Restrict invocation creation on public realm to tryjob access group

I.e. project-chromium-tryjob-access R=estaab,vadimsh Change-Id: I6c5fa75eac552408641b14db89ca49fd7257ffa2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353690 Auto-Submit: Roberto Carrillo <robertocn@chromium.org> Reviewed-by: Erik Staab <estaab@chromium.org> Commit-Queue: Erik Staab <estaab@chromium.org> Cr-Commit-Position: refs/heads/master@{#797522}

Restrict invocation creation on public realm to tryjob access group
I.e. project-chromium-tryjob-access R=estaab,vadimsh Change-Id: I6c5fa75eac552408641b14db89ca49fd7257ffa2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353690 Auto-Submit: Roberto Carrillo <robertocn@chromium.org> Reviewed-by: Erik Staab <estaab@chromium.org> Commit-Queue: Erik Staab <estaab@chromium.org> Cr-Commit-Position: refs/heads/master@{#797522}
9b80c3e4 · Roberto Carrillo · Commit Bot · dd4df755 · 9b80c3e4 · 9b80c3e4
Commit 9b80c3e4 authored Aug 13, 2020 by Roberto Carrillo Committed by Commit Bot Aug 13, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

infra/config/generated/realms.cfg infra/config/generated/realms.cfg +1 -1

infra/config/main.star infra/config/main.star +1 -1

No files found.
--- a/infra/config/generated/realms.cfg
+++ b/infra/config/generated/realms.cfg
@@ -152,7 +152,7 @@ realms {
  }
  bindings {
    role: "role/resultdb.invocationCreator"
-    principals: "group:all"
+    principals: "group:project-chromium-tryjob-access"
  }
 }
 realms {

--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -110,7 +110,7 @@ luci.realm(
        ),
        luci.binding(
            roles = "role/resultdb.invocationCreator",
-            groups = "all",
+            groups = "project-chromium-tryjob-access",
        ),
        # Other roles are inherited from @root which grants them to group:all.
    ],