers/docker-worker/ source tree is gone; deployments that built the docker-worker image themselves from this monorepo must source it from a docker-worker fork instead.
• The docker-worker payload schema has moved from workers/docker-worker/schemas/v1/payload.yml to tools/d2g/schemas/docker-worker/v1/payload.yml. The published service-schema URL (schemas/docker-worker/v1/payload.json) is unchanged, so consumers fetching the schema from a running deployment are unaffected.

DEPLOYERS

▶ [patch] #8569 Fix Azure worker registration in regions whose Azure IMDS attested-data leaf certificates have rotated to the new Microsoft TLS RSA Root G2 hierarchy (uksouth as of 2026-04-29; other regions follow as their leaves renew). The G2 root is bundled in worker-manager's azure CA store, so addIntermediateCert succeeds for the dynamically fetched Microsoft TLS G2 RSA CA OCSP NN intermediates and registerWorker returns 200 again.

WORKER-DEPLOYERS

▶ [minor] #7388 Generic Worker now supports running multiple tasks concurrently via the new capacity configuration option.

Configuration:

• capacity (uint8, default: 1, max: 255) - the number of tasks the worker will claim and execute in parallel.
• When capacity is 1, behavior is unchanged from previous releases.
• When capacity > 1, each task slot is allocated a block of 4 ports offset from the configured base ports (livelogPortBase, interactivePort, taskclusterProxyPort). Deployers must ensure these base ports are spaced far enough apart to avoid overlapping ranges. The worker validates this at startup and exits with an error if ranges collide.

Engine support:

• Insecure engine: supported.
• Multiuser engine: supported only when headlessTasks is enabled. Non-headless multiuser mode (which reboots between tasks) is restricted to capacity = 1.

Task isolation:

• Each concurrent task receives its own task directory under tasksDir, its own set of dynamically allocated ports for LiveLog, Interactive, and TaskclusterProxy, and (in multiuser mode) its own OS user.
• Caches and mounts are protected by per-cache read/write locks so that multiple tasks can read from the same cache concurrently while writes are serialized.
• Docker image loading (D2G) uses file-level locking so parallel tasks sharing the same image coordinate without redundant loads.
• In multiuser mode, TaskclusterProxy now verifies that incoming connections originate from the OS user running the task, preventing one task from accessing another task's credentials. This is implemented via /proc/net/tcp on Linux, lsof on macOS, and GetExtendedTcpTable on Windows. Note: in insecure mode, all tasks run as the same OS user, so UID-based connection verification is not possible; insecure mode with capacity > 1 does not provide credential isolation between concurrent tasks.

Constraints:

... (truncated)

Commits

• fcf9d8e v100.0.1
• 00b01fb Merge pull request #8585 from taskcluster/matt-boris/freeBsdTcProxyFix
• b453303 fix(tc-proxy): stub freebsd connection verifier (fixes release build)
• 835240c v100.0.0
• 8977b1f Merge pull request #8577 from Eijebong/fix-intermittent-interactive
• be6a7e5 Merge pull request #8583 from taskcluster/matt-boris/formatBytesFractionalTes...
• 8483b4d Merge pull request #8582 from taskcluster/dependabot/npm_and_yarn/axios-1.16.0
• 676a614 build(deps): bump axios from 1.15.0 to 1.16.0
• c2acd1b fix(tests): fix fractional digit test
• fcf9a4e Merge pull request #8581 from Eijebong/fun-fact-the-ipv6-rfc-is-28-years-old
• Additional commits viewable in compare view