Make gatekeeper recipe hermetic for LUCI

This CL makes a number of changes to the gatekeeper recipe
and recipe module to make it deployable on LUCI:
* It copies the JSON configuration files to be recipe resources
  so that they don't have to be tagged for bundling using
* It copies the helper libraries (build_scan, auth) into the
  recipe resources so that they can be self-contained.
* It adds a vpython environment file so that the gatekeeper_ng
  script can be run in a hermetic environment.
* It updates the python scripts to use LUCI's ambient auth
  credentials, so it doesn't rely (as much) on statically
  deployed credential files.
* It modifies the recipe to call the new hermetic version of
  gatekeeper_ng, and read the new config files.

This CL will be accompanied by an internal CL which makes
corresponding changes to the gatekeeper_internal recipe. It
will be followed by a CL which deletes the old versions of
the gatekeeper scripts and configs.

Bug: 853854
Recipe-Nontrivial-Roll: build_limited_scripts_slave
Change-Id: I0b6cfdaa98800bc239ff38a7a9eec689e5f80bf4
Commit-Queue: Aaron Gable <>
Reviewed-by: Sean McCullough <>
Reviewed-by: Robbie Iannucci <>
27 files changed
tree: 6434e2d74e40ade99a8b5b2437a35f310b4e09a0
  1. .gitattributes
  2. .gitignore
  3. .vpython
  4. DEPS
  10. codereview.settings
  12. infra/
  13. masters/
  14. scripts/
  15. site_config/
  16. slave/
  17. tests/
  18. third_party/


Hi build contributor! If you do any change in scripts/master/ or touching any master's html/ directories, you must restart first and ensure that it still works before restarting other masters.


If you're here to make a change to ‘recipes’ (the code located in scripts/slave/recipes*), please take a look at the README for more information pertaining to recipes.