Reduce admin access to openedx repos

[nedbat]

From Ed Zarecor:

A topic for our open source process group.

We regularly get requests from 2U teams for admin access to repositories. That level of access is problematic. For example, it allows folks to change who has access to a repo, or delete it.

Axim is on the hook for ensuring the CLA is enforced, so this represents risk for us.

I'd like to have a brief statement that we'll share when such requests are made. Here's my proposal:

https://docs.google.com/document/d/1mwDJ-F51s9KqY6ssifBBN9hbpRj-eXvDtphUNQqiULc/edit

In auditing current admin access I was surprised by how many 2U folks have it. 90 folks have admin on at least one repository.

Previously we had discussed the need for BOM to retain access for routine maintenance and emergencies. What would prevent us from reducing admin access to just the BOM teams immediately?

For non emergency changes, we would continue to use issues in the Axim Engineering project.

Looking forward to discussing.

[nedbat]

Just for clarity: "BOM teams" means arch-bom, arbi-bom and fed-bom?

[robrap]

On a related note, as a member of arch-bom, I had to work across a variety of repos and could not merge in at least two repos due to the following issues:

• feat: remove JWT_AUTH_REFRESH_COOKIE depr190 openedx/edx-notes-api#350
  • Required approval from openedx/content-aurora
• feat: remove JWT_AUTH_REFRESH_COOKIE depr190 openedx/enterprise-access#294
  • The base branch restricts merging to authorized users.

What are the resolutions for this?