project-config/gerrit
Jeremy Stanley b89296fee2 Add an empty project for an OpenStack base ACL
Presently, the OpenStack release managers have special access
granted over every project in OpenDev's Gerrit due to historical
entries in the All-Projects ACL. These permissions allow creation of
branches, pushing tags and abandoning open changes, and they would
like to add deletion of branches to the mix. It would be ideal, both
for safety and correctness, to only have those permissions apply to
projects in the "openstack/" namespace, and this could be
accomplished with Gerrit's ACL inheritance feature.

Create a new empty repository which serves only as a reference to a
Gerrit ACL, for future use as an inherited base ACL in official
OpenStack projects. It is intentional that this repository lacks
typical change approval rights, an entry in the Zuul config, and so
on, as it should never receive proposed changes nor need to test and
merge them. When copying in the Release Managers group permissions,
replace pushTag with the stricter pushSignedTag since we expect all
tags to be signed (Zuul would ignore unsigned tag events anyway).

Change-Id: Ifb7ef3870b2c2d876a3dbe21a4ad7a930f09ee5c
2021-04-13 18:30:24 +00:00
acls Add an empty project for an OpenStack base ACL 2021-04-13 18:30:24 +00:00
notify_impact.yaml Reorganizes project-config 2014-09-25 11:41:04 -04:00
projects.yaml Add an empty project for an OpenStack base ACL 2021-04-13 18:30:24 +00:00