Declare "role/configs.validator" binding.

It defines who is allowed to call the LUCI Config validation API to
validate this LUCI project's configs. This is usually done by
presubmit jobs, and thus configs.validator role is assigned to
try job task accounts.

Previously this ACL was defined in the global "config-validation"
group. It is deprecated and being replaced with per-project ACLs
defined in per-project configs (like in this CL).

There's still a global ACL to allow any googler to call
the validation API in any LUCI project they are allowed to see.
Thus the per-project binding applies only to service accounts
(they are not googlers).

Note: this CL was generated semi-automatically and reviewers are
picked automatically based on the OWNERS file.

BUG=chromium:1068817
R=fbarchard@chromium.org

Change-Id: I26544e524cf5e900ab395ff5c440c10438723903
Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/3276689
Reviewed-by: Frank Barchard <fbarchard@chromium.org>
Commit-Queue: Vadim Shtayura <vadimsh@google.com>
Vadim Shtayura 2021-11-11 17:10:19 -08:00 committed by libyuv LUCI CQ
parent b3fc71c30a
commit b841549b14
2 changed files with 10 additions and 0 deletions


@ -64,6 +64,12 @@ luci.project(
acl.entry(acl.BUILDBUCKET_READER, groups = ["all"]),
acl.entry(acl.BUILDBUCKET_OWNER, groups = ["project-libyuv-admins"]),
],
bindings = [
luci.binding(
roles = "role/configs.validator",
users = "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com",
),
],
)
# Generates luci-logdog.cfg
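Review bot: the new `bindings = [...]` argument at the end of `luci.project(...)` has no comment saying why the try-builder service account holds `role/configs.validator`. A one-line comment above `luci.binding(` (for example, that presubmit try jobs call the LUCI Config validation API and that this replaces the global "config-validation" group) would let a later reader judge whether the grant is still needed. As a style point, `roles` and `users` are passed as bare strings while the `acl.entry` lines just above use list form (`groups = ["all"]`); using lists here too keeps the file consistent and makes adding a second account a one-line change.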


@ -18,6 +18,10 @@ realms {
role: "role/configs.reader"
principals: "group:all"
}
bindings {
role: "role/configs.validator"
principals: "user:libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
}
bindings {
role: "role/logdog.reader"
principals: "group:all"
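Review bot: the added `bindings { role: "role/configs.validator" ... }` block must stay in step with the `luci.binding(...)` declared in the first file, so please confirm this file was regenerated from that source rather than edited by hand. The principal string matches the account in the first hunk, but the hunk header shows only `realms {` and not the realm name, so it is worth checking that the binding landed in the realm you intended (presumably the project-wide one, since the source binding is declared on `luci.project`). The grant is to a single `user:` principal while the neighbouring bindings go to `group:all`; keeping it that narrow is the right scope for a validator role held by a service account.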