Configure ACLs for Copybara

This configures ACLs according to (internal) go/copybara-gerrit-acl.

Also adds a label, Presubmit-G3-Verified, which will be stamped by
Copybara on CLs passing G3 presubmits.

Bug: 448460564
Change-Id: Ic2a5f050fc1b3835475cc0eebd34cdfeb9fa5029
Reviewed-on: https://boringssl-review.googlesource.com/c/All-Projects/+/94187
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/groups b/groups
index f21d325..9f070bb 100644
--- a/groups
+++ b/groups
@@ -22,6 +22,8 @@
 mdb:boringssl-commiters                                       	mdb/boringssl-commiters
 mdb:boringssl-committers                                      	mdb/boringssl-committers
 mdb:chrome-git-admins                                         	mdb/chrome-git-admins
+mdb:copybara-git-readers                                      	mdb/copybara-git-readers
+mdb:copybara-git-writers                                      	mdb/copybara-git-writers
 mdb:gerrit-flows                                              	mdb/gerrit-flows
 mdb:gwsq                                                      	mdb/gwsq
 mdb:libjuggler-service                                        	mdb/libjuggler-service
diff --git a/project.config b/project.config
index 16c20f1..d8408af 100644
--- a/project.config
+++ b/project.config
@@ -13,6 +13,7 @@
 	read = group Registered Users
 	read = group luci-config-service-account
 	read = group mdb/boringssl-committers
+	read = group mdb/copybara-git-readers
 	read = group mdb/gerrit-flows
 	read = group mdb/gwsq
 	read = group mdb/libjuggler-service
@@ -42,6 +43,8 @@
 	labelAs-Commit-Queue = +0..+2 group boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com
 	label-Presubmit-BoringSSL-Verified = -1..+1 group Project Owners
 	label-Presubmit-BoringSSL-Verified = -1..+1 group boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com
+	label-Presubmit-G3-Verified = -1..+1 group Project Owners
+	label-Presubmit-G3-Verified = -1..+1 group mdb/copybara-git-writers
 	submit = group Project Owners
 	submit = group autoupdate-service-accounts
 	submit = group autoupdate-vigil-service-accounts
@@ -81,9 +84,13 @@
 [access "refs/tags/*"]
 	createTag = group Project Owners
 	createTag = group mdb/boringssl-committers
+	createTag = group mdb/copybara-git-writers
 	createSignedTag = group Project Owners
 	createSignedTag = group mdb/boringssl-committers
 	delete = group mdb/boringssl-committers
+	delete = group mdb/copybara-git-writers
+	forgeAuthor = group mdb/copybara-git-writers
+	forgeCommitter = group mdb/copybara-git-writers
 [label "Auto-Submit"]
 	function = NoBlock
 	defaultValue = 0
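Review bot: The `delete = group mdb/copybara-git-writers` grant on `refs/tags/*`, combined with the new `createTag`, lets that group remove a published tag and recreate it at a different commit, and the commit message does not say why Copybara needs tag deletion. The review URL points at All-Projects, so this grant is presumably inherited by every project on the host unless a child project overrides it. If the referenced ACL doc does not require deletion, drop that line; if it does, record the reason in a comment above it, e.g. `# tag delete needed by Copybara: <reason per go/copybara-gerrit-acl>`. The `forgeAuthor` and `forgeCommitter` grants look intended for mirrored tags that keep their original identities, but it is worth confirming they are needed under `refs/tags/*` specifically.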
@@ -129,6 +136,15 @@
 	value = 0 No score
 	value = +1 Compiles, passes basic unit tests
 	copyCondition = changekind:NO_CHANGE OR changekind:NO_CODE_CHANGE
+[label "Presubmit-G3-Verified"]
+	function = NoBlock
+	abbreviation = G3-Verified
+	defaultValue = 0
+	allowPostSubmit = false
+	value = -1 Fails
+	value = 0 No score
+	value = +1 Passes
+	copyCondition = changekind:NO_CHANGE OR changekind:NO_CODE_CHANGE OR changekind:TRIVIAL_REBASE
 [access "refs/heads/chromium-stable"]
 	push = +force group mdb/boringssl-committers
 [access "refs/heads/master-with-bazel"]
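Review bot: The `copyCondition` on the new `Presubmit-G3-Verified` label also copies votes across `changekind:TRIVIAL_REBASE`, so a `+1 Passes` stays on a patch set whose parent changed after the G3 presubmit ran. The label defined just above it in the context lines stops at `NO_CHANGE OR NO_CODE_CHANGE`. With `function = NoBlock` the label does not by itself gate submit, so the effect is a stale signal rather than a bypass, but reviewers may read the vote as current. Unless the rebase case is intentional, I would use `copyCondition = changekind:NO_CHANGE OR changekind:NO_CODE_CHANGE`; otherwise add a comment above the line saying why a trivial rebase cannot change the G3 result.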
@@ -158,11 +174,13 @@
 	administrateServer = group mdb/boringssl-committers
 	administrateServer = group mdb/chrome-git-admins
 	createAccount = group mdb/gwsq
+	gerrit-google-manageUsersGet = group mdb/copybara-git-readers
 	runAs = group mdb/gerrit-flows
 	viewAllAccounts = group autoupdate-onboarding-service-accounts
 	viewAllAccounts = group autoupdate-service-accounts
 	viewAllAccounts = group autoupdate-vigil-service-accounts
 	viewAllAccounts = group boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com
+	viewAllAccounts = group mdb/copybara-git-readers
 	viewAllAccounts = group mdb/gerrit-flows
 	viewAllAccounts = group mdb/gwsq
 	viewSecondaryEmails = group boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com
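Review bot: `viewAllAccounts` and `gerrit-google-manageUsersGet` are granted to `mdb/copybara-git-readers`, a group whose name suggests read-only repository access. The first is a host-wide capability that exposes every account, and the second appears from its name to be a user-management read capability. Judging by their names, the other `viewAllAccounts` holders in this hunk are mostly service-account groups, so it is worth confirming that the readers group holds only Copybara service identities and no human members. A comment above the two lines would make the grant auditable, e.g. `# <what Copybara looks up with these> (go/copybara-gerrit-acl)`. The enclosing section header is outside the hunk.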