Many permissions changes
Mostly, use "Administrators" group instead of mdb/pigweed-gob-admin-acl.
Also grant "Googlers" marginally elevated permissions, and remove any
permissions to push directly to "refs/heads/*".
Change-Id: I1c74dd5b42274e0fc516fd736cda3af224860fdb
Reviewed-on: https://bluetooth-review.git.corp.google.com/c/All-Projects/+/1000
Reviewed-by: Oliver Newman <olivernewman@google.com>
diff --git a/groups b/groups
index 6675d65..0e0e7a2 100644
--- a/groups
+++ b/groups
@@ -1,6 +1,9 @@
-# UUID Group Name
+# UUID Group Name
#
-global:Anonymous-Users Anonymous Users
-global:Project-Owners Project Owners
-global:Registered-Users Registered Users
-mdb:pigweed-gob-admin-acl mdb/pigweed-gob-admin-acl
+66326fee1502be50f366279038a41476658a69c1 Administrators
+f7db30a3f0ff326e3c86b9c76703f7a29d69e51c Googlers
+global:Anonymous-Users Anonymous Users
+global:Project-Owners Project Owners
+global:Registered-Users Registered Users
+mdb:pigweed-gob-admin mdb/pigweed-gob-admin
+mdb:pigweed-gob-admin-acl mdb/pigweed-gob-admin-acl
diff --git a/project.config b/project.config
index d3ac935..d0c7dbf 100644
--- a/project.config
+++ b/project.config
@@ -9,50 +9,51 @@
mergeContent = true
action = rebase always
[access "refs/*"]
- read = group mdb/pigweed-gob-admin-acl
+ read = group Administrators
+ read = group Googlers
[access "refs/for/*"]
addPatchSet = group Registered Users
[access "refs/for/refs/*"]
push = group Registered Users
pushMerge = group Registered Users
[access "refs/heads/*"]
+ create = group Administrators
create = group Project Owners
- create = group mdb/pigweed-gob-admin-acl
- editTopicName = +force group Project Owners
- editTopicName = +force group mdb/pigweed-gob-admin-acl
forgeAuthor = group Registered Users
+ forgeCommitter = group Administrators
forgeCommitter = group Project Owners
- forgeCommitter = group mdb/pigweed-gob-admin-acl
+ label-Code-Review = -2..+2 group Administrators
+ label-Code-Review = -2..+2 group Googlers
label-Code-Review = -2..+2 group Project Owners
- label-Code-Review = -2..+2 group mdb/pigweed-gob-admin-acl
label-Code-Review = -1..+1 group Registered Users
- push = group Project Owners
- push = group mdb/pigweed-gob-admin-acl
read = group Anonymous Users
revert = group Registered Users
+ submit = group Administrators
+ submit = group Googlers
submit = group Project Owners
- submit = group mdb/pigweed-gob-admin-acl
[access "refs/meta/config"]
exclusiveGroupPermissions = read
+ create = group Administrators
create = group Project Owners
- create = group mdb/pigweed-gob-admin-acl
+ label-Code-Review = -2..+2 group Administrators
label-Code-Review = -2..+2 group Project Owners
- label-Code-Review = -2..+2 group mdb/pigweed-gob-admin-acl
+ label-Code-Review = -2..+2 group mdb/pigweed-gob-admin
push = group Project Owners
push = group mdb/pigweed-gob-admin-acl
+ read = group Administrators
+ read = group Googlers
read = group Project Owners
- read = group mdb/pigweed-gob-admin-acl
+ submit = group Administrators
submit = group Project Owners
- submit = group mdb/pigweed-gob-admin-acl
[access "refs/meta/version"]
read = group Anonymous Users
[access "refs/tags/*"]
+ create = group Administrators
create = group Project Owners
- create = group mdb/pigweed-gob-admin-acl
+ createSignedTag = group Administrators
createSignedTag = group Project Owners
- createSignedTag = group mdb/pigweed-gob-admin-acl
+ createTag = group Administrators
createTag = group Project Owners
- createTag = group mdb/pigweed-gob-admin-acl
[label "Code-Review"]
function = MaxWithBlock
defaultValue = 0
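Review bot: In `[access "refs/meta/config"]` the context line `push = group mdb/pigweed-gob-admin-acl` is left untouched, so that group can still push access-control changes directly without review, even though the description says it is being replaced by Administrators and the direct-push grants on `refs/heads/*` are dropped. The same section also adds `label-Code-Review = -2..+2 group mdb/pigweed-gob-admin`, a third group the description does not mention. If the direct push is meant to stay as a break-glass path, record that in the commit message; otherwise remove the line or change it to `push = group Administrators`. Separately, `label-Code-Review = -2..+2 group Googlers` together with `submit = group Googlers` on `refs/heads/*` is full approve-and-submit rather than "marginally elevated", and because the review URL points at All-Projects it would presumably be inherited by every project that does not override it.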
@@ -64,4 +65,4 @@
value = +1 Looks good to me, but someone else must approve
value = +2 Looks good to me, approved
[capability]
- administrateServer = group mdb/pigweed-gob-admin-acl
+ administrateServer = group Administrators
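Review bot: `administrateServer` now depends on the internal group `Administrators`, whose membership and owner are not visible in this change, whereas the previous grant went to the externally managed `mdb/pigweed-gob-admin-acl`. Before this lands, confirm that the internal group already contains the intended administrators (for example by including the mdb group) so the capability is neither lost nor held by unexpected accounts, and that the group's owner is itself or an equally restricted group. A short comment above the line such as `# Administrators = internal group; membership managed in Gerrit, includes <mdb group>` would make the indirection auditable. Any further entries in `[capability]` lie outside this hunk.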