#!/usr/bin/env lucicfg
# Copyright 2019 The Flutter Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""
LUCI project configuration for the production instance of LUCI.
After modifying this file execute it ('./main.star') to regenerate the configs.
This file uses a Python-like syntax known as Starlark:
https://docs.bazel.build/versions/master/skylark/language.html
The documentation for lucicfg can be found here:
https://chromium.googlesource.com/infra/luci/luci-go/+/refs/heads/master/lucicfg/doc/README.md
"""
load("//lib/common.star", "common")
load("//lib/repos.star", "repos")
load("//cocoon_config.star", "cocoon_config")
load("//flutter_config.star", "flutter_config")
load("//recipes_config.star", "recipes_config")
load("//engine_config.star", "engine_config")
load("//infra_config.star", "infra_config")
load("//iostools_config.star", "iostools_config")
load("//packages_config.star", "packages_config")
# Require a minimum lucicfg version so the generated configs do not flip back
# and forth when someone regenerates them with an older lucicfg.
LUCICFG_VERSION = "1.32.1"
lucicfg.check_version(LUCICFG_VERSION)

# Use LUCI Scheduler BBv2 names and add Scheduler realms configs.
lucicfg.enable_experiment("crbug.com/1182002")

lucicfg.config(
    # Generated configs are written here; every file below it is tracked.
    config_dir = "generated/flutter",
    tracked_files = ["**/*"],
    # Warnings fail generation instead of being printed and ignored, so a
    # questionable ACL or lint finding cannot be merged unnoticed.
    fail_on_warnings = True,
    lint_checks = ["default"],
)
# Project-wide definition: service endpoints plus the ACLs and realm bindings
# that apply to the whole "flutter" LUCI project.
luci.project(
    name = "flutter",
    config_dir = "luci",
    buildbucket = "cr-buildbucket.appspot.com",
    logdog = "luci-logdog.appspot.com",
    milo = "luci-milo.appspot.com",
    scheduler = "luci-scheduler.appspot.com",
    swarming = "chromium-swarm.appspot.com",
    notify = "luci-notify.appspot.com",
    tricium = "tricium-prod.appspot.com",
    acls = [
        # Read-only visibility (builds, logs, project configs, scheduler
        # jobs) is granted to the "all" group, i.e. it is public.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_READER,
                acl.LOGDOG_READER,
                acl.PROJECT_CONFIGS_READER,
                acl.SCHEDULER_READER,
            ],
            groups = "all",
        ),
        # Trigger rights for the prod and staging scheduler groups.
        # NOTE(review): project-level ACL entries are inherited by every
        # bucket, so the staging schedulers group can presumably trigger
        # builds in the prod bucket as well; confirm that this is intended
        # and not broader than the per-bucket entries suggest.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_TRIGGERER,
                acl.SCHEDULER_TRIGGERER,
            ],
            groups = [
                "project-flutter-prod-schedulers",
                "project-flutter-staging-schedulers",
            ],
        ),
        # Owner roles are limited to the admins group.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_OWNER,
                acl.SCHEDULER_OWNER,
            ],
            groups = "project-flutter-admins",
        ),
        # Log writers.
        acl.entry(
            acl.LOGDOG_WRITER,
            groups = "luci-logdog-chromium-writers",
        ),
        # CQ commit and dry-run rights go to the try schedulers group.
        acl.entry(
            roles = [acl.CQ_COMMITTER, acl.CQ_DRY_RUNNER],
            groups = ["project-flutter-try-schedulers"],
        ),
    ],
    bindings = [
        # Task accounts of all three environments may validate configs.
        luci.binding(
            roles = "role/configs.validator",
            groups = [
                "project-flutter-try-task-accounts",
                "project-flutter-prod-task-accounts",
                "project-flutter-staging-task-accounts",
            ],
        ),
        luci.binding(
            roles = "role/swarming.poolOwner",
            groups = "project-flutter-admins",
        ),
        luci.binding(
            roles = "role/swarming.poolViewer",
            groups = "all",  # public
        ),
    ],
)
# Allow admins to use LED and "Debug" button on every builder and bot.
# Both bindings are attached to the @root realm, so they are not limited to
# a single pool or bucket.
luci.binding(
    realm = "@root",
    roles = "role/swarming.poolUser",
    groups = "project-flutter-admins",
)
luci.binding(
    realm = "@root",
    roles = "role/swarming.taskTriggerer",
    groups = "project-flutter-admins",
)

# These 4 pool security realms are effectively no-ops,
# as they inherit ACLs from the @root realm (defined via acls/bindings above).
# However, they are left here to ensure humans can search & find them,
# since they are referenced from LUCI's side of configs in `pools.cfg` file.
luci.realm(name = "pools/prod")
luci.realm(name = "pools/try")
luci.realm(name = "pools/staging")
luci.realm(name = "pools/tests")
def task_triggerers(*, pool_realm, builder_realms, users = None, groups = None, projects = "flutter"):
    """Grants the bindings needed to trigger tasks and subbuilds.

    Three bindings are emitted: swarming.poolUser on the pool realm, then
    swarming.taskTriggerer and buildbucket.creator on the builder realm(s).
    Only the pool binding receives `projects`; the two builder-realm
    bindings are granted to `users` and `groups` alone.

