| #!/usr/bin/env lucicfg |
| # Copyright 2019 The Flutter Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| """ |
| LUCI project configuration for the production instance of LUCI. |
| |
| After modifying this file execute it ('./main.star') to regenerate the configs. |
| |
| This file uses a Python-like syntax known as Starlark: |
| https://docs.bazel.build/versions/master/skylark/language.html |
| |
| The documentation for lucicfg can be found here: |
| https://chromium.googlesource.com/infra/luci/luci-go/+/refs/heads/master/lucicfg/doc/README.md |
| """ |
| |
| load("//lib/common.star", "common") |
| load("//lib/repos.star", "repos") |
| load("//cocoon_config.star", "cocoon_config") |
| load("//flutter_config.star", "flutter_config") |
| load("//recipes_config.star", "recipes_config") |
| load("//engine_config.star", "engine_config") |
| load("//infra_config.star", "infra_config") |
| load("//iostools_config.star", "iostools_config") |
| load("//packages_config.star", "packages_config") |
| |
# Pin the lucicfg version so that configs are not flipped back and forth by
# someone regenerating them with a lower-version lucicfg.
LUCICFG_VERSION = "1.32.1"
lucicfg.check_version(LUCICFG_VERSION)

# Use LUCI Scheduler BBv2 names and add Scheduler realms configs.
lucicfg.enable_experiment("crbug.com/1182002")

# Output goes to generated/flutter and every file there is tracked. Lint
# warnings fail the run, so a questionable config cannot be regenerated and
# committed unnoticed.
lucicfg.config(
    lint_checks = ["default"],
    fail_on_warnings = True,
    tracked_files = ["**/*"],
    config_dir = "generated/flutter",
)
| |
luci.project(
    name = "flutter",
    config_dir = "luci",

    # LUCI service hosts used by this project.
    buildbucket = "cr-buildbucket.appspot.com",
    logdog = "luci-logdog.appspot.com",
    milo = "luci-milo.appspot.com",
    notify = "luci-notify.appspot.com",
    scheduler = "luci-scheduler.appspot.com",
    swarming = "chromium-swarm.appspot.com",
    tricium = "tricium-prod.appspot.com",

    # Project-wide ACLs; buckets and realms declared later add to these.
    acls = [
        # Read-only roles for the "all" group: builds, logs, project configs
        # and scheduler jobs are public, so build output must not contain
        # secrets.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_READER,
                acl.LOGDOG_READER,
                acl.PROJECT_CONFIGS_READER,
                acl.SCHEDULER_READER,
            ],
            groups = "all",
        ),
        # Scheduler groups for prod and staging may trigger builds and jobs.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_TRIGGERER,
                acl.SCHEDULER_TRIGGERER,
            ],
            groups = [
                "project-flutter-prod-schedulers",
                "project-flutter-staging-schedulers",
            ],
        ),
        # Owner roles are held by the admin group only.
        acl.entry(
            roles = [
                acl.BUILDBUCKET_OWNER,
                acl.SCHEDULER_OWNER,
            ],
            groups = "project-flutter-admins",
        ),
        # Log writing is limited to the LogDog writers group.
        acl.entry(
            roles = acl.LOGDOG_WRITER,
            groups = "luci-logdog-chromium-writers",
        ),
        # CQ commit and dry-run rights for the try schedulers group.
        acl.entry(
            roles = [acl.CQ_COMMITTER, acl.CQ_DRY_RUNNER],
            groups = ["project-flutter-try-schedulers"],
        ),
    ],

    # Realm bindings attached to the project itself.
    bindings = [
        # Task accounts of all three environments get the config validator
        # role.
        luci.binding(
            roles = "role/configs.validator",
            groups = [
                "project-flutter-try-task-accounts",
                "project-flutter-prod-task-accounts",
                "project-flutter-staging-task-accounts",
            ],
        ),
        # Pool ownership stays with the admins.
        luci.binding(
            roles = "role/swarming.poolOwner",
            groups = "project-flutter-admins",
        ),
        luci.binding(
            roles = "role/swarming.poolViewer",
            groups = "all",  # public
        ),
    ],
)
| |
# Allow admins to use LED and the "Debug" button on every builder and bot.
# Both bindings live in @root, so they apply project-wide: membership of
# project-flutter-admins is the control that matters here.
luci.binding(
    roles = "role/swarming.poolUser",
    realm = "@root",
    groups = "project-flutter-admins",
)
luci.binding(
    roles = "role/swarming.taskTriggerer",
    realm = "@root",
    groups = "project-flutter-admins",
)

