Create a group gerrit-flows with runAs+viewAllAccounts permission

Following go/gob/users/gerrit-flows#onboarding step 5/6, except that
says to grant the *user* permission but the Gerrit UI doesn't allow me
to do that, so I created a group and added the user instead.
Group:
https://dawn-review.git.corp.google.com/admin/groups/e6a605e72c494a2fbf0c51f14cd0f24fb7ae1e50,members
User: https://dawn-review.git.corp.google.com/dashboard/4718297

Bug: 493938721
Change-Id: I7da16e9bc47043d78f2f6ffcaef80df544d4205b
diff --git a/groups b/groups
index 0a7cf3c..85c4ea4 100644
--- a/groups
+++ b/groups
@@ -1,17 +1,18 @@
 # UUID                                                        	Group Name
 #
-090e2829b3a2ff324d5c288f4c7bb82d3389fa8e			owners-override
-5bfa1e6d0fc0cd988605571affca89e60a7aa1a1			bot-commit-bots
-b8e19f14ecb618ea6c5d3dca892a7d80105ed6af			gerrit-submit-requirements-admins
-cria:project-dawn-committers            			cria/project-dawn-committers
-d88594eff8d639cb82d00cdda77f3ec69a8463a0			dawn-scoped@luci-project-accounts.iam.gserviceaccount.com
-e8a7a6ec5578b7b3fb664b063b34b1278f7409e2			tint-scoped@luci-project-accounts.iam.gserviceaccount.com
-global:Anonymous-Users                  			Anonymous Users
-global:Project-Owners                   			Project Owners
-global:Registered-Users                 			Registered Users
+090e2829b3a2ff324d5c288f4c7bb82d3389fa8e                      	owners-override
+5bfa1e6d0fc0cd988605571affca89e60a7aa1a1                      	bot-commit-bots
+b8e19f14ecb618ea6c5d3dca892a7d80105ed6af                      	gerrit-submit-requirements-admins
+cria:project-dawn-committers                                  	cria/project-dawn-committers
+d88594eff8d639cb82d00cdda77f3ec69a8463a0                      	dawn-scoped@luci-project-accounts.iam.gserviceaccount.com
+e6a605e72c494a2fbf0c51f14cd0f24fb7ae1e50                      	gerrit-flows
+e8a7a6ec5578b7b3fb664b063b34b1278f7409e2                      	tint-scoped@luci-project-accounts.iam.gserviceaccount.com
+global:Anonymous-Users                                        	Anonymous Users
+global:Project-Owners                                         	Project Owners
+global:Registered-Users                                       	Registered Users
 google:AI2Pq9r_ksT_hfUOny8swsG8krQwPL5eOM0hGHf4QWGOPdy9igqsdhs	google/google-union:signcla
-mdb:chrome-git-admins                   			mdb/chrome-git-admins
-mdb:copybara-git-readers                			mdb/copybara-git-readers
-mdb:google-cla-gerrit-robot-accounts				mdb/google-cla-gerrit-robot-accounts
-mdb:webgpu-dawn-admin                   			mdb/webgpu-dawn-admin
-mdb:webgpu-tint-admin                   			mdb/webgpu-tint-admin
+mdb:chrome-git-admins                                         	mdb/chrome-git-admins
+mdb:copybara-git-readers                                      	mdb/copybara-git-readers
+mdb:google-cla-gerrit-robot-accounts                          	mdb/google-cla-gerrit-robot-accounts
+mdb:webgpu-dawn-admin                                         	mdb/webgpu-dawn-admin
+mdb:webgpu-tint-admin                                         	mdb/webgpu-tint-admin
diff --git a/project.config b/project.config
index b20662b..44ce4eb 100644
--- a/project.config
+++ b/project.config
@@ -5,13 +5,6 @@
 	requireSignedOffBy = false
 	requireChangeId = true
 	enableSignedPush = false
-[accounts]
-	sameGroupVisibility = deny group google/google-union:signcla
-[contributor-agreement "Google CLA"]
-	description = Google Contributor License Agreement
-	agreementUrl = static/cla.html
-	accepted = group google/google-union:signcla
-	accepted = group mdb/google-cla-gerrit-robot-accounts
 [submit]
 	mergeContent = true
 [access "refs/*"]
@@ -90,11 +83,20 @@
 [access "refs/for/refs/meta/config"]
 	push = group gerrit-submit-requirements-admins
 	read = group gerrit-submit-requirements-admins
+[accounts]
+	sameGroupVisibility = deny group google/google-union:signcla
+[contributor-agreement "Google CLA"]
+	description = Google Contributor License Agreement
+	agreementUrl = static/cla.html
+	accepted = group google/google-union:signcla
+	accepted = group mdb/google-cla-gerrit-robot-accounts
 [capability]
 	administrateServer = group mdb/chrome-git-admins
 	administrateServer = group mdb/webgpu-dawn-admin
 	gerrit-google-manageUsersGet = group mdb/copybara-git-readers
+	runAs = group gerrit-flows
 	viewAllAccounts = group dawn-scoped@luci-project-accounts.iam.gserviceaccount.com
+	viewAllAccounts = group gerrit-flows
 	viewAllAccounts = group mdb/copybara-git-readers
 	viewAllAccounts = group tint-scoped@luci-project-accounts.iam.gserviceaccount.com
 [plugin "jwtservice"]