Diffstat (limited to 'baserock_gerrit/All-Projects/project.config')
-rw-r--r--baserock_gerrit/All-Projects/project.config125
1 files changed, 125 insertions, 0 deletions
diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config
new file mode 100644
index 00000000..f3069904
--- /dev/null
+++ b/baserock_gerrit/All-Projects/project.config
@@ -0,0 +1,125 @@
+# Top-level access controls for projects on Baserock Gerrit.
+
+# These can be overridden by a project's own project.config file. They are also
+# overridden by the config of a project's parent repo, if it is set to something
+# other than the default parent project 'All-Projects'.
+
+# Useful references:
+#
+# https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html
+# https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst
+
+# To deploy changes to this file, you need to manually commit it and push it to
+# the 'refs/meta/config' ref of the All-Projects repo in Gerrit.
+
+[project]
+ description = Access inherited by all other projects.
+
+[receive]
+ requireContributorAgreement = false
+ requireSignedOffBy = false
+ requireChangeId = true
+
+[submit]
+ mergeContent = true
+ action = rebase if necessary
+
+[capability]
+ administrateServer = group Administrators
+ priority = batch group Non-Interactive Users
+ streamEvents = group Non-Interactive Users
+
+ createProject = group Mirroring Tools
+
+# Everyone can read everything.
+[access "refs/*"]
+ read = group Administrators
+ read = group Anonymous Users
+
+
+# Developers can propose changes. All 'Registered Users' are 'Developers'.
+[access "refs/for/refs/*"]
+ push = group Developers
+ pushMerge = group Developers
+
+
+[access "refs/heads/*"]
+ forgeAuthor = group Developers
+ rebase = group Developers
+ label-Code-Review = -2..+2 group Mergers
+ submit = group Mergers
+ label-Code-Review = -1..+1 group Reviewers
+# label-Verified = -1..+1 group Testers
+
+ create = group Administrators
+ forgeAuthor = group Administrators
+ forgeCommitter = group Administrators
+ push = group Administrators
+ create = group Project Owners
+ forgeAuthor = group Project Owners
+ forgeCommitter = group Project Owners
+ push = group Project Owners
+ create = group Mergers
+ forgeAuthor = group Mergers
+ push = +force group Mergers
+
+ create = group Mirroring Tools
+ forgeAuthor = group Mirroring Tools
+ forgeCommitter = group Mirroring Tools
+ push = +force group Mirroring Tools
+
+
+# Nobody should be able to force push to 'master'. In particular, if Lorry
+# can force-push master then it will do, in the course of mirroring from
+# git.baserock.org, and this may undo merges that Gerrit just did and really
+# confuse things.
+[access "refs/heads/master"]
+ exclusiveGroupPermissions = push
+ push = block +force group Mergers
+ push = block +force group Mirroring Tools
+
+
+[access "refs/tags/*"]
+ pushTag = group Release Team
+ pushSignedTag = group Release Team
+
+ pushTag = group Administrators
+ pushSignedTag = group Administrators
+ pushTag = group Project Owners
+ pushSignedTag = group Project Owners
+
+ create = group Mirroring Tools
+ forgeAuthor = group Mirroring Tools
+ forgeCommitter = group Mirroring Tools
+ push = +force group Mirroring Tools
+ pushTag = +force group Mirroring Tools
+ pushSignedTag = +force group Mirroring Tools
+
+
+# Changing project configuration is allowed for Administrators only. (In theory
+# anyone who owns a project can change its permissions, but right now all
+# projects should be owned by the Administrators group).
+[access "refs/meta/config"]
+ exclusiveGroupPermissions = read
+
+ read = group Administrators
+ push = group Administrators
+ read = group Project Owners
+ push = group Project Owners
+
+[label "Code-Review"]
+ function = MaxWithBlock
+ copyMinScore = true
+ value = -2 Do not merge
+ value = -1 This patch needs further work before it can be merged
+ value = 0 No score
+ value = +1 Looks good to me, but someone else must approve
+ value = +2 Looks good to me, approved
+
+# Disabled for now, because there is no automated test tool hooked up to our
+# Gerrit yet.
+#[label "Verified"]
+# function = MaxWithBlock
+# value = -1 Failed
+# value = 0 No score
+# value = +1 Verified
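Review bot: The `[access "refs/heads/master"]` section blocks force-push only for `Mergers` and `Mirroring Tools`, while the comment above it says nobody should be able to force-push master. Only an inherited BLOCK rule is safe from being overridden by a child project, so a project-level `push = +force` grant to any other group (for example `Project Owners`) would still apply to master. If the intent really is "nobody", consider `push = block +force group Registered Users` in place of the two per-group lines. Separately, `exclusiveGroupPermissions = push` is not needed for the blocks to take effect and, as far as I can tell from the Gerrit access-control documentation, it stops the ALLOW rules under `refs/heads/*` from being considered for master. That may also stop Lorry's ordinary non-forced pushes, so it is worth confirming on a test project before pushing this to `refs/meta/config`.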