[luci][realms] switch crashpad to LUCI security realms.

R=jperaza@chromium.org

Bug: chromium:1242890
Change-Id: Ic64f368bdb8b0efb74648ff2cc60836e3f0ad7e1
No-Try: True
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/3197578
Commit-Queue: Joshua Peraza <jperaza@chromium.org>
Reviewed-by: Joshua Peraza <jperaza@chromium.org>
GitOrigin-RevId: 4318922c9a4fb4636d19e36b8d2a2312216c7992
diff --git a/infra/config/generated/cr-buildbucket.cfg b/infra/config/generated/cr-buildbucket.cfg
index 9042dd9..6a0c463 100644
--- a/infra/config/generated/cr-buildbucket.cfg
+++ b/infra/config/generated/cr-buildbucket.cfg
@@ -38,6 +38,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_fuchsia_arm64_rel"
@@ -59,6 +63,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_fuchsia_x64_dbg"
@@ -79,6 +87,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_fuchsia_x64_rel"
@@ -99,6 +111,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_arm64_dbg"
@@ -123,6 +139,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_arm64_rel"
@@ -147,6 +167,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_x64_dbg"
@@ -170,6 +194,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_x64_rel"
@@ -193,6 +221,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_linux_x64_dbg"
@@ -213,6 +245,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_linux_x64_rel"
@@ -233,6 +269,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_mac_x64_dbg"
@@ -256,6 +296,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_mac_x64_rel"
@@ -279,6 +323,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_win_x64_dbg"
@@ -299,6 +347,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_win_x64_rel"
@@ -319,6 +371,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
   }
 }
@@ -363,6 +419,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_fuchsia_arm64_rel"
@@ -383,6 +443,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_fuchsia_x64_dbg"
@@ -402,6 +466,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_fuchsia_x64_rel"
@@ -421,6 +489,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_arm64_dbg"
@@ -444,6 +516,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_arm64_rel"
@@ -467,6 +543,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_x64_dbg"
@@ -489,6 +569,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_ios_x64_rel"
@@ -511,6 +595,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_linux_x64_dbg"
@@ -530,6 +618,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_linux_x64_rel"
@@ -549,6 +641,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_mac_x64_dbg"
@@ -571,6 +667,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_mac_x64_rel"
@@ -593,6 +693,10 @@
       }
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_win_x64_dbg"
@@ -612,6 +716,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "crashpad_win_x64_rel"
@@ -631,6 +739,10 @@
       execution_timeout_secs: 10800
       build_numbers: YES
       service_account: "crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
   }
 }
diff --git a/infra/config/generated/realms.cfg b/infra/config/generated/realms.cfg
new file mode 100644
index 0000000..4137730
--- /dev/null
+++ b/infra/config/generated/realms.cfg
@@ -0,0 +1,57 @@
+# Auto-generated by lucicfg.
+# Do not modify manually.
+#
+# For the schema of this file, see RealmsCfg message:
+#   https://luci-config.appspot.com/schemas/projects:realms.cfg
+
+realms {
+  name: "@root"
+  bindings {
+    role: "role/buildbucket.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/configs.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/logdog.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/scheduler.reader"
+    principals: "group:all"
+  }
+}
+realms {
+  name: "ci"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:crashpad-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.owner"
+    principals: "group:project-crashpad-admins"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "user:luci-scheduler@appspot.gserviceaccount.com"
+  }
+}
+realms {
+  name: "try"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:crashpad-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.owner"
+    principals: "group:project-crashpad-admins"
+    principals: "group:service-account-crashpad-cq"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "group:project-crashpad-tryjob-access"
+    principals: "group:service-account-cq"
+  }
+}
diff --git a/infra/config/main.star b/infra/config/main.star
old mode 100644
new mode 100755
index 280de79..fb8af22
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -13,6 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+lucicfg.check_version("1.28.0", "Please update depot_tools")
+
+# Enable LUCI Realms support.
+lucicfg.enable_experiment("crbug.com/1085650")
+
+# Launch 100% of Swarming tasks for builds in "realms-aware mode".
+luci.builder.defaults.experiments.set({"luci.use_realms": 100})
+
+
 luci.project(
     name = "crashpad",
     buildbucket = "cr-buildbucket.appspot.com",
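Review bot: The comment on `lucicfg.enable_experiment("crbug.com/1085650")` names only a bug id, and does not tell a maintainer that this switch appears to be what makes lucicfg emit the new `generated/realms.cfg`, whose role bindings realms-aware builds are authorized against. I would expand it to something like `# Enable LUCI Realms: lucicfg also emits realms.cfg (role bindings derived from the ACLs declared below); re-check that file whenever ACLs change.` The ACL declarations are not in this hunk, because the `luci.project(...)` call continues past it, so the derivation is inferred rather than visible here. Because `luci.builder.defaults.experiments.set({"luci.use_realms": 100})` applies to every ci and try builder at once, the generated bindings deserve an explicit comparison against the pre-realms ACLs before landing. Examples are the `group:all` readers on `@root` and `role/buildbucket.owner` for `group:service-account-crashpad-cq` in `try`.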