Allow coreos-continuous users to untag secure-boot builds

See https://pagure.io/releng/issue/8390
2019-05-29 16:50:05 +02:00 · 2019-05-29 16:50:05 +02:00 · 76b7c06f89
commit 76b7c06f89
parent 77dcd8034f
1 changed files with 4 additions and 2 deletions
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@ -87,9 +87,11 @@ tag =
    has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    # CoreOS continuous builds, https://pagure.io/releng/issue/8165
-    tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
+    operation tag && tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
+    operation untag && fromtag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
    # CoreOS coreos-pool and coreos-release tags, https://pagure.io/releng/issue/8294
-    tag coreos-pool coreos-release && has_perm coreos-continuous :: allow
+    operation tag && tag coreos-pool coreos-release && has_perm coreos-continuous :: allow
+    operation untag && fromtag coreos-pool coreos-release && has_perm coreos-continuous :: allow
    # deny tagging secureboot packages that are not related to coreos-continuous
    package kernel shim grub2 fedora-release fedora-repos pesign :: deny
 # Allow people to tag stuff into infra-candidate if they're infra