202408 proposal for reducing filecoin-project org ownership #61

Merged: 17 commits, Aug 30, 2024

@BigLep BigLep commented Aug 23, 2024

Message to those affected

@arden-sead
@dr-bizz
@filecoin-helper
@jbenet
@jmac-sead
@laurentsenta
@mishmosh
@momack2
@protocolin
@raulk
@Stebalien

You've been @mentioned because your filecoin-project github "org ownership" permissions are proposed for removal as part of #47 unless you respond back with your use-case for having these broad permissions by 2024-08-28. You will still be a member of the filecoin-project github org, retain your existing direct github repo permissions or team permissions, and be able to make permission requests through https://github.com/filecoin-project/github-mgmt.

The current plan is to merge this change on Wednesday, 2024-08-28 2024-09-04, if there are no blocking comments/feedback.

That said, this isn't a one-way door. If we got this wrong or you don't see the notification until after-the-fact, a new PR can be created to fix permissions.

Thanks and let me know if you have any questions or concerns.

Who is affected and how

Below is the textual summary of the changes. I'll keep it updated, if/as the code updates as well.

Retained org ownership (rationale is documented in code):

Removed org ownership but are part of "github-mgmt Stewards" which effectively has the ability to escalate to org ownership permissions (rationale is documented in code):

Removed org ownership because have not been active in org administration the last 6 months[*]:

Removed org ownership because are part of sead, but haven't been active in administering the org and still have representation with mastrwayne-admin[*]:

Removed org ownership even though have been active in org administration because have representation with other FilOz team members:

Added org ownership given experience and diversifying representation:

Added to new github-mgmt-approvers team:

  • @rjan90 given project awareness often helping act on behalf of implementation team
  • @Stebalien given project awareness and experience with tooling
  • @willscott given experience with the tooling and diversifying representation

Added to the newly created security-managers team:
(This team will be given the "security manager" role after being created as tracked in #47)

Added to the newly created moderators team:
(This team will be given the moderator role after being created as tracked in #47)

FAQ

Why are we removing so many owners, especially of longtime/foundational project members?

This is in no way meant to downplay the contribution of those affected who have been significant builders in shaping the project. Beyond the reasons listed in #47, I'm suggesting removing folks because I view having these superpowers as a burden. Many of those removed haven't had filecoin-project github org activity in the last 6 months, and thus I assume they're not getting utility from carrying the burden. In addition, their accounts would be a prime account for attackers to go after, and this change reduces the blast radius in the unfortunate-I-never-hope-it-happens event that their accounts do get attacked.

My general mindset: Github org ownership permissions are very powerful, and they enable someone to do things in the UI without review that can have significant consequences. Reducing the ownership set to a small set of people helps ensure:

  1. more actions go through github-mgmt (which has review) and
  2. that the few humans who are doing things outside of github-mgmt are also the humans who live in the github tools more, thus potentially more aware of how to wield them safely. (This is sort of similar to how AWS service teams don't allow Management Console/UI access to any of the production accounts except in "break glass" scenarios where others are in the loop and handholding together.)

Why not remove all org owners?

I considered a larger extreme of effectively removing all org owners and then just relying on github-mgmt stewards to self-promote themselves to "org owner" when they need this (leaving a comment for why they need this and what conditions need to be met to be removed from the owner role). This seems like the safest thing to reduce the chance that org owners accidentally use their permissions in unintended ways (and reduces some of the potential blast radius if their account gets hacked - there would at least be a PR to github-mgmt that would show the escalation of permissions which may give someone the chance to react/respond.)

I sided against advocating for this because there are likely notifications that come through to owners that it would be risky to not have any human receiving.

Feedback welcome though if anyone thinks we should tighten further.

Why aren't more teams/groups represented on the "github-mgmt stewards" team?

FilOz and IDPX are well represented on that team (see code). The Filecoin Foundation now has representation. Many of those who lost org owner permissions have representation via "org owners" or the "github-mgmt Stewards" team. More teams are not being proactively added to the list yet because:

  1. FilOz is guinea-pigging the process of ensuring that changes to the repos they maintain are done under code review and transparently. The hope/intent is to have other groups manage their repos in this way too if it's successful.
  2. We are dependent on some tooling improvement to support a diverse set of stakeholders that have limited blast radius (see "Support a diverse set of owners while limiting blast radius", ipdxco/github-as-code#126, for more info).

A new "github-mgmt approvers" team was also created that has a wider pool of people who can approve (but not merge) PRs.

Reviewer's Checklist

  • It is clear where the request is coming from (if unsure, ask)
  • All the automated checks passed
  • The YAML changes reflect the summary of the request
  • The Terraform plan posted as a comment reflects the summary of the request

Additional notes

[*] Audit log dump from the last 6 months was done here.

@BigLep BigLep self-assigned this Aug 23, 2024

github-actions bot commented Aug 23, 2024

The following access changes will be introduced as a result of applying the plan:

Access Changes
User arajasek:
  - will lose admin permission to github-mgmt
User arden-sead:
  - will have the role in the organization change from admin to member
User autonome:
  - will lose push permission to github-mgmt
User dr-bizz:
  - will have the role in the organization change from admin to member
User filecoin-helper:
  - will have the role in the organization change from admin to member
User galargh:
  - will have the permission to github-mgmt change from admin to push
User jbenet:
  - will have the role in the organization change from admin to member
User jennijuju:
  - will have the permission to github-mgmt change from admin to push
User jmac-sead:
  - will have the role in the organization change from admin to member
User laurentsenta:
  - will have the role in the organization change from admin to member
User magik6k:
  - will have the role in the organization change from member to admin
User mastrwayne-admin:
  - will lose admin permission to github-mgmt
User mishmosh:
  - will have the role in the organization change from admin to member
User momack2:
  - will have the role in the organization change from admin to member
User mroth:
  - will lose push permission to github-mgmt
User protocolin:
  - will have the role in the organization change from admin to member
User raulk:
  - will have the role in the organization change from admin to member
User rjan90:
  - will gain triage permission to github-mgmt
User scotthconner:
  - will lose push permission to github-mgmt
User smagdali:
  - will gain push permission to github-mgmt
  - will have the role in the organization change from admin to member
User stebalien:
  - will gain triage permission to github-mgmt
  - will have the role in the organization change from admin to member
User willscott:
  - will gain triage permission to github-mgmt


github-actions bot commented Aug 23, 2024

Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.

Terraform plans

filecoin-project

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # github_membership.this["arden-sead"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:arden-sead"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["dr-bizz"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:dr-bizz"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["filecoin-helper"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:filecoin-helper"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["jbenet"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:jbenet"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["jmac-sead"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:jmac-sead"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["laurentsenta"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:laurentsenta"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["magik6k"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:magik6k"
      ~ role     = "member" -> "admin"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["mishmosh"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:mishmosh"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["momack2"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:momack2"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["protocolin"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:protocolin"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["raulk"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:raulk"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["smagdali"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:smagdali"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["stebalien"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:Stebalien"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_repository_collaborator.this["github-mgmt:arajasek"] will be destroyed
  # (because key ["github-mgmt:arajasek"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:arajasek" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "arajasek" -> null
    }

  # github_repository_collaborator.this["github-mgmt:autonome"] will be destroyed
  # (because key ["github-mgmt:autonome"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:autonome" -> null
      - permission = "push" -> null
      - repository = "github-mgmt" -> null
      - username   = "autonome" -> null
    }

  # github_repository_collaborator.this["github-mgmt:galargh"] will be destroyed
  # (because key ["github-mgmt:galargh"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:galargh" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "galargh" -> null
    }

  # github_repository_collaborator.this["github-mgmt:jennijuju"] will be destroyed
  # (because key ["github-mgmt:jennijuju"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:jennijuju" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "jennijuju" -> null
    }

  # github_repository_collaborator.this["github-mgmt:mastrwayne-admin"] will be destroyed
  # (because key ["github-mgmt:mastrwayne-admin"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:mastrwayne-admin" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "mastrwayne-admin" -> null
    }

  # github_repository_collaborator.this["github-mgmt:mroth"] will be destroyed
  # (because key ["github-mgmt:mroth"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:mroth" -> null
      - permission = "push" -> null
      - repository = "github-mgmt" -> null
      - username   = "mroth" -> null
    }

  # github_repository_collaborator.this["github-mgmt:scotthconner"] will be destroyed
  # (because key ["github-mgmt:scotthconner"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:scotthconner" -> null
      - permission = "push" -> null
      - repository = "github-mgmt" -> null
      - username   = "scotthconner" -> null
    }

  # github_repository_file.this["github-mgmt/codeowners"] will be destroyed
  # (because key ["github-mgmt/codeowners"] is not in for_each map)
  - resource "github_repository_file" "this" {
      - branch              = "master" -> null
      - commit_author       = "GitHub" -> null
      - commit_email        = "[email protected]" -> null
      - commit_message      = "chore: Update CODEOWNERS [skip ci]" -> null
      - commit_sha          = "4a7d5a43e4067126ebcf8c9e79f50f73049da0ef" -> null
      - content             = <<-EOT
            # The github-mgmt stewards team is responsible for triaging/reviewing configuration change requests
            /github/filecoin-project.yml @filecoin-project/github-mgmt-stewards
        EOT -> null
      - file                = "CODEOWNERS" -> null
      - id                  = "github-mgmt/CODEOWNERS" -> null
      - overwrite_on_create = false -> null
      - ref                 = "master" -> null
      - repository          = "github-mgmt" -> null
      - sha                 = "c163220dc5d6f1ef7de88fe50e64b1d8df411a26" -> null
    }

  # github_team.this["github-mgmt approvers"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "Additional users beyong github-mgmt-stewards who can approve (but not merge) github-mgmt PRs"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "github-mgmt approvers"
      + node_id                   = (known after apply)
      + privacy                   = "closed"
      + slug                      = (known after apply)
    }

  # github_team.this["ipdx"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "ipdx.co team members"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "ipdx"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["moderators"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "This team has the Moderators role described in https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-moderators"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "moderators"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["security-managers"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "This team has the Security Manager role described in https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#security-managers"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "security-managers"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team_membership.this["github-mgmt approvers:rjan90"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "rjan90"
    }

  # github_team_membership.this["github-mgmt approvers:stebalien"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Stebalien"
    }

  # github_team_membership.this["github-mgmt approvers:willscott"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "willscott"
    }

  # github_team_membership.this["github-mgmt stewards:smagdali"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = "7326115"
      + username = "smagdali"
    }

  # github_team_membership.this["ipdx:galargh"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "galargh"
    }

  # github_team_membership.this["ipdx:laurentsenta"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "laurentsenta"
    }

  # github_team_membership.this["moderators:arden-sead"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "arden-sead"
    }

  # github_team_membership.this["moderators:dr-bizz"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "dr-bizz"
    }

  # github_team_membership.this["moderators:jmac-sead"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "jmac-sead"
    }

  # github_team_membership.this["moderators:mastrwayne-admin"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "mastrwayne-admin"
    }

  # github_team_membership.this["security-managers:parthshah1"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "parthshah1"
    }

  # github_team_membership.this["security-managers:relotnek"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "relotnek"
    }

  # github_team_membership.this["security-managers:smagdali"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "smagdali"
    }

  # github_team_repository.this["github-mgmt approvers:github-mgmt"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "triage"
      + repository = "github-mgmt"
      + team_id    = (known after apply)
    }

Plan: 18 to add, 13 to change, 8 to destroy.
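
The reviewer's checklist asks that the Terraform plan reflect the summary of the request. One way to check the org-owner part of that mechanically is sketched below, as an added example that is not part of this PR or of the github-mgmt tooling. It assumes the plan text layout shown in the comment above; the function names, the org `example-org` and the users in the sample are constructed for illustration.

```python
"""Cross-check org role changes in Terraform plan text against the changes
a PR description claims. Added example; sample data is constructed."""
import re

# Comment line Terraform prints above every planned resource change.
ANY_HEADER = re.compile(r'^\s*# \w+\.\w+\[')
# Same line, restricted to org-level membership (not team membership).
MEMBERSHIP_HEADER = re.compile(
    r'^\s*# github_membership\.this\["(?P<user>[^"]+)"\] will be ')
# The "role" attribute inside a resource block, with its change marker.
ROLE = re.compile(r'^\s*(?P<op>[~+-]) role\s*= (?P<rest>.+)$')
QUOTED = re.compile(r'"([^"]*)"')


def membership_role_changes(plan_text):
    """Return {login: (old_role, new_role)} for github_membership resources.

    old_role is None for a created membership, new_role is None for a
    destroyed one. Logins are lower-cased because GitHub logins are
    case-insensitive.
    """
    changes = {}
    user = None
    for line in plan_text.splitlines():
        if ANY_HEADER.match(line):
            m = MEMBERSHIP_HEADER.match(line)
            # Leave the membership context when another resource type starts,
            # so team-level "role" lines are never mistaken for org roles.
            user = m.group("user").lower() if m else None
            continue
        if user is None:
            continue
        m = ROLE.match(line)
        if not m:
            continue
        values = QUOTED.findall(m.group("rest"))
        op = m.group("op")
        if op == "~" and len(values) == 2:
            changes[user] = (values[0], values[1])
        elif op == "+" and len(values) == 1:
            changes[user] = (None, values[0])
        elif op == "-" and len(values) == 1:
            changes[user] = (values[0], None)
    return changes


def review_plan(plan_text, expected_admins_added, expected_admins_removed):
    """Compare admin grants/removals in the plan with what the PR text lists."""
    changes = membership_role_changes(plan_text)
    gains = {u for u, (old, new) in changes.items()
             if new == "admin" and old != "admin"}
    losses = {u for u, (old, new) in changes.items()
              if old == "admin" and new != "admin"}
    want_gain = {u.lower() for u in expected_admins_added}
    want_loss = {u.lower() for u in expected_admins_removed}
    return {
        "unexpected_admin_grants": sorted(gains - want_gain),
        "missing_admin_grants": sorted(want_gain - gains),
        "unexpected_admin_removals": sorted(losses - want_loss),
        "missing_admin_removals": sorted(want_loss - losses),
    }


# Constructed plan excerpt in the same layout as the bot comment above.
SAMPLE_PLAN = '''\
  # github_membership.this["alice"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "example-org:alice"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["bob"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "example-org:bob"
      ~ role     = "member" -> "admin"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["dave"] will be created
  + resource "github_membership" "this" {
      + id       = (known after apply)
      + role     = "admin"
      + username = "dave"
    }

  # github_team_membership.this["moderators:carol"] will be created
  + resource "github_team_membership" "this" {
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "carol"
    }
'''

if __name__ == "__main__":
    report = review_plan(SAMPLE_PLAN, ["Bob"], ["alice", "erin"])
    for finding, users in report.items():
        print(f"{finding}: {users}")
```

Any non-empty list in the result is a mismatch between the PR text and the plan that a reviewer should resolve before merge, since the plan is applied as-is.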


BigLep commented Aug 23, 2024

Even before I get the ability to see https://github.com/organizations/filecoin-project/settings/audit-log, I'm still marking this as ready for review to give more time for feedback and comments.

I'm not expecting to have gotten this all right on try one, so the quicker I can get feedback the better for being able to close this out.

@BigLep BigLep marked this pull request as ready for review August 23, 2024 23:09

BigLep commented Aug 23, 2024

Per #47, I have proposed a moderators and security-managers team and included that in the PR. The PR description has been updated to textually describe who has been affected.


BigLep commented Aug 26, 2024

I have org owner access and was able to check the audit log. This hasn't led me to make any suggested changes based on the original recommendation.

How data was collected

Below is the dump from https://github.com/organizations/filecoin-project/settings/audit-log?q=created%3A%3E2024-02-25+action%3Aaccount.*+action%3Abilling.*+action%3Abusiness.*+action%3Aenterprise.*+action%3Aintegration_installation.create+action%3Aorg.*+action%3Apayment_method.*+action%3Ateam.*+-actor%3Afilecoin-project-mgmt-read-write%5Bbot%5D+-actor%3Acustom-gh-runners-by-ipdx-co-filoz%5Bbot%5D using filter created:>2024-02-25 action:account.* action:billing.* action:business.* action:enterprise.* action:integration_installation.create action:org.* action:payment_method.* action:team.* -actor:filecoin-project-mgmt-read-write[bot] -actor:custom-gh-runners-by-ipdx-co-filoz[bot] based on the actions listed in https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-the-action-performed .

I reduced the columns that are displayed and sorted using cat export-filecoin-project-*.csv| csvcut -c actor,action,repo,team,user,integration,@timestamp | csvsort -i -c actor,action,@timestamp | csvlook

Data dump
actor action repo team user integration @timestamp
anorth team.add_member filecoin-project/actors-maintainers masih 1,718,753,487,982
anorth team.destroy filecoin-project/actors-committers 1,718,753,721,829
anorth team.remove_member filecoin-project/actors-committers masih 1,718,753,510,795
anorth team.remove_member filecoin-project/actors-committers mb1896 1,718,753,528,831
anorth team.remove_repository filecoin-project/go-hamt-ipld actors-committers 1,718,753,721,927
anorth team.remove_repository filecoin-project/FIPs actors-committers 1,718,753,721,939
anorth team.remove_repository filecoin-project/go-amt-ipld actors-committers 1,718,753,721,947
anorth team.remove_repository filecoin-project/chain-validation actors-committers 1,718,753,721,954
anorth team.remove_repository filecoin-project/specs-actors actors-committers 1,718,753,721,962
anorth team.remove_repository filecoin-project/go-bitfield actors-committers 1,718,753,721,969
anorth team.remove_repository filecoin-project/go-state-types actors-committers 1,718,753,721,976
anorth team.remove_repository filecoin-project/core-devs actors-committers 1,718,753,721,983
anorth team.remove_repository filecoin-project/ent actors-committers 1,718,753,721,990
anorth team.remove_repository filecoin-project/builtin-actors actors-committers 1,718,753,721,997
aronchick team.destroy filecoin-project/bacalhau-team 1,716,578,310,793
BigLep integration_installation.create BuildPulse 1,721,157,293,557
dkkapur team.remove_member filecoin-project/data-programs xmcai2016 1,710,965,284,387
dkkapur team.remove_member filecoin-project/data-programs simonkim0515 1,710,965,284,520
dkkapur team.remove_member filecoin-project/data-programs raghavrmadya 1,710,965,284,658
dkkapur team.remove_member filecoin-project/data-programs kevzak 1,710,965,284,799
dnkolegov team.remove_member filecoin-project/labbers dnkolegov 1,713,297,080,782
dr-bizz integration_installation.create Fleek CI 1,723,825,373,053
dr-bizz org.add_outside_collaborator filecoin.io 1,714,578,584,397
dzmitrykliapkou org.add_outside_collaborator cmc-circulating-supply-fil-addresses 1,716,452,381,769
Filip-L org.add_outside_collaborator filplus-backend 1,716,210,206,403
filipagr org.add_outside_collaborator on-chain-voting 1,715,019,602,687
galargh org.audit_log_export 1,719,326,865,440
galargh org.create_actions_secret 1,710,266,762,957
galargh org.runner_group_updated 1,710,859,538,599
galargh org.runner_group_updated 1,712,672,731,010
galargh org.runner_group_updated 1,720,167,918,632
galargh org.runner_group_updated 1,722,982,480,367
gstraczek org.add_outside_collaborator filplus-registry 1,717,598,443,773
hexianglinss org.add_outside_collaborator on-chain-voting 1,714,440,203,925
honghaoq org.remove_member honghaoq 1,712,650,186,658
honghaoq team.remove_member filecoin-project/labbers honghaoq 1,712,650,186,990
honghaoq team.remove_member filecoin-project/fvm-team honghaoq 1,712,650,187,093
honghaoq team.remove_member filecoin-project/fvm-web honghaoq 1,712,650,187,195
Huang-Zexiang org.add_outside_collaborator on-chain-voting 1,714,439,397,183
jennijuju org.invite_member arajasek 1,712,965,773,201
jennijuju org.oauth_app_access_approved 1,724,388,750,512
jennijuju org.remove_member ognots 1,712,964,717,060
jennijuju org.remove_member arajasek 1,712,964,759,351
jennijuju team.add_member filecoin-project/actors-committers masih 1,709,203,078,847
jennijuju team.add_member filecoin-project/lotus-maintainers rjan90 1,709,547,211,463
jennijuju team.add_member filecoin-project/lotus-maintainers Kubuxu 1,713,113,881,074
jennijuju team.add_member filecoin-project/lotus-maintainers TippyFlitsUK 1,713,288,046,586
jennijuju team.add_member filecoin-project/actors-maintainers TippyFlitsUK 1,713,288,069,658
jennijuju team.add_member filecoin-project/filoz momack2 1,721,356,302,920
jennijuju team.add_repository filecoin-project/lotus-docs filecoin-project/lotus-contributors 1,710,244,663,400
jennijuju team.add_repository filecoin-project/accessible-hot-copy-storage filecoin-project/filoz 1,721,356,277,203
jennijuju team.add_repository filecoin-project/go-fil-commcid filecoin-project/filoz 1,722,475,557,246
jennijuju team.destroy filecoin-project/lotus-tse 1,710,244,583,079
jennijuju team.destroy filecoin-project/docs-writers 1,710,244,636,175
jennijuju team.remove_member filecoin-project/lotus-maintainers fridrik01 1,709,546,972,810
jennijuju team.remove_member filecoin-project/lotus-contributors Terryhung 1,709,547,109,346
jennijuju team.remove_member filecoin-project/dev-misc ognots 1,712,964,717,368
jennijuju team.remove_member filecoin-project/infra ognots 1,712,964,717,497
jennijuju team.remove_member filecoin-project/proj-mgmt ognots 1,712,964,717,620
jennijuju team.remove_member filecoin-project/sentinel-operators ognots 1,712,964,717,738
jennijuju team.remove_member filecoin-project/lotus-infra-core ognots 1,712,964,717,855
jennijuju team.remove_member filecoin-project/labbers arajasek 1,712,964,759,772
jennijuju team.remove_member filecoin-project/actors-maintainers arajasek 1,712,964,759,905
jennijuju team.remove_member filecoin-project/w3dt-stewards arajasek 1,712,964,760,035
jennijuju team.remove_member filecoin-project/venus arajasek 1,712,964,760,155
jennijuju team.remove_member filecoin-project/lotus-maintainers arajasek 1,712,964,760,266
jennijuju team.remove_member filecoin-project/fvm-team arajasek 1,712,964,760,378
jennijuju team.remove_member filecoin-project/fips-editors arajasek 1,712,964,760,508
jennijuju team.remove_member filecoin-project/fvm-crate-owners arajasek 1,712,964,760,620
jennijuju team.remove_member filecoin-project/fvm-core-devs arajasek 1,712,964,760,736
jennijuju team.remove_member filecoin-project/lotus-contributors arajasek 1,712,964,760,884
jennijuju team.remove_member filecoin-project/fvm-core-devs vmx 1,722,499,748,712
jennijuju team.remove_member filecoin-project/fvm-core-devs fridrik01 1,722,499,748,922
jennijuju team.remove_member filecoin-project/fvm-core-devs aakoshh 1,722,499,749,112
jennijuju team.remove_member filecoin-project/fvm-core-devs magik6k 1,722,499,749,264
jennijuju team.remove_member filecoin-project/fvm-core-devs maciejwitowski 1,722,499,749,430
jennijuju team.remove_member filecoin-project/fvm-core-devs cryptonemo 1,722,499,749,591
jennijuju team.remove_repository filecoin-project/lotus Lotus-TSE 1,710,244,583,154
jennijuju team.remove_repository filecoin-project/lotus-docs Lotus-TSE 1,710,244,583,164
jennijuju team.remove_repository filecoin-project/lotus-dcops Lotus-TSE 1,710,244,583,170
jennijuju team.remove_repository filecoin-project/boost Lotus-TSE 1,710,244,583,175
jennijuju team.remove_repository filecoin-project/testnet-hyperspace Lotus-TSE 1,710,244,583,180
jennijuju team.remove_repository filecoin-project/lotus-docs docs-writers 1,710,244,636,241
jennijuju team.remove_repository filecoin-project/fvm-starter-kit-deal-making docs-writers 1,710,244,636,251
jennijuju team.remove_repository filecoin-project/lotus-infra filecoin-project/actors-maintainers 1,718,627,778,769
jennijuju team.remove_repository filecoin-project/lotus-infra filecoin-project/infra 1,718,627,788,954
jennijuju team.remove_repository filecoin-project/lotus-infra filecoin-project/proofs 1,718,627,811,782
jennijuju team.update_repository_permission filecoin-project/lotus filecoin-project/lotus-contributors jennijuju 1,709,547,124,176
jennijuju team.update_repository_permission filecoin-project/lotus filecoin-project/lotus-contributors jennijuju 1,709,547,575,877
jennijuju team.update_repository_permission filecoin-project/go-jsonrpc filecoin-project/lotus-maintainers jennijuju 1,716,420,971,730
jmac-sead integration_installation.create Datacap Bot 1,719,324,280,393
jmac-sead org.add_member arden-sead 1,714,056,485,415
jmac-sead org.add_member XORS-eng 1,718,899,620,989
jmac-sead org.add_member rk-rishikesh 1,718,900,049,773
jmac-sead org.add_member xBalbinus 1,718,948,801,592
jmac-sead org.invite_member arden-sead 1,714,056,265,764
jmac-sead org.invite_member rk-rishikesh 1,718,899,471,237
jmac-sead org.invite_member XORS-eng 1,718,899,495,349
jmac-sead org.invite_member xBalbinus 1,718,905,778,061
jmac-sead org.update_member arden-sead 1,714,056,510,521
jmac-sead team.add_member filecoin-project/fil-b jmac-sead 1,718,905,540,844
jmac-sead team.add_member filecoin-project/fil-b trruckerfling 1,718,905,557,683
jmac-sead team.add_member filecoin-project/fil-b snissn 1,718,905,613,345
jmac-sead team.add_member filecoin-project/fil-b rk-rishikesh 1,718,905,634,999
jmac-sead team.add_member filecoin-project/fil-b XORS-eng 1,718,905,652,411
jmac-sead team.add_member filecoin-project/fil-b longfeiWan9 1,718,905,678,238
jmac-sead team.add_member filecoin-project/fil-b xBalbinus 1,718,948,802,028
jmac-sead team.add_repository filecoin-project/fevm-hardhat-kit filecoin-project/fil-b 1,721,751,254,241
jmac-sead team.add_repository filecoin-project/raas-starter-kit filecoin-project/fil-b 1,721,751,281,517
jmac-sead team.add_repository filecoin-project/state-storage-starter-kit filecoin-project/fil-b 1,721,751,309,212
jmac-sead team.add_repository filecoin-project/fvm-starter-kit-deal-making filecoin-project/fil-b 1,721,751,335,390
jmac-sead team.add_repository filecoin-project/fevm-foundry-kit filecoin-project/fil-b 1,721,751,359,347
jmac-sead team.create filecoin-project/fil-b jmac-sead 1,718,905,540,729
jmac-sead team.promote_maintainer filecoin-project/fil-b trruckerfling 1,718,905,580,901
jmac-sead team.remove_member filecoin-project/fil-b jmac-sead 1,718,905,710,448
jochasinga org.add_outside_collaborator filecoin-docs 1,715,702,372,541
kacperzuk-neti org.add_outside_collaborator filplus-backend 1,715,792,248,821
kkarrancsu org.add_outside_collaborator builtin-actors 1,719,269,029,175
LexLuthr team.add_member filecoin-project/boost magik6k 1,709,826,709,000
LexLuthr team.add_member filecoin-project/boost snadrus 1,709,826,726,539
LexLuthr team.add_member filecoin-project/boost Reiers 1,709,827,359,367
LexLuthr team.update_repository_permission filecoin-project/boost-gfm filecoin-project/boost LexLuthr 1,709,826,977,108
LexLuthr team.update_repository_permission filecoin-project/boost-graphsync filecoin-project/boost LexLuthr 1,709,826,980,380
LexLuthr team.update_repository_permission filecoin-project/lid-benchmarks filecoin-project/boost LexLuthr 1,709,826,986,358
LexLuthr team.update_repository_permission filecoin-project/boost-gfm filecoin-project/boost LexLuthr 1,709,827,005,079
LexLuthr team.update_repository_permission filecoin-project/boost-graphsync filecoin-project/boost LexLuthr 1,709,827,007,159
LexLuthr team.update_repository_permission filecoin-project/lid-benchmarks filecoin-project/boost LexLuthr 1,709,827,583,851
liuzeming1 org.add_outside_collaborator on-chain-voting 1,715,132,158,742
lukasz-wal org.add_outside_collaborator filplus-ssa-bot 1,719,236,757,434
magik6k team.add_member filecoin-project/curio magik6k 1,716,545,989,714
magik6k team.add_member filecoin-project/curio Reiers 1,716,546,026,883
magik6k team.add_member filecoin-project/curio snadrus 1,716,546,073,018
magik6k team.add_member filecoin-project/curio LexLuthr 1,716,546,098,005
magik6k team.add_repository filecoin-project/curio filecoin-project/curio 1,716,546,203,642
magik6k team.create filecoin-project/curio magik6k 1,716,545,989,457
magik6k team.promote_maintainer filecoin-project/curio magik6k 1,716,545,989,970
magik6k team.promote_maintainer filecoin-project/curio snadrus 1,716,546,160,634
magik6k team.update_repository_permission filecoin-project/curio filecoin-project/curio magik6k 1,716,546,222,313
masih team.add_repository filecoin-project/f3-passive-testing filecoin-project/filoz 1,720,090,124,923
mastrwayne-admin account.plan_change 1,717,763,631,641
mastrwayne-admin org.add_member jmac-sead 1,709,326,687,018
mastrwayne-admin org.add_member dr-bizz 1,717,764,276,074
mastrwayne-admin org.add_member YuliiaFilecoin 1,718,131,807,219
mastrwayne-admin org.cancel_invitation dr-bizz 1,717,763,622,777
mastrwayne-admin org.invite_member jmac-sead 1,709,325,648,469
mastrwayne-admin org.invite_member dr-bizz 1,716,381,951,486
mastrwayne-admin org.invite_member dr-bizz 1,717,763,623,429
mastrwayne-admin org.invite_member YuliiaFilecoin 1,718,129,118,860
mastrwayne-admin org.remove_member andyschwab-admin 1,714,403,384,791
mastrwayne-admin org.update_member vesahc 1,709,916,175,279
mastrwayne-admin org.update_member smagdali 1,711,457,392,214
mastrwayne-admin payment_method.update 1,710,265,032,884
meandavejustice org.add_outside_collaborator filsnap 1,709,053,970,896
momack2 team.add_member filecoin-project/website protocolin 1,712,808,324,241
momack2 team.remove_repository filecoin-project/filecoin.io filecoin-project/infra 1,712,807,992,943
momack2 team.remove_repository filecoin-project/filecoin.io filecoin-project/product-biz 1,712,808,351,881
momack2 team.update_repository_permission filecoin-project/filecoin.io filecoin-project/labbers momack2 1,712,808,194,248
momack2 team.update_repository_permission alanshaw/website-new filecoin-project/labbers momack2 1,712,808,194,733
momack2 team.update_repository_permission dkkapur/website-new filecoin-project/labbers momack2 1,712,808,194,796
momack2 team.update_repository_permission olizilla/website-new filecoin-project/labbers momack2 1,712,808,194,856
momack2 team.update_repository_permission davidd8/website-new filecoin-project/labbers momack2 1,712,808,194,916
mor9x00 org.add_outside_collaborator on-chain-voting 1,715,150,063,289
NemanjaLu92 org.add_outside_collaborator builtin-actors 1,718,788,277,969
raulk team.remove_member filecoin-project/fips-editors raulk 1,710,438,045,783
rvagg org.oauth_app_access_requested 1,724,388,498,720
Schwartz10 org.add_outside_collaborator go-crypto 1,713,917,349,697
SgtCoin org.remove_member SgtCoin 1,710,038,817,019
SgtCoin team.remove_member filecoin-project/collab-ff-seo-ux SgtCoin 1,710,038,692,060
SgtCoin team.remove_member filecoin-project/docs-storage-provider SgtCoin 1,710,038,705,047
smagdali org.add_member jochasinga 1,721,934,526,908
smagdali org.add_member robertagora 1,723,749,254,241
smagdali org.cancel_invitation robertagora 1,721,931,606,580
smagdali org.cancel_invitation robertagora 1,723,749,236,666
smagdali org.invite_member robertagora 1,721,931,607,225
smagdali org.invite_member jochasinga 1,721,932,353,333
smagdali org.invite_member robertagora 1,723,749,237,253
snadrus team.add_repository filecoin-project/apt filecoin-project/curio 1,718,136,084,142
starboard-devops org.add_outside_collaborator lily 1,709,085,684,123
Stebalien org.block_user 1,724,693,626,425
Stebalien team.add_member filecoin-project/lotus-maintainers rvagg 1,712,185,153,684
Stebalien team.add_member filecoin-project/lotus-maintainers masih 1,712,185,177,935
Stebalien team.add_repository filecoin-project/go-clock filecoin-project/lotus-maintainers 1,720,947,978,529
tancehao org.add_outside_collaborator lily 1,712,111,863,823
TippyFlitsUK team.add_member filecoin-project/filoz TippyFlitsUK 1,713,286,495,408
TippyFlitsUK team.add_member filecoin-project/filoz jennijuju 1,713,286,802,111
TippyFlitsUK team.add_member filecoin-project/filoz masih 1,713,286,819,580
TippyFlitsUK team.add_member filecoin-project/filoz Stebalien 1,713,286,842,636
TippyFlitsUK team.add_member filecoin-project/filoz rjan90 1,713,286,858,112
TippyFlitsUK team.add_member filecoin-project/filoz ZenGround0 1,713,286,891,437
TippyFlitsUK team.add_member filecoin-project/filoz aarshkshah1992 1,713,286,911,898
TippyFlitsUK team.add_member filecoin-project/filoz Kubuxu 1,713,286,929,005
TippyFlitsUK team.add_member filecoin-project/filoz rvagg 1,713,286,946,196
TippyFlitsUK team.add_member filecoin-project/filoz anorth 1,713,286,956,103
TippyFlitsUK team.add_member filecoin-project/filoz irenegia 1,713,287,043,495
TippyFlitsUK team.add_member filecoin-project/filoz lucaniz 1,713,287,061,476
TippyFlitsUK team.add_member filecoin-project/filoz nicola 1,713,287,081,161
TippyFlitsUK team.create filecoin-project/filoz TippyFlitsUK 1,713,286,495,264
TippyFlitsUK team.promote_maintainer filecoin-project/filoz TippyFlitsUK 1,713,286,495,500
tplocic20 org.add_outside_collaborator filplus-registry 1,721,375,091,914
vesahc account.plan_change 1,708,934,401,582
vesahc org.invite_member robertagora 1,708,969,187,306
web3jenks org.remove_member web3jenks 1,723,182,586,510
web3jenks team.remove_member filecoin-project/advocates web3jenks 1,723,182,586,932
willpan1102 org.add_outside_collaborator on-chain-voting 1,714,395,275,023
ychiaoli18 org.remove_member ychiaoli18 1,709,443,319,222
ychiaoli18 team.remove_member filecoin-project/fvm-core-devs ychiaoli18 1,709,443,319,592
ychiaoli18 team.remove_member filecoin-project/lotus-contributors ychiaoli18 1,709,443,319,698
ygy-1231 org.add_outside_collaborator on-chain-voting 1,723,514,279,109
yukixu007 org.add_outside_collaborator on-chain-voting 1,715,131,371,784
org.remove_outside_collaborator huseyincansoylu 1,721,156,482,953

CODEOWNERS (outdated)
@Stebalien
Member

Is there any way to make this into a two-key system? I.e.:

  1. Require two approvals from code owners to merge changes to this repo. Ideally we'd only require one approval if the submitter is also a code owner, but I'm not sure how easy this is.
  2. Add more code owners (i.e., not just two).

That way we have no single point of failure?

@@ -1,2 +1,6 @@
# The ipdx team is responsible for GitHub Management maintenance (at least through 2024)
* @filecoin-project/ipdx
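
Review bot: on the `* @filecoin-project/ipdx` line, the catch-all pattern only yields a required reviewer if the team exists, is visible, and has explicit write access to this repository; otherwise GitHub reports the line as an error. Confirm the team's permission before relying on "Require review from Code Owners". Because the last matching pattern in CODEOWNERS wins, repeat the team on any path-specific rule added below this line if ipdx should still review those paths. The "(at least through 2024)" in the comment is a time limit that nothing enforces, so a dated follow-up issue would make the handover explicit.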
Member

But do they need immediate write access to this repo? IMO, any changes should go through our team (I'm mostly concerned about them already being a massive target).

Contributor

Not really, that only comes in handy when we have to resolve some issue with the project setup, but we can deal with that on a case-by-case basis.

Member Author

@Stebalien:

> But do they need immediate write access to this repo?

To be clear, this isn't giving them permission (see discussion about the role of codeowners in this repo here).

The whole of this file is effectively saying that ipdx is needed for any changes made outside https://github.com/filecoin-project/github-mgmt/blob/master/github/filecoin-project.yml . I think that is good. If anyone is making github-mgmt setup changes (which happens in the directories outside of filecoin-project/github-mgmt/github), then they should be engaged.

(No further action planned by here, but feedback/ideas welcome.)

> I'm mostly concerned about them already being a massive target

Fair. To be clear on this, the ipdx team as a whole doesn't have write access to this repo or any other I don't think. @galargh individually is an org owner/admin and part of github-mgmt-stewards (according to this proposed PR), so I agree he's a big target (as are the other couple of owners - which is why I'm trying to limit that set of people).

Potential action: remove @galargh from being an org owner or github-mgmt steward and replace him with someone else. I didn't opt for that in this proposal/PR because I think the risk of his account being compromised is outweighed by if crap-hits-the-fan that we have someone observant, skilled, and knowledgeable with github tools take action. I'm happy to change course though.

@galargh
Contributor

galargh commented Aug 27, 2024

> Is there any way to make this into a two-key system? I.e.:
>
>   1. Require two approvals from code owners to merge changes to this repo. Ideally we'd only require one approval if the submitter is also a code owner, but I'm not sure how easy this is.
>   2. Add more code owners (i.e., not just two).
>
> That way we have no single point of failure?

It would be the easiest to just require 2 approvals - it's as easy as changing a setting in branch protection rules. We can also require reviews from CODEOWNERS.

@smagdali
Member

I'm good with my personal permissions being reduced, but I think it still makes sense for someone from the Foundation to be an owner? I'll defer to @relotnek , but we should probably also include Baldy in the security-managers.

@BigLep
Member Author

BigLep commented Aug 27, 2024

I'll work on responding to the feedback in approximately an hour.

@galargh: what do we need to do so that branch protection rules show up in github-mgmt? If we make any adjustments to number of approvals, I'd like to ideally have a log/review of that.

@smagdali
Member

can we add @relotnek and @parthshah1 to this discussion?

@BigLep
Member Author

BigLep commented Aug 27, 2024

@Stebalien: responding to comments above...

Role of CODEOWNERS in this repo

I know you weren't asking about this, but to be clear, the reason we have a CODEOWNERS in this repo is so those folks get added to all PRs in the repo as required reviewers. This serves two purposes:

  1. Notify the CODEOWNERS automatically
  2. Enforcement via branch protection rule to ensure we get an approval from a CODEOWNER.

(I didn't realize we didn't have "Require review from Code Owners" enabled for this repo. I have enabled it manually through the UI since this isn't showing up in github-mgmt currently. I put a screenshot below of the branch protection rule UI for master now after my change.)

> Add more code owners (i.e., not just two).

The current CODEOWNERS has two teams (github-mgmt-stewards and ipdx) which both have multiple people behind them. Are you worried we only have two teams, or that we don't have enough people behind those teams?

> Ideally we'd only require one approval if the submitter is also a code owner, but I'm not sure how easy this is.

There unfortunately isn't an out-of-the-box way to require 2 approvals by default, but only 1 if the author is a CODEOWNER. There are various threads about this online, but I think https://github.com/orgs/community/discussions/84831 most succinctly describes the issue. It also outlines potential steps one could take to build more smarts with GitHub Actions.

> Require two approvals from code owners to merge changes to this repo.

Given the limitation above, I'm wary of requiring two approvals until we create the smarter approval/enforcement flow.

Another option would be to create a new team: github-mgmt-reviewers . This group could have non-write/push access and thus we'd be more comfortable adding more people to it (e.g., more folks from FF, FilOz, ChainSafe, SEAD) and then increase the number of approvers to two. Merging would still be restricted to the github-mgmt-stewards group, who is expected to have good judgement and be versed in the tool.


I'm happy to create (and action) backlog items for the ideas above. I'm thinking not to block this PR on them though since this isn't a one-way door, and we can also observe in practice how important these extra/smarter approval levels are. (Devil's advocate: wait-and-see may not be smart as you may have already had a major event/compromise.)


github.com_filecoin-project_github-mgmt_settings_branch_protection_rules_33884610
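
The "smart" approval rule discussed in the comment above (two code-owner approvals by default, one when the author is already a code owner), sketched as the decision a CI check would make. This is an added example, not code from this PR or from github-mgmt; the `Review` type, its `seq` field, the function names and the sample logins are assumptions made for illustration.

```python
from dataclasses import dataclass

# Review states from GitHub's pull request reviews API. COMMENTED is not
# decisive: it never replaces a reviewer's earlier approval or objection.
DECISIVE = {"APPROVED", "CHANGES_REQUESTED", "DISMISSED"}


@dataclass(frozen=True)
class Review:
    user: str
    state: str
    seq: int  # submission order (assumption; the API exposes submitted_at)


def effective_states(reviews):
    """Map each reviewer to their most recent decisive review state."""
    latest = {}
    for review in sorted(reviews, key=lambda r: r.seq):
        if review.state in DECISIVE:
            latest[review.user.lower()] = review.state
    return latest


def merge_allowed(author, reviews, code_owners):
    """Two code-owner approvals, or one when the author is a code owner.

    code_owners is the set of logins behind the CODEOWNERS teams, assumed to
    be resolved already. Returns (allowed, reason).
    """
    owners = {login.lower() for login in code_owners}
    author = author.lower()
    states = effective_states(reviews)

    # An unresolved objection from any code owner blocks the merge outright.
    blockers = sorted(u for u, s in states.items()
                      if s == "CHANGES_REQUESTED" and u in owners)
    if blockers:
        return False, "changes requested by " + ", ".join(blockers)

    # Only code owners hold a key, and self-approval never counts as one.
    approvers = sorted(u for u, s in states.items()
                       if s == "APPROVED" and u in owners and u != author)
    required = 1 if author in owners else 2
    if len(approvers) < required:
        return False, f"{len(approvers)}/{required} code-owner approvals"
    return True, "approved by " + ", ".join(approvers)


# Constructed sample data: these logins and reviews are made up.
OWNERS = {"alice", "bob", "carol"}
CASES = {
    "non-owner author, one key": ("dave", [Review("alice", "APPROVED", 1)]),
    "non-owner author, two keys": ("dave", [Review("alice", "APPROVED", 1),
                                            Review("bob", "APPROVED", 2)]),
    "owner author, one key": ("alice", [Review("bob", "APPROVED", 1)]),
    "approval later withdrawn": ("alice", [Review("bob", "APPROVED", 1),
                                           Review("bob", "CHANGES_REQUESTED", 2)]),
}

if __name__ == "__main__":
    for name, (author, reviews) in CASES.items():
        print(f"{name}: {merge_allowed(author, reviews, OWNERS)}")
```

A check like this only enforces anything if it is itself a required status check on the protected branch and its workflow file falls under the same code-owner review.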

@BigLep
Member Author

BigLep commented Aug 27, 2024

@smagdali:

> I think it still makes sense for someone from the Foundation to be an owner.

Ok, I'm personally not hard-opposed, but what value add do you see here vs. the few people that are now proposed? With the proposal here, we've got a few people who will see notifications and can bypass this whole github-mgmt system if necessary. As part of github-mgmt stewards, you can also escalate your permissions to an owner if needed.

Anyways, if you still think it's good for FF to have direct owner representation, let me know. I assume I should just add you back.

> we should probably also include Baldy in the security-managers

Sure. I don't know their login though. Do you want to add a github suggestion so I can commit it (or put it here)? (I won't plan on blocking the merge for this though - you/they/we can always do a followup with it.)

> can we add @relotnek and @parthshah1 to this discussion?

Sure. This PR is public. They can comment at will, and they were @mentioned in the original PR description, so should have been receiving notifications.

@BigLep BigLep requested a review from a team as a code owner August 27, 2024 19:23
@BigLep
Member Author

BigLep commented Aug 27, 2024

> @galargh: what do we need to do so that branch protection rules show up in github-mgmt? If we make any adjustments to number of approvals, I'd like to ideally have a log/review of that.

It looks like they're ignored resources as defined in https://github.com/filecoin-project/github-mgmt/blob/master/terraform/resources_override.tf . I think we should do a separate PR after this with any additional resources we want to synchronize as this will bring in a lot of changes. From this PR, two things I wish had been accessible via github-mgmt were repo branch protection rules and team visibility.

@BigLep
Member Author

BigLep commented Aug 27, 2024

2024-08-27 status:

  • I've responded to all comments at this point.
  • No hard-nos or major-changes suggested but also no approvals yet either.
  • If approvals come in today or tomorrow (2024-08-28), I'll plan on merging 2024-08-28. Otherwise I'll work through any new feedback that comes in and seek approvers.

@BigLep BigLep mentioned this pull request Aug 28, 2024
4 tasks
@galargh
Contributor

galargh commented Aug 28, 2024

> I'll work on responding to the feedback in approximately an hour.
>
> @galargh: what do we need to do so that branch protection rules show up in github-mgmt? If we make any adjustments to number of approvals, I'd like to ideally have a log/review of that.

https://github.com/filecoin-project/github-mgmt/blob/master/docs/HOWTOS.md#start-managing-new-resource-type-with-github-management

The resource is github_branch_protection. And you can manage which properties of the resource are ignored via - https://github.com/filecoin-project/github-mgmt/blob/master/terraform/resources_override.tf#L30

BigLep added 3 commits August 28, 2024 12:01
Made Magik owner
Extended BigLep owner's term
Added willscott as github-mgmt-steward
@anorth
Copy link
Member

anorth commented Aug 28, 2024

The intentions etc all seem fine to me. I still see GitHub complaining about the reference to filecoin-project/ipdx, which doesn't exist. I assume this is ok because after this PR merges the team will exist.

For reference:
Screenshot 2024-08-29 at 7 41 17 AM

@BigLep
Member Author

BigLep commented Aug 28, 2024

2024-08-28 update: I have pushed some commits that have done the following:

  1. Broaden and diversify the org ownership a bit more. This was done by:
  1. Created a github-mgmt-approvers team with:
  • @rjan90
  • @Stebalien
  • @willscott
    This team has triage permission to the repo and are also CODEOWNERS. This helps widen the net of people who will get automatically notified about changes and can give approval.

The rationale for these people is in the PR.

The main item that isn't fully addressed here is increasing the reviewer/approval required approvers to 2 approvers (ideally with smart branch protection to only require 1 reviewer if the author is also a CODEOWNER). This topic was covered more in comment above. I have a backlog item to get the "smart" branch protection in place before increasing the number of approvers: #65

In terms of next steps:

  1. Give more time for this to be reviewed and collect feedback
  2. Merge this next week, Wednesday, 2024-09-04, if no major feedback (and assuming get approval)
  3. Tackle Require 2 approvals with "smart" branch protection #65

I believe I have updated the issue description accordingly as well.

@BigLep
Member Author

BigLep commented Aug 28, 2024

> I still see GitHub complaining about the reference to filecoin-project/ipdx, which doesn't exist. I assume this is ok because after this PR merges the team will exist

Yeah, that's right @anorth . Thanks for reviewing. I also pushed some additional changes per #61 (comment)

@willscott

I'm okay being a github-mgmt reviewer for this org

@relotnek
Contributor

> I'm good with my personal permissions being reduced, but I think it still makes sense for someone from the Foundation to be an owner? I'll defer to @relotnek , but we should probably also include Baldy in the security-managers.

At a minimum we should have Baldy for operational management / billing related items, and I think it would be good to note who else is performing those duties within the org

@jennijuju
Member

> At a minimum we should have Baldy for operational management / billing related items, and I think it would be good to note who else is performing those duties within the org

IIUC this integration is more about org repo perm management, less about billing like admin operations and so on. If you can provide a description of Baldy like BigLep did in his PR, we may evaluate it then.

@jennijuju
Member

Further changes can be proposed via new PRs

@jennijuju jennijuju merged commit 4020273 into master Aug 30, 2024
6 checks passed
@BigLep
Member Author

BigLep commented Sep 5, 2024

This got merged while I was out. No objections from me. It does mean that I didn't get to #65 beforehand. I have that on my personal backlog. At this point, I'm going to wait and see how much we wish we had this over the next month before spending time on it. Please flag if you think we need it sooner.

I'll now turn to the followup tasks in #47

Projects
Status: ☑️ Done (Archive)