Many permissions changes Mostly, use "Administrators" group instead of mdb/pigweed-gob-admin-acl. Also grant "Googlers" marginally elevated permissions, and remove any permissions to push directly to "refs/heads/*". Change-Id: I1c74dd5b42274e0fc516fd736cda3af224860fdb Reviewed-on: https://bluetooth-review.git.corp.google.com/c/All-Projects/+/1000 Reviewed-by: Oliver Newman <olivernewman@google.com>
diff --git a/groups b/groups
index 6675d65..0e0e7a2 100644
--- a/groups
+++ b/groups
@@ -1,6 +1,9 @@
-# UUID Group Name
+# UUID Group Name
 #
-global:Anonymous-Users Anonymous Users
-global:Project-Owners Project Owners
-global:Registered-Users Registered Users
-mdb:pigweed-gob-admin-acl mdb/pigweed-gob-admin-acl
+66326fee1502be50f366279038a41476658a69c1 Administrators
+f7db30a3f0ff326e3c86b9c76703f7a29d69e51c Googlers
+global:Anonymous-Users Anonymous Users
+global:Project-Owners Project Owners
+global:Registered-Users Registered Users
+mdb:pigweed-gob-admin mdb/pigweed-gob-admin
+mdb:pigweed-gob-admin-acl mdb/pigweed-gob-admin-acl
diff --git a/project.config b/project.config
index d3ac935..d0c7dbf 100644
--- a/project.config
+++ b/project.config
@@ -9,50 +9,51 @@
 mergeContent = true
 action = rebase always
 [access "refs/*"]
- read = group mdb/pigweed-gob-admin-acl
+ read = group Administrators
+ read = group Googlers
 [access "refs/for/*"]
 addPatchSet = group Registered Users
 [access "refs/for/refs/*"]
 push = group Registered Users
 pushMerge = group Registered Users
 [access "refs/heads/*"]
+ create = group Administrators
 create = group Project Owners
- create = group mdb/pigweed-gob-admin-acl
- editTopicName = +force group Project Owners
- editTopicName = +force group mdb/pigweed-gob-admin-acl
 forgeAuthor = group Registered Users
+ forgeCommitter = group Administrators
 forgeCommitter = group Project Owners
- forgeCommitter = group mdb/pigweed-gob-admin-acl
+ label-Code-Review = -2..+2 group Administrators
+ label-Code-Review = -2..+2 group Googlers
 label-Code-Review = -2..+2 group Project Owners
- label-Code-Review = -2..+2 group mdb/pigweed-gob-admin-acl
 label-Code-Review = -1..+1 group Registered Users
- push = group Project Owners
- push = group mdb/pigweed-gob-admin-acl
 read = group Anonymous Users
 revert = group Registered Users
+ submit = group Administrators
+ submit = group Googlers
 submit = group Project Owners
- submit = group mdb/pigweed-gob-admin-acl
 [access "refs/meta/config"]
 exclusiveGroupPermissions = read
+ create = group Administrators
 create = group Project Owners
- create = group mdb/pigweed-gob-admin-acl
+ label-Code-Review = -2..+2 group Administrators
 label-Code-Review = -2..+2 group Project Owners
- label-Code-Review = -2..+2 group mdb/pigweed-gob-admin-acl
+ label-Code-Review = -2..+2 group mdb/pigweed-gob-admin
 push = group Project Owners
 push = group mdb/pigweed-gob-admin-acl
+ read = group Administrators
+ read = group Googlers
 read = group Project Owners
- read = group mdb/pigweed-gob-admin-acl
+ submit = group Administrators
 submit = group Project Owners
- submit = group mdb/pigweed-gob-admin-acl
 [access "refs/meta/version"]
 read = group Anonymous Users
 [access "refs/tags/*"]
+ create = group Administrators
 create = group Project Owners
- create = group mdb/pigweed-gob-admin-acl
+ createSignedTag = group Administrators
 createSignedTag = group Project Owners
- createSignedTag = group mdb/pigweed-gob-admin-acl
+ createTag = group Administrators
 createTag = group Project Owners
- createTag = group mdb/pigweed-gob-admin-acl
 [label "Code-Review"]
 function = MaxWithBlock
 defaultValue = 0
@@ -64,4 +65,4 @@
 value = +1 Looks good to me, but someone else must approve
 value = +2 Looks good to me, approved
 [capability]
- administrateServer = group mdb/pigweed-gob-admin-acl
+ administrateServer = group Administrators
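Review bot: In `[access "refs/meta/config"]` the context line `push = group mdb/pigweed-gob-admin-acl` survives, so the old mdb group can still push directly to the ref that holds these ACLs, even though its read, create, label and submit grants in the same section are removed. If the intent is to retire that group, this line should go as well. The new `label-Code-Review = -2..+2 group mdb/pigweed-gob-admin` is the only grant to that group in the hunk. Because the section sets `exclusiveGroupPermissions = read`, its members get no read on the ref unless they also belong to one of the three groups listed for read, so it looks like a leftover that should be dropped or paired with a `read` line. Separately, `submit = group Googlers` together with `label-Code-Review = -2..+2 group Googlers` on `refs/heads/*` lets any member both approve and submit, which is broader than the "marginally elevated" wording in the description; nothing visible in the hunk (for example `ignoreSelfApproval` on the label, whose section continues outside it) prevents an author from approving their own change.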
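Review bot: `administrateServer = group Administrators` moves the server-admin capability from an mdb-backed group to one that `groups` identifies only by a bare UUID, which suggests a Gerrit-internal group whose members and owner are not visible anywhere in this change. Before submitting, confirm that the group is populated and is not owned by a broader group, because after this line the former mdb members no longer hold the capability and anyone who can edit Administrators can grant it. A comment above the line, such as `# Administrators: Gerrit-internal group; membership owned by <owning team>`, would record where that control now lives.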