x/build: give a few people access to delete TryBot-Result label, but not change it

[bradfitz]

Currently we have a Gerrit group called "trybot-result-changers":

https://go-review.googlesource.com/admin/groups/1025

The intent of that group is that some people can delete TryBot-Result on failed flakes and cause the trybots to re-run.

But the way we implemented that group is this ACL:

(in All-Projects project.config)

[access "refs/heads/*"]
...
        label-Run-TryBot = +0..+1 group approvers
        label-Run-TryBot = +0..+1 group may-start-trybots
        label-TryBot-Result = -1..+1 group trybot-result-changers

I think we want to use this instead:

https://gerrit-review.googlesource.com/Documentation/access-control.html#category_review_labels

For every configured label My-Name in the project, there is a corresponding permission label-My-Name with a range corresponding to the defined values. There is also a corresponding labelAs-My-Name permission that enables editing another user’s label.

We want some people to be able to delete the gopherbot's TryBot-Result label, but not set it themselves.

Is that possible?

Leaving for @andybons

[bradfitz]

Btw, the harm in the current system is that the UI is cluttered now and it's too easy to accidentally "vote" on TryBot-Result instead of Run-TryBot:

[bradfitz]

Andy, did you see this earlier?

[andybons]

I did not. Will take a look. Need to go through all my assigned bugs. 😬