Allow use of led via http://go/ciba

Users who have the "Chrome Build Access" in go/ciba can now use the `led` CLI on libyuv bots. No-Try because the mac-asan bot is busted. I will use this to test the CL below ahead of submission. https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7043382 No-Try: True Change-Id: I33b488406f342fac4ff33d02e2c70cef2e50233c Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7046060 Reviewed-by: Wan-Teh Chang <wtc@google.com> Commit-Queue: Victor Vianna <victorvianna@google.com> Reviewed-by: Mirko Bonadei <mbonadei@chromium.org>
2025-12-06 08:46:47 +08:00 · 2025-10-15 17:46:28 +01:00 · 2025-10-15 17:46:28 +01:00 · 110e00ea96
commit 110e00ea96
parent 613393324f
3 changed files with 90 additions and 0 deletions
--- a/infra/config/cr-buildbucket.cfg
+++ b/infra/config/cr-buildbucket.cfg
@ -599,10 +599,25 @@ buckets {
      service_account: "libyuv-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
    }
  }
+  shadow: "ci.shadow"
  constraints {
    pools: "luci.flex.ci"
  }
 }
+buckets {
+  name: "ci.shadow"
+  acls {
+    role: WRITER
+    group: "project-libyuv-admins"
+  }
+  acls {
+    group: "all"
+  }
+  constraints {
+    pools: "luci.flex.ci"
+  }
+  dynamic_builder_template {}
+}
 buckets {
  name: "cron"
  acls {
@ -1141,8 +1156,23 @@ buckets {
      service_account: "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
    }
  }
+  shadow: "try.shadow"
  constraints {
    pools: "luci.flex.try"
    service_accounts: "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
  }
 }
+buckets {
+  name: "try.shadow"
+  acls {
+    role: WRITER
+    group: "project-libyuv-admins"
+  }
+  acls {
+    group: "all"
+  }
+  constraints {
+    pools: "luci.flex.try"
+  }
+  dynamic_builder_template {}
+}
--- a/infra/config/main.star
+++ b/infra/config/main.star
@ -172,6 +172,26 @@ luci.bucket(
        pools = ["luci.flex.ci"],
    ),
 )
+luci.bucket(
+    name = "ci.shadow",
+    shadows = "ci",
+    constraints = luci.bucket_constraints(
+        pools = ["luci.flex.ci"],
+    ),
+    bindings = [
+        # For led permissions.
+        luci.binding(
+            roles = "role/buildbucket.creator",
+            groups = [
+                "chromium-led-users",
+                "mdb/chrome-build-access-sphinx",
+                "mdb/chrome-troopers",
+                "mdb/foundry-x-team",
+            ],
+        ),
+    ],
+    dynamic = True,
+)
 luci.bucket(
    name = "try",
    acls = [
@ -187,6 +207,26 @@ luci.bucket(
        ],
    ),
 )
+luci.bucket(
+    name = "try.shadow",
+    shadows = "try",
+    constraints = luci.bucket_constraints(
+        pools = ["luci.flex.try"],
+    ),
+    bindings = [
+        # For led permissions.
+        luci.binding(
+            roles = "role/buildbucket.creator",
+            groups = [
+                "chromium-led-users",
+                "mdb/chrome-build-access-sphinx",
+                "mdb/chrome-troopers",
+                "mdb/foundry-x-team",
+            ],
+        ),
+    ],
+    dynamic = True,
+)
 luci.bucket(
    name = "cron",
 )
--- a/infra/config/realms.cfg
+++ b/infra/config/realms.cfg
@ -62,6 +62,16 @@ realms {
    }
  }
 }
+realms {
+  name: "ci.shadow"
+  bindings {
+    role: "role/buildbucket.creator"
+    principals: "group:chromium-led-users"
+    principals: "group:mdb/chrome-build-access-sphinx"
+    principals: "group:mdb/chrome-troopers"
+    principals: "group:mdb/foundry-x-team"
+  }
+}
 realms {
  name: "cron"
  bindings {
@ -81,3 +91,13 @@ realms {
    principals: "group:service-account-cq"
  }
 }
+realms {
+  name: "try.shadow"
+  bindings {
+    role: "role/buildbucket.creator"
+    principals: "group:chromium-led-users"
+    principals: "group:mdb/chrome-build-access-sphinx"
+    principals: "group:mdb/chrome-troopers"
+    principals: "group:mdb/foundry-x-team"
+  }
+}