commit 952dfc4af635a67ee379d92f19716c3f29d0c86b Author: Nicolas Chauvet <kwizart(a)gmail.com&gt; Date: Fri Aug 19 11:17:49 2022 +0200 koji update hub.conf roles/koji_hub/templates/hub.conf.j2 | 27 ++++++++++++++++++--------- 1 files changed, 18 insertions(+), 9 deletions(-) --- diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2 index 1b00e2b..0c32831 100644 --- a/roles/koji_hub/templates/hub.conf.j2 +++ b/roles/koji_hub/templates/hub.conf.j2 @@ -68,8 +68,7 @@ MissingPolicyOk = False #Plugins = koji-disable-builds-plugin #Plugins = darkserver-plugin -Plugins = runroot_hub hub_containerbuild - +Plugins = runroot_hub hub_containerbuild sidetag_hub [policy] @@ -90,9 +89,11 @@ tag = all :: deny channel = - method createrepo newRepo distRepo buildSRPMFromSCM :: use createrepo + method createrepo :: use createrepo + method createdistrepo :: use createrepo method buildContainer :: use powerbuilder buildtag *-rpi :: use powerbuilder + method buildSRPMFromSCM :: use createrepo method buildSRPMFromSCM && buildtag *rpi :: use powerbuilder has req_channel && has_perm customchannel :: req is_child_task :: parent @@ -118,11 +119,19 @@ build_from_repo_id= has_perm admin :: allow all :: deny +# Policy for manipulating package lists for tags. +package_list = + # Removing packages is almost always a mistake, so deny it. + # Admins can still override this with --force, if necessary. + match action remove :: deny + # Admins can do pretty much everything. + has_perm admin :: allow + # Allow people to manage their side tags, https://pagure.io/releng/issue/9229 + is_sidetag_owner && match action add update remove unblock block :: allow + # Catch-all rule. + all :: deny + sidetag = - tag f36-*-build :: allow - tag f35-*-build :: allow - tag f34-*-build :: allow - tag f33-*-build :: allow - tag el8-*-build :: allow - tag el7-*-build :: allow + tag f??-*-build :: allow + tag el?-*-build :: allow all :: deny