# The four pool realms below are effectively no-ops: they inherit their ACLs
# from the @root realm (the acls/bindings declared above). They are spelled
# out anyway so that humans can search for and find them, because LUCI's side
# of the configs refers to them from the `pools.cfg` file.
luci.realm(name = "pools/prod")
luci.realm(name = "pools/try")
luci.realm(name = "pools/staging")
luci.realm(name = "pools/tests")
| |
def task_triggerers(*, pool_realm, builder_realms, users = None, groups = None, projects = "flutter"):
    """Declares the bindings needed to trigger tasks and sub-builds.

    Three bindings are declared, in this order:
      1. role/swarming.poolUser in `pool_realm` for users, groups and projects.
      2. role/swarming.taskTriggerer in `builder_realms` for users and groups.
      3. role/buildbucket.creator in `builder_realms` for users and groups.

    Args:
      pool_realm: realm of the pool that tasks may be submitted to.
      builder_realms: realm(s) the tasks and sub-builds are associated with.
      users: accounts that receive all three roles.
      groups: groups that receive all three roles.
      projects: LUCI projects that receive the pool-user role only; they are
        not passed to the two builder-realm bindings.
    """

    # Allow submitting tasks to the pool.
    luci.binding(
        realm = pool_realm,
        roles = "role/swarming.poolUser",
        users = users,
        groups = groups,
        projects = projects,
    )

    # Builder-realm roles, one binding each: the first allows associating
    # tasks with a particular builder realm, the second allows creating
    # subbuilds. `projects` is left out here, so project identities get no
    # rights in the builder realms.
    builder_roles = [
        "role/swarming.taskTriggerer",
        "role/buildbucket.creator",
    ]
    for builder_role in builder_roles:
        luci.binding(
            realm = builder_realms,
            roles = builder_role,
            users = users,
            groups = groups,
        )
| |
# Permissions for prod builds to trigger subbuilds. The prod builder service
# account and the prod LED users group get the roles; the flutter and dart
# projects are passed as `projects`.
task_triggerers(
    pool_realm = "pools/prod",
    builder_realms = ["prod"],
    users = ["flutter-prod-builder@chops-service-accounts.iam.gserviceaccount.com"],
    groups = ["project-flutter-led-prod-users"],
    projects = ["flutter", "dart"],
)

# Permissions to run LED jobs with try builds. `projects` is not given, so
# the function default applies.
task_triggerers(
    pool_realm = "pools/try",
    builder_realms = ["try"],
    users = ["flutter-try-builder@chops-service-accounts.iam.gserviceaccount.com"],
    groups = [
        "project-flutter-led-users",
        "project-flutter-try-schedulers",
    ],
)

# Permissions to run LED jobs with staging builds. No individual accounts
# are listed here, only groups.
task_triggerers(
    pool_realm = "pools/staging",
    builder_realms = ["staging"],
    groups = [
        "project-flutter-led-users",
        "project-flutter-staging-schedulers",
    ],
    projects = ["flutter", "dart"],
)
| |
# Storage bucket used by LogDog for this project.
luci.logdog(gs_bucket = "chromium-luci-logdog")

# Branding shown in the Milo UI; both assets are fetched over HTTPS.
luci.milo(
    favicon = "https://storage.googleapis.com/flutter_infra/favicon.ico",
    logo = "https://storage.googleapis.com/chrome-infra-public/logo/flutter-logo.svg",
)
| |
# prod bucket: only the prod schedulers group may trigger builds and
# scheduler jobs here, on top of the project-wide ACLs.
luci.bucket(
    name = "prod",
    acls = [
        acl.entry(
            roles = acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-prod-schedulers",
        ),
        acl.entry(
            roles = acl.SCHEDULER_TRIGGERER,
            groups = "project-flutter-prod-schedulers",
        ),
    ],
)