    Args:
      pool_realm: realm of the Swarming pool that tasks are submitted to.
      builder_realms: realm(s) of the builders that tasks and subbuilds are
        associated with.
      users: identities to grant the roles to, or None.
      groups: groups to grant the roles to, or None.
      projects: LUCI project(s) additionally allowed to use the pool.
    """

    # Allow submitting tasks to the pool.
    luci.binding(
        realm = pool_realm,
        roles = "role/swarming.poolUser",
        users = users,
        groups = groups,
        projects = projects,
    )

    # On the builder realm(s): first allow associating tasks with the realm,
    # then allow creating subbuilds.
    builder_roles = [
        "role/swarming.taskTriggerer",
        "role/buildbucket.creator",
    ]
    for builder_role in builder_roles:
        luci.binding(
            realm = builder_realms,
            roles = builder_role,
            users = users,
            groups = groups,
        )
# Permissions for prod builds to trigger subbuilds.
# The prod builder service account and the prod LED users group get the
# trigger roles; the "dart" project is also admitted to the prod pool.
task_triggerers(
    pool_realm = "pools/prod",
    builder_realms = ["prod"],
    users = ["flutter-prod-builder@chops-service-accounts.iam.gserviceaccount.com"],
    groups = ["project-flutter-led-prod-users"],
    projects = ["flutter", "dart"],
)

# Permissions to run LED jobs with try builds.
# `projects` is left at the helper's default ("flutter").
task_triggerers(
    pool_realm = "pools/try",
    builder_realms = ["try"],
    users = ["flutter-try-builder@chops-service-accounts.iam.gserviceaccount.com"],
    groups = [
        "project-flutter-led-users",
        "project-flutter-try-schedulers",
    ],
)

# Permissions to run LED jobs with staging builds.
# NOTE(review): unlike the prod and try calls, no builder service account is
# passed in `users` here; confirm staging builds do not need to trigger
# subbuilds themselves.
task_triggerers(
    pool_realm = "pools/staging",
    builder_realms = ["staging"],
    groups = [
        "project-flutter-led-users",
        "project-flutter-staging-schedulers",
    ],
    projects = ["flutter", "dart"],
)
# Storage bucket used by LogDog for this project.
luci.logdog(gs_bucket = "chromium-luci-logdog")

# Milo (build UI) branding assets.
luci.milo(
    logo = "https://storage.googleapis.com/chrome-infra-public/logo/flutter-logo.svg",
    favicon = "https://storage.googleapis.com/flutter_infra/favicon.ico",
)
# Production bucket: only the prod schedulers group is named here as a
# triggerer. Project-level ACLs apply in addition to these entries.
luci.bucket(
    name = "prod",
    acls = [
        acl.entry(
            acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-prod-schedulers",
        ),
        acl.entry(
            acl.SCHEDULER_TRIGGERER,
            groups = "project-flutter-prod-schedulers",
        ),
    ],
)

# Presubmit (try) bucket.
luci.bucket(
    name = "try",
    acls = [
        acl.entry(
            acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-try-schedulers",
        ),
    ],
)

# This shadow bucket is used to trigger a real Buildbucket build using led
# go/luci-how-to-led#new-trigger-a-real-buildbucket-build-using-led
# Try builds do not persist anything; the bucket is nevertheless constrained
# to the try pool and the try builder service account.
luci.bucket(
    name = "try.shadow",
    shadows = "try",
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.try"],
        service_accounts = ["flutter-try-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-try-schedulers",
        ),
    ],
    dynamic = True,
)

# Shadow of the prod bucket for led-triggered builds.
# NOTE(review): the constraints let builds here use the prod pool and the
# prod builder service account, so membership of the creator group below
# deserves the same scrutiny as prod trigger rights.
luci.bucket(
    name = "prod.shadow",
    shadows = "prod",
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.prod"],
        service_accounts = ["flutter-prod-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-prod-schedulers",
        ),
    ],
    dynamic = True,
)

# Shadow of the staging bucket, constrained to the staging pool and the
# staging builder service account.
luci.bucket(
    name = "staging.shadow",
    shadows = "staging",
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.staging"],
        service_accounts = ["flutter-staging-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-staging-schedulers",
        ),
    ],
    dynamic = True,
)

# Staging bucket.
luci.bucket(
    name = "staging",
    acls = [
        acl.entry(
            acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-staging-schedulers",
        ),
    ],
)
# CQ group configurations. Only FLUTTER_RECIPES is using
# LUCI CQ but we still need the CQ configurations for all
# the try configurations for led recipe tests.
common.cq_group(repos.FLUTTER_INFRA)

# Properties applied to every builder unless a builder overrides them.
luci.builder.defaults.properties.set({
    "$kitchen": {
        "emulate_gce": True,
    },
    "$flutter/goma": {
        "server": "rbe-prod1.endpoints.fuchsia-infra-goma-prod.cloud.goog",
    },
    "$flutter/rbe": {
        "instance": "projects/flutter-rbe-prod/instances/default",
        # The remote-execution container image is referenced by sha256
        # digest rather than by a mutable tag, so changing the build
        # environment requires a reviewed change to this file.
        "platform": "container-image=docker://gcr.io/cloud-marketplace/google/debian11@sha256:69e2789c9f3d28c6a0f13b25062c240ee7772be1f5e6d41bb4680b63eae6b304",
    },
    "$recipe_engine/isolated": {
        "server": "https://isolateserver.appspot.com",
    },
    "$recipe_engine/swarming": {
        "server": "https://chromium-swarm.appspot.com",
    },
    "mastername": "client.flutter",
    # Job counts are passed as strings, not integers.
    "goma_jobs": "200",
    "rbe_jobs": "200",
    # Package upload and clobbering are off by default.
    "upload_packages": False,
    "clobber": False,
})
############################ End Global Defaults ############################
# Register the builders of each sub-config. The calls run in the order
# written below.
cocoon_config.setup()

# While it doesn't make alphabetical sense, this ordering is kept temporarily.
flutter_config.setup()
engine_config.setup()
infra_config.setup()
iostools_config.setup()
packages_config.setup()
recipes_config.setup()
######################### Console Definitions #################################