Cleanup permissions for shipyard maintained repos #211

Merged (26 commits) on Nov 5, 2024

aschmahmann
Contributor

Summary

This is a general cleanup of permissions across a number of repos that Shipyard maintains; it also adds a shipyard team. The general forms of the changes look like:

  • Remove individuals in exchange for teams
  • Replace w3dt-stewards access with shipyard access (generally with shipyard having maintain rather than admin unless the repo already had lots of individually added admins, although even there we could probably reduce permissions more)
  • Removed the github-mgmt stewards group's pull permissions since those don't seem necessary (pull generally seems not that useful in public repos, and there's nothing special for the github-mgmt stewards to need there that they won't have elsewhere via org permissions)
  • Reduced some users' permissions who haven't made commits in a while (but happy to restore if they're interested)

Why do you need this?

Overall the number of admins in these repos seems much higher than necessary, especially given the ability to escalate via github-mgmt if needed. For repos shipyard maintains I'd like permissions scoped down where possible. This seems like the easiest cleanup although I wouldn't be surprised if we want to shrink permissions more and/or look at more repos than just the ones I've covered here.

What else do we need to know?

TODO: tag people with permission reductions once CI generates the list

DRI: myself

Reviewer's Checklist

  • It is clear where the request is coming from (if unsure, ask)
  • All the automated checks passed
  • The YAML changes reflect the summary of the request
  • The Terraform plan posted as a comment reflects the summary of the request

aschmahmann requested review from a team as code owners on August 20, 2024 18:43
Contributor

github-actions bot commented Aug 20, 2024

The following access changes will be introduced as a result of applying the plan:

Access Changes
User 2color:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
User aarshkshah1992:
  - will have the permission to boxo change from maintain to push
User achingbrain:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to service-worker-gateway change from pull to admin
  - will have the permission to someguy change from admin to maintain
User adlrocha:
  - will have the permission to boxo change from maintain to push
User alanshaw:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User anorth:
  - will have the permission to boxo change from maintain to push
User arajasek:
  - will lose admin permission to boxo
  - will lose admin permission to kubo
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User aschmahmann:
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-cli change from pull to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-http-gateway change from pull to maintain
  - will have the permission to helia-remote-pinning change from pull to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
User daviddias:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User dennis-tra:
  - will lose push permission to kubo
User dignifiedquire:
  - will have the permission to boxo change from maintain to push
User dirkmc:
  - will have the permission to boxo change from maintain to push
User frrist:
  - will have the permission to boxo change from maintain to push
User galargh:
  - will lose admin permission to kubo
  - will lose admin permission to rainbow
User gammazero:
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
  - will gain maintain permission to helia-cli
  - will gain maintain permission to helia-http-gateway
  - will gain maintain permission to helia-remote-pinning
  - will gain admin permission to service-worker-gateway
User gmasgras:
  - will have the permission to boxo change from maintain to push
User guillaumemichel:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
  - will gain maintain permission to helia-cli
  - will gain maintain permission to helia-http-gateway
  - will gain maintain permission to helia-remote-pinning
  - will gain admin permission to service-worker-gateway
User guseggert:
  - will have the permission to boxo change from maintain to push
User hacdias:
  - will have the permission to boxo change from maintain to push
User hannahhoward:
  - will have the permission to boxo change from maintain to push
User hsanjuan:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User iand:
  - will have the permission to boxo change from maintain to push
User ischasny:
  - will have the permission to boxo change from maintain to push
User jacobheun:
  - will have the permission to boxo change from maintain to push
User jbenet:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User jorropo:
  - will have the permission to boxo change from admin to push
  - will lose admin permission to helia
  - will lose admin permission to helia-delegated-routing-v1-http-api
  - will lose admin permission to helia-verified-fetch
  - will lose admin permission to ipfs-check
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User kubuxu:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User laurentsenta:
  - will lose admin permission to kubo
  - will lose admin permission to rainbow
User lidel:
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-cli change from push to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-http-gateway change from pull to maintain
  - will have the permission to helia-remote-pinning change from pull to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
User magik6k:
  - will have the permission to boxo change from maintain to push
User marcopolo:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
  - will gain maintain permission to helia-cli
  - will gain maintain permission to helia-http-gateway
  - will gain maintain permission to helia-remote-pinning
User marten-seemann:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User masih:
  - will have the permission to boxo change from maintain to push
User mishmosh:
  - will lose pull permission to boxo
  - will lose pull permission to helia
  - will lose pull permission to helia-cli
  - will lose pull permission to helia-delegated-routing-v1-http-api
  - will lose pull permission to helia-http-gateway
  - will lose pull permission to helia-remote-pinning
  - will lose pull permission to helia-verified-fetch
  - will lose pull permission to rainbow
  - will lose pull permission to service-worker-gateway
  - will lose pull permission to someguy
User momack2:
  - will lose admin permission to boxo
  - will have the permission to kubo change from admin to pull
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User olizilla:
  - will lose admin permission to boxo
  - will have the permission to kubo change from admin to pull
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User petar:
  - will have the permission to boxo change from maintain to push
User raulk:
  - will have the permission to boxo change from maintain to push
User ribasushi:
  - will have the permission to boxo change from maintain to push
User rvagg:
  - will have the permission to boxo change from maintain to push
User sgtpooki:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
User stebalien:
  - will have the permission to boxo change from admin to push
  - will lose pull permission to helia
  - will lose pull permission to helia-cli
  - will lose pull permission to helia-delegated-routing-v1-http-api
  - will lose pull permission to helia-http-gateway
  - will lose pull permission to helia-remote-pinning
  - will lose pull permission to helia-verified-fetch
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose pull permission to service-worker-gateway
  - will lose admin permission to someguy
User travisperson:
  - will have the permission to boxo change from maintain to push
User vyzo:
  - will have the permission to boxo change from maintain to push
User warpfork:
  - will have the permission to boxo change from maintain to push
User whizzzkid:
  - will lose admin permission to helia
  - will lose admin permission to helia-cli
  - will lose admin permission to helia-delegated-routing-v1-http-api
  - will lose admin permission to helia-http-gateway
  - will lose admin permission to helia-remote-pinning
  - will lose admin permission to helia-verified-fetch
  - will lose pull permission to service-worker-gateway
User whyrusleeping:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User willscott:
  - will have the permission to boxo change from maintain to push
  - will lose pull permission to helia
  - will lose pull permission to helia-cli
  - will lose pull permission to helia-delegated-routing-v1-http-api
  - will lose pull permission to helia-http-gateway
  - will lose pull permission to helia-remote-pinning
  - will lose pull permission to helia-verified-fetch
  - will lose pull permission to rainbow
  - will lose pull permission to service-worker-gateway
  - will lose pull permission to someguy
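
A reviewer checking that the changes "reflect the summary of the request" can separate grants from reductions mechanically. The following is an added example, not part of the PR or of the github-mgmt tooling: it parses the three line shapes seen in the access-changes comment above and returns every entry whose new level outranks the old one. The role ordering is GitHub's built-in one (pull, triage, push, maintain, admin); the sample text is an excerpt of that comment, and the function names are assumptions made for this example.

```python
import re

# GitHub's built-in repository roles, least to most privileged.
# "none" stands for the missing side of a "gain" or "lose" line.
LEVELS = ("none", "pull", "triage", "push", "maintain", "admin")
RANK = {name: i for i, name in enumerate(LEVELS)}

USER_RE = re.compile(r"User (?P<user>\S+):")
CHANGE_RE = re.compile(
    r"- will have the permission to (?P<repo>\S+) "
    r"change from (?P<old>\w+) to (?P<new>\w+)"
)
GAIN_RE = re.compile(r"- will gain (?P<new>\w+) permission to (?P<repo>\S+)")
LOSE_RE = re.compile(r"- will lose (?P<old>\w+) permission to (?P<repo>\S+)")

# Excerpt of the bot comment above (lines copied from the page).
SAMPLE = """\
Access Changes
User achingbrain:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to service-worker-gateway change from pull to admin
User gammazero:
  - will have the permission to helia change from admin to maintain
  - will gain maintain permission to helia-cli
  - will gain admin permission to service-worker-gateway
User dennis-tra:
  - will lose push permission to kubo
"""


def parse_access_changes(text):
    """Return a list of (user, repo, old_level, new_level) tuples.

    Fails closed: an entry line that matches none of the known shapes, or
    that names an unknown level, raises instead of being skipped, so a
    format change cannot silently hide a grant from the review.
    """
    changes, user = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = USER_RE.fullmatch(line)
        if m:
            user = m["user"]
            continue
        if not line.startswith("- "):
            continue  # headings such as "Access Changes"
        for pattern in (CHANGE_RE, GAIN_RE, LOSE_RE):
            m = pattern.fullmatch(line)
            if m:
                break
        else:
            raise ValueError(f"line {number}: unrecognised entry: {line!r}")
        if user is None:
            raise ValueError(f"line {number}: entry before any 'User' line")
        fields = m.groupdict()
        old = fields.get("old", "none")  # absent on "gain" lines
        new = fields.get("new", "none")  # absent on "lose" lines
        for level in (old, new):
            if level not in RANK:
                raise ValueError(f"line {number}: unknown level {level!r}")
        changes.append((user, fields["repo"], old, new))
    return changes


def escalations(changes):
    """Entries where the resulting level is higher than the previous one."""
    return sorted(c for c in changes if RANK[c[3]] > RANK[c[2]])


def new_admins(changes):
    """(user, repo) pairs that end up with admin and did not have it before."""
    return [(u, r) for u, r, _old, new in escalations(changes) if new == "admin"]


if __name__ == "__main__":
    parsed = parse_access_changes(SAMPLE)
    for user, repo, old, new in escalations(parsed):
        print(f"ESCALATION {user:12} {repo:24} {old} -> {new}")
```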

Contributor

github-actions bot commented Aug 20, 2024

Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.

Terraform plans

ipfs

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # github_branch_protection.this["kubo:bifrost-*"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMjEwNDk3MDM="
      ~ push_restrictions               = [
          - "/aschmahmann",
          - "/gmasgras",
          - "/thattommyhall",
          + "ipfs/kubo-maintainers",
        ]
        # (10 unchanged attributes hidden)
    }

  # github_branch_protection.this["kubo:feat/stabilize-dht"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTUwNDUxNjk="
      ~ push_restrictions               = [
          - "/aschmahmann",
          - "/gmasgras",
          + "ipfs/kubo-maintainers",
        ]
        # (10 unchanged attributes hidden)
    }

  # github_branch_protection.this["kubo:master"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMjI5MDgxMA=="
      ~ push_restrictions               = [
          + "ipfs/kubo-maintainers",
        ]
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # github_branch_protection.this["kubo:release"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlNjU3MzY4"
      ~ push_restrictions               = [
          - "/Jorropo",
          - "/Stebalien",
          - "/aschmahmann",
          - "/hacdias",
          - "/whyrusleeping",
        ]
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # github_branch_protection.this["kubo:release-*"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTU2NzQyNTc="
      ~ push_restrictions               = [
          - "/Stebalien",
          - "/aschmahmann",
          - "/hsanjuan",
          - "/whyrusleeping",
        ]
        # (10 unchanged attributes hidden)
    }

  # github_repository_collaborator.this["helia-cli:achingbrain"] will be destroyed
  # (because key ["helia-cli:achingbrain"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-cli:achingbrain" -> null
      - permission = "admin" -> null
      - repository = "helia-cli" -> null
      - username   = "achingbrain" -> null
    }

  # github_repository_collaborator.this["helia-delegated-routing-v1-http-api:achingbrain"] will be destroyed
  # (because key ["helia-delegated-routing-v1-http-api:achingbrain"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-delegated-routing-v1-http-api:achingbrain" -> null
      - permission = "admin" -> null
      - repository = "helia-delegated-routing-v1-http-api" -> null
      - username   = "achingbrain" -> null
    }

  # github_repository_collaborator.this["helia-http-gateway:sgtpooki"] will be destroyed
  # (because key ["helia-http-gateway:sgtpooki"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-http-gateway:SgtPooki" -> null
      - permission = "admin" -> null
      - repository = "helia-http-gateway" -> null
      - username   = "SgtPooki" -> null
    }

  # github_repository_collaborator.this["helia-http-gateway:whizzzkid"] will be destroyed
  # (because key ["helia-http-gateway:whizzzkid"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-http-gateway:whizzzkid" -> null
      - permission = "admin" -> null
      - repository = "helia-http-gateway" -> null
      - username   = "whizzzkid" -> null
    }

  # github_repository_collaborator.this["helia-remote-pinning:sgtpooki"] will be destroyed
  # (because key ["helia-remote-pinning:sgtpooki"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-remote-pinning:SgtPooki" -> null
      - permission = "admin" -> null
      - repository = "helia-remote-pinning" -> null
      - username   = "SgtPooki" -> null
    }

  # github_repository_collaborator.this["kubo:dennis-tra"] will be destroyed
  # (because key ["kubo:dennis-tra"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "kubo:dennis-tra" -> null
      - permission = "push" -> null
      - repository = "kubo" -> null
      - username   = "dennis-tra" -> null
    }

  # github_repository_collaborator.this["kubo:lidel"] will be destroyed
  # (because key ["kubo:lidel"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "kubo:lidel" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - username   = "lidel" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:2color"] will be destroyed
  # (because key ["service-worker-gateway:2color"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:2color" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "2color" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:aschmahmann"] will be destroyed
  # (because key ["service-worker-gateway:aschmahmann"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:aschmahmann" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "aschmahmann" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:lidel"] will be destroyed
  # (because key ["service-worker-gateway:lidel"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:lidel" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "lidel" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:marcopolo"] will be destroyed
  # (because key ["service-worker-gateway:marcopolo"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:MarcoPolo" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "MarcoPolo" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:sgtpooki"] will be destroyed
  # (because key ["service-worker-gateway:sgtpooki"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:SgtPooki" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "SgtPooki" -> null
    }

  # github_team.this["shipyard"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "Members of Interplanetary Shipyard who work with or on IPFS"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "shipyard"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team_membership.this["helia-dev:whizzzkid"] will be destroyed
  # (because key ["helia-dev:whizzzkid"] is not in for_each map)
  - resource "github_team_membership" "this" {
      - etag     = "W/\"514ee7e287d3fbdd9db2bdd6e910901c00128509a16b902e6b8a865071edf668\"" -> null
      - id       = "7676419:whizzzkid" -> null
      - role     = "member" -> null
      - team_id  = "7676419" -> null
      - username = "whizzzkid" -> null
    }

  # github_team_membership.this["kubo maintainers:jorropo"] will be destroyed
  # (because key ["kubo maintainers:jorropo"] is not in for_each map)
  - resource "github_team_membership" "this" {
      - etag     = "W/\"7a6fe0a037fb738e9e60b8b4d95c9370051249b77efd1cf8cf5f1816b2cef469\"" -> null
      - id       = "6744049:Jorropo" -> null
      - role     = "member" -> null
      - team_id  = "6744049" -> null
      - username = "Jorropo" -> null
    }

  # github_team_membership.this["shipyard:2color"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "2color"
    }

  # github_team_membership.this["shipyard:achingbrain"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "achingbrain"
    }

  # github_team_membership.this["shipyard:aschmahmann"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "aschmahmann"
    }

  # github_team_membership.this["shipyard:gammazero"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "gammazero"
    }

  # github_team_membership.this["shipyard:guillaumemichel"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "guillaumemichel"
    }

  # github_team_membership.this["shipyard:lidel"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "lidel"
    }

  # github_team_membership.this["shipyard:marcopolo"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "MarcoPolo"
    }

  # github_team_membership.this["shipyard:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_repository.this["admin:boxo"] will be destroyed
  # (because key ["admin:boxo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"eab881d3a54b24924fde0a9c96032c40c8d5cc24022758538a6b86fb94d08780\"" -> null
      - id         = "1516991:boxo" -> null
      - permission = "admin" -> null
      - repository = "boxo" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["admin:kubo"] will be destroyed
  # (because key ["admin:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"8dea37a2ebc1caa306c218ebdee8efbc5b2d8530fcc406bacb8108067d40ffb9\"" -> null
      - id         = "1516991:kubo" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["admin:rainbow"] will be destroyed
  # (because key ["admin:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"060ae3014587caa06317b93b8b257c7393c87c39d84d670767993457e9b9738d\"" -> null
      - id         = "1516991:rainbow" -> null
      - permission = "admin" -> null
      - repository = "rainbow" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["admin:someguy"] will be destroyed
  # (because key ["admin:someguy"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"9f2c6844cde3235fa865c116893ef5c32ee72f054defdb0060c1d00ef9b22fa1\"" -> null
      - id         = "1516991:someguy" -> null
      - permission = "admin" -> null
      - repository = "someguy" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["github-mgmt stewards:boxo"] will be destroyed
  # (because key ["github-mgmt stewards:boxo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"0d41abb65286530eed1b1163c333c79063c2e541205e3db46a9ea8aa9c1223c7\"" -> null
      - id         = "6421993:boxo" -> null
      - permission = "pull" -> null
      - repository = "boxo" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia"] will be destroyed
  # (because key ["github-mgmt stewards:helia"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"52744c7c0a700b5b393cb2d8ee1bcfa0ae7476fc83c9e8afc2b639ae6e5bfa7c\"" -> null
      - id         = "6421993:helia" -> null
      - permission = "pull" -> null
      - repository = "helia" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-cli"] will be destroyed
  # (because key ["github-mgmt stewards:helia-cli"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"2b53781f1925d641aafa8e09685dea4cd2426249c5e784f2d8ff34c87d0cbaf7\"" -> null
      - id         = "6421993:helia-cli" -> null
      - permission = "pull" -> null
      - repository = "helia-cli" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-delegated-routing-v1-http-api"] will be destroyed
  # (because key ["github-mgmt stewards:helia-delegated-routing-v1-http-api"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"1141eb50efef2c76f90bf9b033f02352b9b98affc80238fbb04dfe6108d312f0\"" -> null
      - id         = "6421993:helia-delegated-routing-v1-http-api" -> null
      - permission = "pull" -> null
      - repository = "helia-delegated-routing-v1-http-api" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-http-gateway"] will be destroyed
  # (because key ["github-mgmt stewards:helia-http-gateway"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"c215c6c292883ed30586fada6fa987b8ab1de585b5f5079f6d9ae1d00d3e3470\"" -> null
      - id         = "6421993:helia-http-gateway" -> null
      - permission = "pull" -> null
      - repository = "helia-http-gateway" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-remote-pinning"] will be destroyed
  # (because key ["github-mgmt stewards:helia-remote-pinning"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"a07a7af0f75ca7ff334381753764b7a54092c540b2b3b88d928ab6a2c85c9a8d\"" -> null
      - id         = "6421993:helia-remote-pinning" -> null
      - permission = "pull" -> null
      - repository = "helia-remote-pinning" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-verified-fetch"] will be destroyed
  # (because key ["github-mgmt stewards:helia-verified-fetch"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"133afb64c1f151295ec79432ec6558ce9c0febd37453aa491ee58cfda829545c\"" -> null
      - id         = "6421993:helia-verified-fetch" -> null
      - permission = "pull" -> null
      - repository = "helia-verified-fetch" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:kubo"] will be destroyed
  # (because key ["github-mgmt stewards:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"ee856debdc791b6babe3b8bd55e7128afc8390e10a80719ff8d8488109d81603\"" -> null
      - id         = "6421993:kubo" -> null
      - permission = "pull" -> null
      - repository = "kubo" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:rainbow"] will be destroyed
  # (because key ["github-mgmt stewards:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"cbd4b7420de793c65a2b1b41959bbf4fd137677dcb8d25bc3b20305c50e8a329\"" -> null
      - id         = "6421993:rainbow" -> null
      - permission = "pull" -> null
      - repository = "rainbow" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:service-worker-gateway"] will be destroyed
  # (because key ["github-mgmt stewards:service-worker-gateway"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"035805476dda8e7b0978f2e1208a3089a0543983ea8b441105502771d8171e3e\"" -> null
      - id         = "6421993:service-worker-gateway" -> null
      - permission = "pull" -> null
      - repository = "service-worker-gateway" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:someguy"] will be destroyed
  # (because key ["github-mgmt stewards:someguy"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"648496a6eb4619e005b4d7c4fcf28f4ac26eb5923b77cdffbc0d1d129b50c5b8\"" -> null
      - id         = "6421993:someguy" -> null
      - permission = "pull" -> null
      - repository = "someguy" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["helia-dev:service-worker-gateway"] will be updated in-place
  ~ resource "github_team_repository" "this" {
        id         = "7676419:service-worker-gateway"
      ~ permission = "pull" -> "admin"
        # (3 unchanged attributes hidden)
    }

  # github_team_repository.this["ipdx:kubo"] will be destroyed
  # (because key ["ipdx:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"8dea37a2ebc1caa306c218ebdee8efbc5b2d8530fcc406bacb8108067d40ffb9\"" -> null
      - id         = "6349983:kubo" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - team_id    = "6349983" -> null
    }

  # github_team_repository.this["ipdx:rainbow"] will be destroyed
  # (because key ["ipdx:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"060ae3014587caa06317b93b8b257c7393c87c39d84d670767993457e9b9738d\"" -> null
      - id         = "6349983:rainbow" -> null
      - permission = "admin" -> null
      - repository = "rainbow" -> null
      - team_id    = "6349983" -> null
    }

  # github_team_repository.this["maintainers:kubo"] will be destroyed
  # (because key ["maintainers:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"5cf6b39cd315e6447f336f2166e877c9f4762c4081159f75b5240153ec82677c\"" -> null
      - id         = "3729031:kubo" -> null
      - permission = "push" -> null
      - repository = "kubo" -> null
      - team_id    = "3729031" -> null
    }

  # github_team_repository.this["merge - go:boxo"] will be updated in-place
  ~ resource "github_team_repository" "this" {
        id         = "3364102:boxo"
      ~ permission = "maintain" -> "push"
        # (3 unchanged attributes hidden)
    }

  # github_team_repository.this["repos - go:boxo"] will be updated in-place
  ~ resource "github_team_repository" "this" {
        id         = "3232508:boxo"
      ~ permission = "maintain" -> "push"
        # (3 unchanged attributes hidden)
    }

  # github_team_repository.this["shipyard:boxo"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "boxo"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-cli"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-cli"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-delegated-routing-v1-http-api"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-delegated-routing-v1-http-api"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-http-gateway"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-http-gateway"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-remote-pinning"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-remote-pinning"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-verified-fetch"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-verified-fetch"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:kubo"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "kubo"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:rainbow"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "rainbow"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:service-worker-gateway"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "admin"
      + repository = "service-worker-gateway"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:someguy"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "someguy"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["w3dt-stewards:boxo"] will be destroyed
  # (because key ["w3dt-stewards:boxo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"eab881d3a54b24924fde0a9c96032c40c8d5cc24022758538a6b86fb94d08780\"" -> null
      - id         = "4656983:boxo" -> null
      - permission = "admin" -> null
      - repository = "boxo" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:helia"] will be destroyed
  # (because key ["w3dt-stewards:helia"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"9e60726a28766ad67e5e425e8d90b5c704c774d41310edd212e5546b00a9448f\"" -> null
      - id         = "4656983:helia" -> null
      - permission = "admin" -> null
      - repository = "helia" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:helia-delegated-routing-v1-http-api"] will be destroyed
  # (because key ["w3dt-stewards:helia-delegated-routing-v1-http-api"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"66fa3d8b28632cf4950357dfe2f756ac35a0b86a2a008bd42376794dafc11e8c\"" -> null
      - id         = "4656983:helia-delegated-routing-v1-http-api" -> null
      - permission = "admin" -> null
      - repository = "helia-delegated-routing-v1-http-api" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:helia-verified-fetch"] will be destroyed
  # (because key ["w3dt-stewards:helia-verified-fetch"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"94157302708f7068483e913b3b84058e56702c389f75765e89c24b6997410a24\"" -> null
      - id         = "4656983:helia-verified-fetch" -> null
      - permission = "admin" -> null
      - repository = "helia-verified-fetch" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:kubo"] will be destroyed
  # (because key ["w3dt-stewards:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"8dea37a2ebc1caa306c218ebdee8efbc5b2d8530fcc406bacb8108067d40ffb9\"" -> null
      - id         = "4656983:kubo" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:rainbow"] will be destroyed
  # (because key ["w3dt-stewards:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"060ae3014587caa06317b93b8b257c7393c87c39d84d670767993457e9b9738d\"" -> null
      - id         = "4656983:rainbow" -> null
      - permission = "admin" -> null
      - repository = "rainbow" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:someguy"] will be destroyed
  # (because key ["w3dt-stewards:someguy"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"9f2c6844cde3235fa865c116893ef5c32ee72f054defdb0060c1d00ef9b22fa1\"" -> null
      - id         = "4656983:someguy" -> null
      - permission = "admin" -> null
      - repository = "someguy" -> null
      - team_id    = "4656983" -> null
    }

Plan: 20 to add, 8 to change, 39 to destroy.
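
The plan above interleaves removals, downgrades and new grants across many repositories. As an added example (not part of this PR or of the github-mgmt tooling), the Python below groups the `github_team_repository` changes by repository and lists the grants that end up stronger than before. The function names and the abbreviated sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# GitHub's built-in repository roles, weakest to strongest; None means no grant.
# Custom roles are not handled and raise KeyError rather than being mis-ranked.
RANK = {None: 0, "pull": 1, "triage": 2, "push": 3, "maintain": 4, "admin": 5}
HEADER = re.compile(r'# github_team_repository\.this\["([^"]+)"\] will be ')
PERM = re.compile(r'^\s*([-+~])\s+permission\s*=\s*"(\w+)"(?:\s*->\s*(?:null|"(\w+)"))?')

def parse_plan(text):
    """Return {repo: [(team, old, new), ...]}; the repo follows the key's last colon."""
    changes, key = defaultdict(list), None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            key = header.group(1)
            continue
        perm = PERM.match(line)
        if not (perm and key):
            continue
        sign, first, second = perm.groups()
        team, _, repo = key.rpartition(":")
        old, new = {"+": (None, first), "-": (first, None), "~": (first, second)}[sign]
        changes[repo].append((team, old, new))
        key = None
    return dict(changes)

def escalations(changes, floor="maintain"):
    """Grants that end up stronger than before and at or above `floor`."""
    hits = [(repo, team, old, new)
            for repo, rows in changes.items() for team, old, new in rows
            if RANK[new] > RANK[old] and RANK[new] >= RANK[floor]]
    return sorted(hits, key=lambda hit: hit[:2])

# Constructed sample: six entries abbreviated from the plan output above.
SAMPLE = """
  # github_team_repository.this["github-mgmt stewards:service-worker-gateway"] will be destroyed
      - permission = "pull" -> null
  # github_team_repository.this["helia-dev:service-worker-gateway"] will be updated in-place
      ~ permission = "pull" -> "admin"
  # github_team_repository.this["merge - go:boxo"] will be updated in-place
      ~ permission = "maintain" -> "push"
  # github_team_repository.this["shipyard:boxo"] will be created
      + permission = "maintain"
  # github_team_repository.this["shipyard:service-worker-gateway"] will be created
      + permission = "admin"
  # github_team_repository.this["w3dt-stewards:boxo"] will be destroyed
      - permission = "admin" -> null
"""
print(escalations(parse_plan(SAMPLE), floor="admin"))
```

On the sample, the `admin` floor reports the `helia-dev` and `shipyard` grants on `service-worker-gateway`; the default `maintain` floor also reports `shipyard` on `boxo`.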

Comment on lines 3400 to +3404
teams:
admin:
- helia-dev
pull:
- github-mgmt stewards
maintain:
- shipyard
Contributor Author

@achingbrain @SgtPooki I added Shipyard as maintainers for some repos where there were no ambient admin permissions for the "admin" or w3dt-stewards teams. It might be that these are unnecessary or should just be push permissions. Happy to downgrade if you think that makes more sense.

Member

this should be fine, and we haven't touched helia-cli in a while, and likely won't

Comment on lines 5241 to +5242
push_restrictions:
- /aschmahmann
- /gmasgras
- /thattommyhall
- ipfs/kubo-maintainers
Contributor Author

@ipfs/ipdx how can I set this to push restrictions on, but with no associated group? IIUC there's nothing you can do anyway to stop admins from pushing (or maintainers from pushing with approval) so adding groups here seems unnecessary provided you can keep the restrictions enabled.

admin:
- lidel
push:
- dennis-tra
Contributor Author

@dennis-tra I'm removing your permissions here and there will be a follow-up PR to add you to the IPFS org and from there you can get added to any teams you need to be.

Sounds good, thanks for the heads-up! 👍

Comment on lines -3447 to -3451
pull:
- github-mgmt stewards
Contributor Author

@ipfs/ipdx any idea why these pull permissions got added everywhere in fe64a02?

Contributor

Yes! This is because the github-mgmt stewards group is designated as moderator and security manager as per #189

So, unfortunately, they're going to come back, but you don't necessarily have to restore them yourself. The apply should go through anyway, and the config will be updated during the weekly sync.

Comment on lines +5777 to +5778
maintain:
- shipyard
Contributor Author

@lidel WDYT about giving push to repos Go for rainbow and someguy?

Member

@lidel lidel Aug 21, 2024

Probably ok, that group already has "maintain" in boxo, so push will make it easier for existing community to submit PRs.

ps. there is a separate long-term meta-worry in that there are way too many people in https://github.com/orgs/ipfs/teams/repos-go, and if our intention is to limit security risks / access, we should plan to subset that group.

github/ipfs.yml (outdated, resolved)
Member

@SgtPooki SgtPooki left a comment

looks fine to me (only searched for my username and looked through removals or items where I was left). I really wish it was easier to see the specific repo the changes are for

Contributor

@galargh galargh left a comment

Great job!

@SgtPooki
Member

@aschmahmann should we merge this on monday?

@aschmahmann aschmahmann merged commit 0366d80 into master Nov 5, 2024
6 checks passed