# try bucket: builds are triggered by the try schedulers group.
luci.bucket(
    name = "try",
    acls = [
        acl.entry(
            roles = acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-try-schedulers",
        ),
    ],
)
| |
# Shadow buckets are used to trigger a real Buildbucket build using led:
# go/luci-how-to-led#new-trigger-a-real-buildbucket-build-using-led
#
# Each shadow bucket names the pool and the service account its builds are
# constrained to, and grants role/buildbucket.creator to the scheduler group
# of the matching environment.
#
# NOTE(review): the comment that used to sit above try.shadow said "No need
# to add constraints as try builds do not persist anything", yet try.shadow
# declares constraints like the other two. The remark looks stale; confirm.
luci.bucket(
    name = "try.shadow",
    shadows = "try",
    dynamic = True,
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.try"],
        service_accounts = ["flutter-try-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-try-schedulers",
        ),
    ],
)

# NOTE(review): builds created here are constrained to the prod pool and the
# prod builder service account, so membership of the prod schedulers group
# presumably deserves the same scrutiny as prod access itself. Confirm.
luci.bucket(
    name = "prod.shadow",
    shadows = "prod",
    dynamic = True,
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.prod"],
        service_accounts = ["flutter-prod-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-prod-schedulers",
        ),
    ],
)

luci.bucket(
    name = "staging.shadow",
    shadows = "staging",
    dynamic = True,
    constraints = luci.bucket_constraints(
        pools = ["luci.flutter.staging"],
        service_accounts = ["flutter-staging-builder@chops-service-accounts.iam.gserviceaccount.com"],
    ),
    bindings = [
        # for led permissions.
        luci.binding(
            roles = "role/buildbucket.creator",
            groups = "project-flutter-staging-schedulers",
        ),
    ],
)
| |
# staging bucket: builds are triggered by the staging schedulers group.
luci.bucket(
    name = "staging",
    acls = [
        acl.entry(
            roles = acl.BUILDBUCKET_TRIGGERER,
            groups = "project-flutter-staging-schedulers",
        ),
    ],
)
| |
# CQ group configurations. FLUTTER_RECIPES is the only repository using LUCI
# CQ, but the CQ configurations are still needed for all the try
# configurations so that led recipe tests work.
common.cq_group(repos.FLUTTER_INFRA)
| |
# Default properties set for every builder.
luci.builder.defaults.properties.set({
    "$kitchen": {
        "emulate_gce": True,
    },
    "$flutter/goma": {
        "server": "rbe-prod1.endpoints.fuchsia-infra-goma-prod.cloud.goog",
    },
    "$flutter/rbe": {
        "instance": "projects/flutter-rbe-prod/instances/default",
        # The container image is pinned by sha256 digest rather than by tag,
        # so the image used cannot change without an edit to this line.
        "platform": "container-image=docker://gcr.io/cloud-marketplace/google/debian11@sha256:69e2789c9f3d28c6a0f13b25062c240ee7772be1f5e6d41bb4680b63eae6b304",
    },
    "$recipe_engine/isolated": {
        "server": "https://isolateserver.appspot.com",
    },
    "$recipe_engine/swarming": {
        "server": "https://chromium-swarm.appspot.com",
    },
    "mastername": "client.flutter",
    # Job counts are passed as strings, not integers.
    "goma_jobs": "200",
    "rbe_jobs": "200",
    # Uploading packages and clobbering are off by default.
    "upload_packages": False,
    "clobber": False,
})
| |
| ############################ End Global Defaults ############################ |
# Per-repository configuration; each setup() comes from one of the modules
# loaded at the top of this file.
cocoon_config.setup()

# flutter_config is out of alphabetical order on purpose, for the time being.
flutter_config.setup()

engine_config.setup()

infra_config.setup()

iostools_config.setup()

packages_config.setup()

recipes_config.setup()
| |
| ######################### Console Definitions ################################# |