commit ed5c03b0b9a278fcf02cbec437dce4b5f29fbfc9
author Vadim Shtayura <vadimsh@google.com> Fri Nov 12 14:36:06 2021 +0000
committer Marc-Antoine Ruel <maruel@google.com> Fri Nov 12 14:36:06 2021 +0000
tree c915395e0e1ed31b96fb0cd683517055d2ba949f
parent c3a62a9469129445e4b377946d170a7b4553bc49

Declare "role/configs.validator" binding.

It defines who is allowed to call LUCI Config validation API to
validate this LUCI project's configs. This is usually done by
presubmit jobs, and thus configs.validator role is assigned to
try job task accounts.

Previously this ACL was defined in the global "config-validation"
group. It is deprecated and being replaced with per-project ACLs
defined in per-project configs (like in this CL).

There's still a global ACL to allow any googler to call
the validation API in any LUCI project they are allowed to see.
Thus the per-project binding applies only to service accounts
(they are not googlers).

Note: this CL was generated semi-automatically and reviewers are
picked automatically based on OWNERS file.

BUG=chromium:1068817
R=kjharland@google.com, maruel@google.com

Change-Id: Ibb5ece819f2d443c1d0521bcb8943559fa6f95d1
Reviewed-on: https://fuchsia-review.googlesource.com/c/infra/config/+/605576
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>

main.star

diff --git a/main.star b/main.star
index 3ca57f3..de85c7a 100755
--- a/main.star
+++ b/main.star
@@ -57,6 +57,12 @@
             ),
             acl.entry(roles = [acl.PROJECT_CONFIGS_READER], groups = ["all"]),
         ],
+        bindings = [
+            luci.binding(
+                roles = "role/configs.validator",
+                groups = ["project-fuchsia-config-validation"],
+            ),
+        ],
     )
 
     luci.cq_group(

repositories/cobalt/project.cfg

diff --git a/repositories/cobalt/project.cfg b/repositories/cobalt/project.cfg
index cece6fa..922224d 100644
--- a/repositories/cobalt/project.cfg
+++ b/repositories/cobalt/project.cfg
@@ -7,7 +7,7 @@
 name: "fuchsia-cobalt"
 access: "group:all"
 lucicfg {
-  version: "1.29.1"
+  version: "1.30.1"
   package_dir: "../.."
   config_dir: "repositories/cobalt"
   entry_point: "main.star"

repositories/cobalt/realms.cfg

diff --git a/repositories/cobalt/realms.cfg b/repositories/cobalt/realms.cfg
index f652aaf..ef713fa 100644
--- a/repositories/cobalt/realms.cfg
+++ b/repositories/cobalt/realms.cfg
@@ -11,6 +11,10 @@
     principals: "group:all"
   }
   bindings {
+    role: "role/configs.validator"
+    principals: "group:project-fuchsia-config-validation"
+  }
+  bindings {
     role: "role/cq.committer"
     principals: "group:project-fuchsia-committers"
   }

repositories/fuchsia/project.cfg

diff --git a/repositories/fuchsia/project.cfg b/repositories/fuchsia/project.cfg
index dfa102a..ae3d2ae 100644
--- a/repositories/fuchsia/project.cfg
+++ b/repositories/fuchsia/project.cfg
@@ -7,7 +7,7 @@
 name: "fuchsia-fuchsia"
 access: "group:all"
 lucicfg {
-  version: "1.29.1"
+  version: "1.30.1"
   package_dir: "../.."
   config_dir: "repositories/fuchsia"
   entry_point: "main.star"

repositories/fuchsia/realms.cfg

diff --git a/repositories/fuchsia/realms.cfg b/repositories/fuchsia/realms.cfg
index f652aaf..ef713fa 100644
--- a/repositories/fuchsia/realms.cfg
+++ b/repositories/fuchsia/realms.cfg
@@ -11,6 +11,10 @@
     principals: "group:all"
   }
   bindings {
+    role: "role/configs.validator"
+    principals: "group:project-fuchsia-config-validation"
+  }
+  bindings {
     role: "role/cq.committer"
     principals: "group:project-fuchsia-committers"
   }

repositories/infra/recipes/project.cfg

diff --git a/repositories/infra/recipes/project.cfg b/repositories/infra/recipes/project.cfg
index 0bde876..e584b4e 100644
--- a/repositories/infra/recipes/project.cfg
+++ b/repositories/infra/recipes/project.cfg
@@ -7,7 +7,7 @@
 name: "fuchsia-infra-recipes"
 access: "group:all"
 lucicfg {
-  version: "1.29.1"
+  version: "1.30.1"
   package_dir: "../../.."
   config_dir: "repositories/infra/recipes"
   entry_point: "main.star"

repositories/infra/recipes/realms.cfg

diff --git a/repositories/infra/recipes/realms.cfg b/repositories/infra/recipes/realms.cfg
index f652aaf..ef713fa 100644
--- a/repositories/infra/recipes/realms.cfg
+++ b/repositories/infra/recipes/realms.cfg
@@ -11,6 +11,10 @@
     principals: "group:all"
   }
   bindings {
+    role: "role/configs.validator"
+    principals: "group:project-fuchsia-config-validation"
+  }
+  bindings {
     role: "role/cq.committer"
     principals: "group:project-fuchsia-committers"
   }

repositories/tools/project.cfg

diff --git a/repositories/tools/project.cfg b/repositories/tools/project.cfg
index 4d53b4a..181504c 100644
--- a/repositories/tools/project.cfg
+++ b/repositories/tools/project.cfg
@@ -7,7 +7,7 @@
 name: "fuchsia-tools"
 access: "group:all"
 lucicfg {
-  version: "1.29.1"
+  version: "1.30.1"
   package_dir: "../.."
   config_dir: "repositories/tools"
   entry_point: "main.star"

repositories/tools/realms.cfg

diff --git a/repositories/tools/realms.cfg b/repositories/tools/realms.cfg
index f652aaf..ef713fa 100644
--- a/repositories/tools/realms.cfg
+++ b/repositories/tools/realms.cfg
@@ -11,6 +11,10 @@
     principals: "group:all"
   }
   bindings {
+    role: "role/configs.validator"
+    principals: "group:project-fuchsia-config-validation"
+  }
+  bindings {
     role: "role/cq.committer"
     principals: "group:project-fuchsia-committers"
   }