diff options
Diffstat (limited to 'baserock_gerrit/All-Projects/project.config')
-rw-r--r-- | baserock_gerrit/All-Projects/project.config | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config new file mode 100644 index 00000000..f3069904 --- /dev/null +++ b/baserock_gerrit/All-Projects/project.config @@ -0,0 +1,125 @@ +# Top-level access controls for projects on Baserock Gerrit. + +# These can be overridden by a project's own project.config file. They are also +# overridden by the config of a project's parent repo, if it is set to something +# other than the default parent project 'All-Projects'. + +# Useful references: +# +# https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html +# https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst + +# To deploy changes to this file, you need to manually commit it and push it to +# the 'refs/meta/config' ref of the All-Projects repo in Gerrit. + +[project] + description = Access inherited by all other projects. + +[receive] + requireContributorAgreement = false + requireSignedOffBy = false + requireChangeId = true + +[submit] + mergeContent = true + action = rebase if necessary + +[capability] + administrateServer = group Administrators + priority = batch group Non-Interactive Users + streamEvents = group Non-Interactive Users + + createProject = group Mirroring Tools + +# Everyone can read everything. +[access "refs/*"] + read = group Administrators + read = group Anonymous Users + + +# Developers can propose changes. All 'Registered Users' are 'Developers'. +[access "refs/for/refs/*"] + push = group Developers + pushMerge = group Developers + + +[access "refs/heads/*"] + forgeAuthor = group Developers + rebase = group Developers + label-Code-Review = -2..+2 group Mergers + submit = group Mergers + label-Code-Review = -1..+1 group Reviewers +# label-Verified = -1..+1 group Testers + + create = group Administrators + forgeAuthor = group Administrators + forgeCommitter = group Administrators + push = group Administrators + create = group Project Owners + forgeAuthor = group Project Owners + forgeCommitter = group Project Owners + push = group Project Owners + create = group Mergers + forgeAuthor = group Mergers + push = +force group Mergers + + create = group Mirroring Tools + forgeAuthor = group Mirroring Tools + forgeCommitter = group Mirroring Tools + push = +force group Mirroring Tools + + +# Nobody should be able to force push to 'master'. In particular, if Lorry +# can force-push master then it will do, in the course of mirroring from +# git.baserock.org, and this may undo merges that Gerrit just did and really +# confuse things. +[access "refs/heads/master"] + exclusiveGroupPermissions = push + push = block +force group Mergers + push = block +force group Mirroring Tools + + +[access "refs/tags/*"] + pushTag = group Release Team + pushSignedTag = group Release Team + + pushTag = group Administrators + pushSignedTag = group Administrators + pushTag = group Project Owners + pushSignedTag = group Project Owners + + create = group Mirroring Tools + forgeAuthor = group Mirroring Tools + forgeCommitter = group Mirroring Tools + push = +force group Mirroring Tools + pushTag = +force group Mirroring Tools + pushSignedTag = +force group Mirroring Tools + + +# Changing project configuration is allowed for Administrators only. (In theory +# anyone who owns a project can change its permissions, but right now all +# projects should be owned by the Administrators group). +[access "refs/meta/config"] + exclusiveGroupPermissions = read + + read = group Administrators + push = group Administrators + read = group Project Owners + push = group Project Owners + +[label "Code-Review"] + function = MaxWithBlock + copyMinScore = true + value = -2 Do not merge + value = -1 This patch needs further work before it can be merged + value = 0 No score + value = +1 Looks good to me, but someone else must approve + value = +2 Looks good to me, approved + +# Disabled for now, because there is no automated test tool hooked up to our +# Gerrit yet. +#[label "Verified"] +# function = MaxWithBlock +# value = -1 Failed +# value = 0 No score +# value = +1 Verified |