From 76b7c06f8997b0b151c980d83b92c94b16f1dfe9 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Wed, 29 May 2019 16:50:05 +0200
Subject: [PATCH] Allow coreos-continuous users to untag secure-boot builds

See https://pagure.io/releng/issue/8390
---
 roles/koji_hub/templates/hub.conf.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index 0589800195..02c04da7b0 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -87,9 +87,11 @@ tag =
     has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
     has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
     # CoreOS continuous builds, https://pagure.io/releng/issue/8165
-    tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
+    operation tag && tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
+    operation untag && fromtag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
     # CoreOS coreos-pool and coreos-release tags, https://pagure.io/releng/issue/8294
-    tag coreos-pool coreos-release && has_perm coreos-continuous :: allow
+    operation tag && tag coreos-pool coreos-release && has_perm coreos-continuous :: allow
+    operation untag && fromtag coreos-pool coreos-release && has_perm coreos-continuous :: allow
     # deny tagging secureboot packages that are not related to coreos-continuous
     package kernel shim grub2 fedora-release fedora-repos pesign :: deny
 # Allow people to tag stuff into infra-candidate if they're infra