infra: Add shadow buckets to trigger led job This follows http://go/luci-how-to-led#new-trigger-a-real-buildbucket-build-using-led I'll use led to test recipe change. Bug: 433861937 Change-Id: Iab6cf9743cfcbab7503d9f0a98b0fe9f0271283c Reviewed-on: https://gn-review.googlesource.com/c/gn/+/19460 Reviewed-by: Sylvain Defresne <sdefresne@chromium.org> Commit-Queue: Takuto Ikuta <tikuta@google.com>
diff --git a/infra/config/generated/cr-buildbucket.cfg b/infra/config/generated/cr-buildbucket.cfg
index 01ab643..51c0ff6 100644
--- a/infra/config/generated/cr-buildbucket.cfg
+++ b/infra/config/generated/cr-buildbucket.cfg
@@ -73,6 +73,18 @@ } } } + shadow: "ci.shadow" +} +buckets { + name: "ci.shadow" + acls { + group: "all" + } + constraints { + pools: "luci.flex.ci" + service_accounts: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + } + dynamic_builder_template {} } buckets { name: "try" @@ -151,4 +163,16 @@ } } } + shadow: "try.shadow" +} +buckets { + name: "try.shadow" + acls { + group: "all" + } + constraints { + pools: "luci.flex.try" + service_accounts: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + } + dynamic_builder_template {} }
diff --git a/infra/config/generated/project.cfg b/infra/config/generated/project.cfg
index 0462da7..bb145a6 100644
--- a/infra/config/generated/project.cfg
+++ b/infra/config/generated/project.cfg
@@ -7,7 +7,7 @@ name: "gn" access: "group:all" lucicfg { - version: "1.45.3" + version: "1.45.6" package_dir: ".." config_dir: "generated" entry_point: "main.star"
diff --git a/infra/config/generated/realms.cfg b/infra/config/generated/realms.cfg
index e9445b7..b75c130 100644
--- a/infra/config/generated/realms.cfg
+++ b/infra/config/generated/realms.cfg
@@ -39,6 +39,17 @@ } } realms { + name: "ci.shadow" + bindings { + role: "role/buildbucket.builderServiceAccount" + principals: "user:gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + } + bindings { + role: "role/buildbucket.creator" + principals: "group:project-gn-committers" + } +} +realms { name: "try" bindings { role: "role/buildbucket.builderServiceAccount" @@ -54,3 +65,14 @@ principals: "group:flex-try-led-users" } } +realms { + name: "try.shadow" + bindings { + role: "role/buildbucket.builderServiceAccount" + principals: "user:gn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + } + bindings { + role: "role/buildbucket.creator" + principals: "group:project-gn-committers" + } +}
diff --git a/infra/config/main.star b/infra/config/main.star
index e988e49..0fb49df 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -89,6 +89,28 @@
 ),
 ])

+# Shadow bucket for led.
+luci.bucket(
+ name = "ci.shadow",
+ shadows = "ci",
+ constraints = luci.bucket_constraints(
+ pools = ["luci.flex.ci"],
+ service_accounts = [
+ "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com",
+ ],
+ ),
+ bindings = [
+ # for led permissions.
+ luci.binding(
+ roles = "role/buildbucket.creator",
+ groups = [
+ "project-gn-committers",
+ ],
+ ),
+ ],
+ dynamic = True,
+)
+
 def ci_builder(name, os, caches = None):
 builder(name, "ci", os, caches, triggered_by = ["gn-trigger"])
 luci.console_view_entry(
@@ -139,6 +161,28 @@
 ),
 ])

+# Shadow bucket for led.
+luci.bucket(
+ name = "try.shadow",
+ shadows = "try",
+ constraints = luci.bucket_constraints(
+ pools = ["luci.flex.try"],
+ service_accounts = [
+ "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com",
+ ],
+ ),
+ bindings = [
+ # for led permissions.
+ luci.binding(
+ roles = "role/buildbucket.creator",
+ groups = [
+ "project-gn-committers",
+ ],
+ ),
+ ],
+ dynamic = True,
+)
+
 luci.binding(
 realm = "try",
 roles = "role/swarming.taskTriggerer",
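Review bot: In the `ci.shadow` bucket the `service_accounts` constraint reuses `gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com`, and `role/buildbucket.creator` goes to `project-gn-committers` with `dynamic = True`, so a led build, which per the commit message is meant to carry an untested recipe change, runs under the CI builder's identity. What that account can reach outside the build is not visible in this diff; if it holds more than the try account does, a dedicated lower-privilege account for the shadow bucket would be the safer constraint. If the reuse is deliberate, the terse `# for led permissions.` could say so, e.g. `# Members can launch led builds that run unreviewed recipes as the CI builder account; keep this group narrow.` The same comment applies to the `try.shadow` hunk below.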
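Review bot: The `try.shadow` declaration repeats the `ci.shadow` one line for line apart from the bucket name, pool and service account, so a later change to the led binding has to be made twice and the two buckets' access rules can drift apart. A small helper defined above the first use (outside this hunk) would keep the creator binding in one place. The generated configs should come out unchanged, which rerunning lucicfg would confirm.

```starlark
def shadow_bucket(shadowed, pool, service_account):
    """Declares the led shadow bucket "<shadowed>.shadow"."""
    luci.bucket(
        name = shadowed + ".shadow",
        shadows = shadowed,
        constraints = luci.bucket_constraints(
            pools = [pool],
            service_accounts = [service_account],
        ),
        bindings = [
            # for led permissions.
            luci.binding(
                roles = "role/buildbucket.creator",
                groups = ["project-gn-committers"],
            ),
        ],
        dynamic = True,
    )

# … unchanged: the "try" bucket definition above this hunk …
shadow_bucket(
    "try",
    "luci.flex.try",
    "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com",
)
```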