From 110e00ea9693e9feed3f6bb49cf7a9497440bca1 Mon Sep 17 00:00:00 2001 From: Victor Hugo Vianna Silva Date: Wed, 15 Oct 2025 17:46:28 +0100 Subject: [PATCH] Allow use of `led` via http://go/ciba Users who have the "Chrome Build Access" in go/ciba can now use the `led` CLI on libyuv bots. No-Try because the mac-asan bot is busted. I will use this to test the CL below ahead of submission. https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7043382 No-Try: True Change-Id: I33b488406f342fac4ff33d02e2c70cef2e50233c Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7046060 Reviewed-by: Wan-Teh Chang Commit-Queue: Victor Vianna Reviewed-by: Mirko Bonadei --- infra/config/cr-buildbucket.cfg | 30 +++++++++++++++++++++++++ infra/config/main.star | 40 +++++++++++++++++++++++++++++++++ infra/config/realms.cfg | 20 +++++++++++++++++ 3 files changed, 90 insertions(+) diff --git a/infra/config/cr-buildbucket.cfg b/infra/config/cr-buildbucket.cfg index 73a6d4929..3388f02fb 100644 --- a/infra/config/cr-buildbucket.cfg +++ b/infra/config/cr-buildbucket.cfg @@ -599,10 +599,25 @@ buckets { service_account: "libyuv-ci-builder@chops-service-accounts.iam.gserviceaccount.com" } } + shadow: "ci.shadow" constraints { pools: "luci.flex.ci" } } +buckets { + name: "ci.shadow" + acls { + role: WRITER + group: "project-libyuv-admins" + } + acls { + group: "all" + } + constraints { + pools: "luci.flex.ci" + } + dynamic_builder_template {} +} buckets { name: "cron" acls { @@ -1141,8 +1156,23 @@ buckets { service_account: "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com" } } + shadow: "try.shadow" constraints { pools: "luci.flex.try" service_accounts: "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com" } } +buckets { + name: "try.shadow" + acls { + role: WRITER + group: "project-libyuv-admins" + } + acls { + group: "all" + } + constraints { + pools: "luci.flex.try" + } + dynamic_builder_template {} +} diff --git a/infra/config/main.star b/infra/config/main.star index 801cc8f35..32e2505e4 100755 --- a/infra/config/main.star +++ b/infra/config/main.star @@ -172,6 +172,26 @@ luci.bucket( pools = ["luci.flex.ci"], ), ) +luci.bucket( + name = "ci.shadow", + shadows = "ci", + constraints = luci.bucket_constraints( + pools = ["luci.flex.ci"], + ), + bindings = [ + # For led permissions. + luci.binding( + roles = "role/buildbucket.creator", + groups = [ + "chromium-led-users", + "mdb/chrome-build-access-sphinx", + "mdb/chrome-troopers", + "mdb/foundry-x-team", + ], + ), + ], + dynamic = True, +) luci.bucket( name = "try", acls = [ @@ -187,6 +207,26 @@ luci.bucket( ], ), ) +luci.bucket( + name = "try.shadow", + shadows = "try", + constraints = luci.bucket_constraints( + pools = ["luci.flex.try"], + ), + bindings = [ + # For led permissions. + luci.binding( + roles = "role/buildbucket.creator", + groups = [ + "chromium-led-users", + "mdb/chrome-build-access-sphinx", + "mdb/chrome-troopers", + "mdb/foundry-x-team", + ], + ), + ], + dynamic = True, +) luci.bucket( name = "cron", ) diff --git a/infra/config/realms.cfg b/infra/config/realms.cfg index e275bdd1a..ba9b20b89 100644 --- a/infra/config/realms.cfg +++ b/infra/config/realms.cfg @@ -62,6 +62,16 @@ realms { } } } +realms { + name: "ci.shadow" + bindings { + role: "role/buildbucket.creator" + principals: "group:chromium-led-users" + principals: "group:mdb/chrome-build-access-sphinx" + principals: "group:mdb/chrome-troopers" + principals: "group:mdb/foundry-x-team" + } +} realms { name: "cron" bindings { @@ -81,3 +91,13 @@ realms { principals: "group:service-account-cq" } } +realms { + name: "try.shadow" + bindings { + role: "role/buildbucket.creator" + principals: "group:chromium-led-users" + principals: "group:mdb/chrome-build-access-sphinx" + principals: "group:mdb/chrome-troopers" + principals: "group:mdb/foundry-x-team" + } +}