x/build: cannot start trybots on CLs from unprivileged users with (unapproved) dependencies

[prattmic]

In LUCI, if a CL is owned by an unprivileged user [1], and has a dependency (parent CL) which is also owned by an unprivileged user (usually the same user) and not yet submittable, then LUCI will not allow testing with Commit-Queue+1, regardless of the privileges of the user requesting testing.

For example, https://go.dev/cl/556335 depends on https://go.dev/cl/555996.

LUCI responds with something like:

"CV cannot start a Run because of the following dependencies. They must be submittable (please check the submit requirement) because their owners are not committers or dry-runners. Alternatively, you can ask the owner of this CL to trigger a dry-run.

• https://go-review.googlesource.com/c/555996: not satisfying the Review-Enforcement and No-Wait-Release submit requirement"

This is an intentional limitation in LUCI intended to guard against a reviewer failing to notice malicious code in the parent CL. Still, it is a frustrating roadblock in development. We may want to loosen this to something like allowing testing if the dependencies also had a valid Commit-Queue+1.

[1] i.e., not Approver or may-start-trybots

[prattmic]

Upstream LUCI issue: https://issues.chromium.org/issues/355416959