commit 9f9e4fa892125898c7aa2c26e17a42f0c31ccf45
parent 8bda79c6786a8b8a57a37cecf4d5c56bcef8b912
Author: Dan Baker <dbaker@mozilla.com>
Date: Mon, 1 Dec 2025 20:53:19 -0700
Bug 2000941 - Vendor libwebrtc from 7afca54e66
Upstream commit: https://webrtc.googlesource.com/src/+/7afca54e66500aa15c523b36297d55344c170775
Cleanup realm ACLs to be compliant
Bug: b:441826109
Change-Id: I672eaf0629c18d7b3f8729ecc1ebe397afe4f889
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/409060
Reviewed-by: Jeremy Leconte <jleconte@google.com>
Commit-Queue: Christoffer Dewerin <jansson@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#45656}
Diffstat:
3 files changed, 66 insertions(+), 48 deletions(-)
diff --git a/third_party/libwebrtc/README.mozilla.last-vendor b/third_party/libwebrtc/README.mozilla.last-vendor
@@ -1,4 +1,4 @@
# ./mach python dom/media/webrtc/third_party_build/vendor-libwebrtc.py --from-local /Users/danielbaker/elm/.moz-fast-forward/moz-libwebrtc --commit mozpatches libwebrtc
-libwebrtc updated from /Users/danielbaker/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-12-02T03:50:46.960830+00:00.
+libwebrtc updated from /Users/danielbaker/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-12-02T03:53:06.243515+00:00.
# base of lastest vendoring
-10416a9cb0
+7afca54e66
diff --git a/third_party/libwebrtc/infra/config/config.star b/third_party/libwebrtc/infra/config/config.star
@@ -176,13 +176,17 @@ luci.realm(name = "pools/ci-tests", bindings = [
groups = "project-webrtc-ci-task-accounts",
),
])
-luci.realm(name = "ci", bindings = [
- # Allow CI builders to create invocations in their own builds.
- luci.binding(
- roles = "role/resultdb.invocationCreator",
- groups = "project-webrtc-ci-task-accounts",
- ),
-])
+luci.realm(
+ name = "ci",
+ extends = "debug-bot-acls",
+ bindings = [
+ # Allow CI builders to create invocations in their own builds.
+ luci.binding(
+ roles = "role/resultdb.invocationCreator",
+ groups = "project-webrtc-ci-task-accounts",
+ ),
+ ],
+)
luci.realm(name = "pools/try", bindings = [
# Allow to use LED & Swarming "Debug" feature to a larger group but only on try bots / builders.
@@ -203,21 +207,25 @@ luci.realm(name = "pools/try-tests", bindings = [
groups = "project-webrtc-try-task-accounts",
),
])
-luci.realm(name = "try", bindings = [
- luci.binding(
- roles = "role/buildbucket.creator",
- groups = "project-webrtc-led-users",
- ),
- luci.binding(
- roles = "role/swarming.taskTriggerer",
- groups = "project-webrtc-led-users",
- ),
- # Allow try builders to create invocations in their own builds.
- luci.binding(
- roles = "role/resultdb.invocationCreator",
- groups = "project-webrtc-try-task-accounts",
- ),
-])
+luci.realm(
+ name = "try",
+ extends = "debug-bot-acls",
+ bindings = [
+ luci.binding(
+ roles = "role/buildbucket.creator",
+ groups = "project-webrtc-led-users",
+ ),
+ luci.binding(
+ roles = "role/swarming.taskTriggerer",
+ groups = "project-webrtc-led-users",
+ ),
+ # Allow try builders to create invocations in their own builds.
+ luci.binding(
+ roles = "role/resultdb.invocationCreator",
+ groups = "project-webrtc-try-task-accounts",
+ ),
+ ],
+)
luci.realm(name = "pools/perf", bindings = [
# Allow to use LED & Swarming "Debug" feature to a larger group but only on perf bots / builders.
@@ -226,19 +234,23 @@ luci.realm(name = "pools/perf", bindings = [
groups = "project-webrtc-led-users",
),
])
-luci.realm(name = "perf", bindings = [
- luci.binding(
- roles = "role/buildbucket.creator",
- groups = "project-webrtc-led-users",
- ),
- luci.binding(
- roles = "role/swarming.taskTriggerer",
- groups = "project-webrtc-led-users",
- ),
-])
+luci.realm(
+ name = "perf",
+ extends = "debug-bot-acls",
+ bindings = [
+ luci.binding(
+ roles = "role/buildbucket.creator",
+ groups = "project-webrtc-led-users",
+ ),
+ luci.binding(
+ roles = "role/swarming.taskTriggerer",
+ groups = "project-webrtc-led-users",
+ ),
+ ],
+)
-luci.realm(name = "@root", bindings = [
- # Allow admins to use LED & Swarming "Debug" feature on all WebRTC bots.
+# Allow admins to use LED & Swarming "Debug" feature on WebRTC bots where this permission is extended.
+luci.realm(name = "debug-bot-acls", bindings = [
luci.binding(
roles = "role/swarming.poolUser",
groups = "project-webrtc-admins",
diff --git a/third_party/libwebrtc/infra/config/generated/luci/realms.cfg b/third_party/libwebrtc/infra/config/generated/luci/realms.cfg
@@ -19,10 +19,6 @@ realms {
principals: "group:all"
}
bindings {
- role: "role/buildbucket.creator"
- principals: "group:project-webrtc-admins"
- }
- bindings {
role: "role/buildbucket.reader"
principals: "group:all"
}
@@ -55,10 +51,6 @@ realms {
principals: "group:project-webrtc-admins"
}
bindings {
- role: "role/swarming.poolUser"
- principals: "group:project-webrtc-admins"
- }
- bindings {
role: "role/swarming.poolViewer"
principals: "group:all"
}
@@ -66,13 +58,10 @@ realms {
role: "role/swarming.taskServiceAccount"
principals: "user:chromium-tester@chops-service-accounts.iam.gserviceaccount.com"
}
- bindings {
- role: "role/swarming.taskTriggerer"
- principals: "group:project-webrtc-admins"
- }
}
realms {
name: "ci"
+ extends: "debug-bot-acls"
bindings {
role: "role/buildbucket.builderServiceAccount"
principals: "user:webrtc-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
@@ -95,7 +84,23 @@ realms {
}
}
realms {
+ name: "debug-bot-acls"
+ bindings {
+ role: "role/buildbucket.creator"
+ principals: "group:project-webrtc-admins"
+ }
+ bindings {
+ role: "role/swarming.poolUser"
+ principals: "group:project-webrtc-admins"
+ }
+ bindings {
+ role: "role/swarming.taskTriggerer"
+ principals: "group:project-webrtc-admins"
+ }
+}
+realms {
name: "perf"
+ extends: "debug-bot-acls"
bindings {
role: "role/buildbucket.builderServiceAccount"
principals: "user:webrtc-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
@@ -178,6 +183,7 @@ realms {
}
realms {
name: "try"
+ extends: "debug-bot-acls"
bindings {
role: "role/buildbucket.builderServiceAccount"
principals: "user:webrtc-try-builder@chops-service-accounts.iam.gserviceaccount.com"
