# Copyright 2020 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Permissions for Chromium main swarming pools (CI, try, tests).

They are actually shared with a bunch of other projects.
"""

load("//lib/swarming.star", "swarming")
load("//project.star", "ACTIVE_MILESTONES")

# Set up permissions that apply to all Chromium pools.
swarming.root_permissions()

# Task accounts for isolated tests.
#
# For simplicity of configuration we allow *any* task in the project (in any
# realm) to run as any of these accounts. This is fine since all CI and Try
# builders trigger isolated tasks in an identical way, using identical accounts
# for isolated tests anyway.
#
# Note that this is declared on all branches, since task accounts "live" in a
# project they are defined in, so we need to declare them for per-milestone
# projects as well.
swarming.task_accounts(
    realm = "@root",  # i.e. inherited by all realms
    groups = [
        "project-chromium-test-task-accounts",
    ],
    users = [
        # TODO(crbug.com/793982): Migrate uses of this account to a dedicated
        # public test task account that's part of the group above, then delete
        # this.
        "ios-isolated-tester@chops-service-accounts.iam.gserviceaccount.com",
    ],
)

# LED users that can trigger tasks in *any* realm in *any* pool.
#
# This should be used relatively sparingly. Prefer to configure the permissions
# more precisely. E.g. see "chromium-led-users" below.
swarming.task_triggerers(
    builder_realm = "@root",
    pool_realm = "@root",
    groups = [
        "mdb/chrome-browser-infra",
    ],
)

# Realm with bots that run CI builds (aka main waterfall bots).
#
# The tasks here are triggered via Buildbucket (which authenticates as
# "project:<project that defines the bucket>"), so we enumerate projects
# (besides "project:chromium" itself) that are allowed to use Chromium CI pools
# in their Buildbucket configs (which are currently only per-milestone Chromium
# projects).
swarming.pool_realm(
    name = "pools/ci",
    projects = [details.project for details in ACTIVE_MILESTONES.values()],
)

swarming.task_triggerers(
    builder_realm = "ci",
    pool_realm = "pools/ci",
    groups = [
        "mdb/chrome-build-access-sphinx",
    ],
    users = [
        "chromium-ci-builder@chops-service-accounts.iam.gserviceaccount.com",
        # Used by Findit to re-run swarming tasks for bisection purposes.
        "findit-for-me@appspot.gserviceaccount.com",
    ],
)

# Realm with bots that run try builds.
#
# The tasks here are also triggered via Buildbucket. See comment above.
swarming.pool_realm(
    name = "pools/try",
    projects = [details.project for details in ACTIVE_MILESTONES.values()],
)

# LED users that can trigger try builds via LED.
swarming.task_triggerers(
    builder_realm = "try",
    pool_realm = "pools/try",
    groups = [
        "mdb/chrome-build-access-sphinx",
        # Prefer the above sphinx group for led access. But if folks outside
        # Chrome need access, can add them to chromium-led-users.
        "chromium-led-users",
    ],
    users = [
        # Build Recipes Tester launches orchestrator led builds, which need to
        # trigger compilator led builds.
        "chromium-orchestrator@chops-service-accounts.iam.gserviceaccount.com",
        # An account used by the "Build Recipes Tester" builder in the infra/try
        # bucket, used to test changes to Chromium recipes using LED before
        # commit.
        "infra-try-recipes-tester@chops-service-accounts.iam.gserviceaccount.com",
    ],
)

# Realm with bots that run isolated tests.
#
# Tasks here are triggered directly on Swarming (not via Buildbucket) by various
# CI and Try builders (not only Chromium ones!) and also directly by users.
swarming.pool_realm(
    name = "pools/tests",
    groups = [
        # Various Chromium CI and Try LUCI builders that trigger isolated tests.
        "project-chromium-ci-task-accounts",
        "project-chromium-findit-task-accounts",
        "project-chromium-try-task-accounts",
        # DevTools uses Chrome pools for Layout tests.
        "project-devtools-frontend-ci-task-accounts",
        "project-devtools-frontend-try-task-accounts",
        # V8 is reusing Chrome pools for isolated tests too.
        "project-v8-ci-task-accounts",
        "project-v8-try-task-accounts",
        # ... and WebRTC.
        "project-webrtc-ci-task-accounts",
        "project-webrtc-try-task-accounts",
        # ... and Angle.
        "project-angle-ci-task-accounts",
        "project-angle-try-task-accounts",
        # Used by Pinpoint to trigger bisect jobs on machines in the Chrome-GPU pool.
        "service-account-chromeperf",
    ],
    users = [
        # Skia uses this pool directly.
        "skia-external-ct-skps@skia-swarming-bots.iam.gserviceaccount.com",
        # TODO(borenet): Remove the below after we're fully switched to Kitchen.
        "chromium-swarm-bots@skia-swarming-bots.iam.gserviceaccount.com",
    ],
)

# Anyone with Chromium tryjob access can use isolate testers pool directly.
#
# We assume isolated tests triggered from a workstation go to the "try" realm,
# just like tasks triggered by try jobs.
swarming.task_triggerers(
    builder_realm = "try",
    pool_realm = "pools/tests",
    groups = ["project-chromium-tryjob-access"],
)

# A separate realm for mac-arm64 bots, since they have different permissions.
swarming.pool_realm(
    name = "pools/tests-mac-arm64",
    groups = [
        # Allow CI builders (mac*-arm64-rel-tests) to trigger tests.
        "project-chromium-ci-task-accounts",
        # V8 *CI* is using these Macs, too.
        "project-v8-ci-task-accounts",
    ],
)

# Users that can trigger mac-arm64 tasks.
swarming.task_triggerers(
    builder_realm = "try",
    pool_realm = "pools/tests-mac-arm64",
    groups = [
        # Allowlist of people working on the mac-arm64 project. Contact
        # srinivassista@ for access.
        "project-chromium-mac-arm64-tests-access",
    ],
)
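
Added example (Python, not part of the Chromium configuration): a simplified model of the `swarming.task_triggerers()` grants in this file that computes which principals can trigger tasks for a given builder realm and pool realm. It assumes only that a grant on `@root` applies to every realm, as the comments in the file state; the names `grant`, `effective_triggerers` and `broad_grants` are hypothetical, and `pool_realm()` and `task_accounts()` bindings are not modelled.

```python
from typing import NamedTuple

ROOT = "@root"  # assumption of this model: a grant on @root covers every realm
SA = "@chops-service-accounts.iam.gserviceaccount.com"

class Grant(NamedTuple):
    builder_realm: str
    pool_realm: str
    principals: frozenset

def grant(builder_realm, pool_realm, groups=(), users=()):
    # "group:" / "user:" prefixes keep the two principal kinds distinguishable.
    names = {"group:" + g for g in groups} | {"user:" + u for u in users}
    return Grant(builder_realm, pool_realm, frozenset(names))

# Transcribed from the swarming.task_triggerers() calls in the listing above.
GRANTS = [
    grant(ROOT, ROOT, groups=["mdb/chrome-browser-infra"]),
    grant("ci", "pools/ci",
          groups=["mdb/chrome-build-access-sphinx"],
          users=["chromium-ci-builder" + SA,
                 "findit-for-me@appspot.gserviceaccount.com"]),
    grant("try", "pools/try",
          groups=["mdb/chrome-build-access-sphinx", "chromium-led-users"],
          users=["chromium-orchestrator" + SA,
                 "infra-try-recipes-tester" + SA]),
    grant("try", "pools/tests", groups=["project-chromium-tryjob-access"]),
    grant("try", "pools/tests-mac-arm64",
          groups=["project-chromium-mac-arm64-tests-access"]),
]

def _covers(declared, actual):
    # A declared realm matches itself; @root matches any realm.
    return declared == ROOT or declared == actual

def effective_triggerers(builder_realm, pool_realm, grants=GRANTS):
    """Union of principals from every grant that covers this realm pair."""
    found = set()
    for g in grants:
        if _covers(g.builder_realm, builder_realm) and _covers(g.pool_realm, pool_realm):
            found |= g.principals
    return found

def broad_grants(grants=GRANTS):
    """Grants that use @root on either side; review these first."""
    return [g for g in grants if ROOT in (g.builder_realm, g.pool_realm)]
```

Under this model, `effective_triggerers("try", "pools/tests-mac-arm64")` returns the mac-arm64 allowlist group and also `mdb/chrome-browser-infra`, because the `@root` grant reaches the separate realm as well.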