infra: Give gardeners and chrome-gpu team ACL to pause CI schedulers

This gives the GPU team that owns some builders in chromium.ci the ACLs
needed to pause their schedulers. (Or at least, this _attempts_ to do
that. It's not 100% clear what ACL grants that ability.)

This also give gardeners the same ability, since it seems like that
might be useful.

Bug: None
Change-Id: Ic4aebd85ffca84c86a3c097dd476dce38542b567
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4632923
Reviewed-by: Erik Staab <estaab@chromium.org>
Reviewed-by: Garrett Beaty <gbeaty@google.com>
Commit-Queue: Ben Pastene <bpastene@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1160752}

This commit is contained in:

Ben Pastene

2023-06-21 18:17:44 +00:00

committed by

Chromium LUCI CQ

parent f418242f06

commit d126167aa1

2 changed files with 16 additions and 1 deletions

infra/config

generated

luci

realms.cfg

subprojects

chromium

ci.star

									
										6

infra/config/generated/luci/realms.cfg
									
				@ -93,6 +93,7 @@ realms {

				  bindings {

				    role: "role/buildbucket.triggerer"

				    principals: "group:mdb/chrome-active-sheriffs"

				    principals: "group:mdb/chrome-gpu"

				    principals: "group:project-chromium-ci-schedulers"

				    principals: "user:chrome-official-brancher@chops-service-accounts.iam.gserviceaccount.com"

				  }

				@ -100,6 +101,11 @@ realms {

				    role: "role/resultdb.invocationCreator"

				    principals: "group:project-chromium-ci-task-accounts"

				  }

				  bindings {

				    role: "role/scheduler.owner"

				    principals: "group:mdb/chrome-active-sheriffs"

				    principals: "group:mdb/chrome-gpu"

				  }

				  bindings {

				    role: "role/scheduler.triggerer"

				    principals: "group:project-chromium-scheduler-triggerers"

11

infra/config/subprojects/chromium/ci.star

 @ -28,10 +28,11 @@ luci.bucket(
             roles = acl.BUILDBUCKET_TRIGGERER,
             groups = [
                 "project-chromium-ci-schedulers",
                 # Allow currently-oncall sheriffs to cancel builds. Useful when
                 # Allow currently-oncall gardeners to cancel builds. Useful when
                 # a tree-closer is behind and hasn't picked up a needed revert
                 # or fix yet.
                 "mdb/chrome-active-sheriffs",
                 "mdb/chrome-gpu",
             ],
             users = [
                 # Allow chrome-release/branch builders on luci.chrome.official.infra
 @ -47,6 +48,14 @@ luci.bucket(
             roles = acl.SCHEDULER_TRIGGERER,
             groups = "project-chromium-scheduler-triggerers",
         ),
         acl.entry(
             roles = acl.SCHEDULER_OWNER,
             groups = [
                 # Allow currently-oncall gardeners to pause schedulers.
                 "mdb/chrome-active-sheriffs",
                 "mdb/chrome-gpu",
             ],
         ),
     ],
 )

infra: Give gardeners and chrome-gpu team ACL to pause CI schedulers

6 infra/config/generated/luci/realms.cfg

11 infra/config/subprojects/chromium/ci.star

6

infra/config/generated/luci/realms.cfg

11

infra/config/subprojects/chromium/ci.star