Attempt to fix `led` ACLs for testing recipe changes.
It looks like we need to grant some more permissions in order
to be able to run `led` and test recipe changes against our
builders.
Bug: 1260171
Change-Id: Iac7cc49fe8fa433e6bbc6e9fa5cd01e8eb8c78c0
Reviewed-on: https://chromium-review.googlesource.com/c/experimental/website/+/3238585
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>
Commit-Queue: Dirk Pranke <dpranke@google.com>
diff --git a/infra/config/generated/realms.cfg b/infra/config/generated/realms.cfg
index 967d5ac..a5d8c19 100644
--- a/infra/config/generated/realms.cfg
+++ b/infra/config/generated/realms.cfg
@@ -37,6 +37,10 @@
role: "role/buildbucket.builderServiceAccount"
principals: "user:chromium-website-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
}
+ bindings {
+ role: "role/swarming.taskTriggerer"
+ principals: "group:flex-ci-led-users"
+ }
}
realms {
name: "try"
@@ -49,4 +53,8 @@
principals: "group:project-chromium-website-tryjob-access"
principals: "group:service-account-cq"
}
+ bindings {
+ role: "role/swarming.taskTriggerer"
+ principals: "group:flex-try-led-users"
+ }
}
diff --git a/infra/config/main.star b/infra/config/main.star
index a590715..b86b771 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -118,6 +118,11 @@
),
])
+luci.binding(
+ realm = "ci",
+ roles = "role/swarming.taskTriggerer",
+ groups = "flex-ci-led-users",
+)
luci.builder(
name = "chromium-website-ci-builder",
@@ -177,6 +182,11 @@
),
])
+luci.binding(
+ realm = "try",
+ roles = "role/swarming.taskTriggerer",
+ groups = "flex-try-led-users",
+)
luci.builder(
name = "chromium-website-try-builder",
