Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Manage GitHub teams permissions as code #3998

Draft
wants to merge 27 commits into
base: master
Choose a base branch
from

Conversation

Alaurant
Copy link

@Alaurant Alaurant commented Jul 7, 2024

This Pull Request enhances the process for managing team permissions. It automates the synchronization of team data, ensuring our GitHub records are always up-to-date.

Key Features

Repository Permission Updates: Once the PR is merged, it updates the team and sends an invitation if needed.

Automatic Sync: it runs every week to ensure the files’ data is in sync with the live data on GitHub.

@Alaurant Alaurant requested a review from a team as a code owner July 7, 2024 16:23
@NotMyFault NotMyFault requested review from NotMyFault and timja July 20, 2024 14:20
Copy link
Member

@timja timja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some initial feedback, what testing has been done on this?

repoPath = (String) data.get("github");
}

if (data.containsKey("github_team")) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we think we need to add this / need it as the only way?

teams are currently done by the repository name and should be easily determinable, (there may be some outliers though and where it might be good to be able to override this)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, if a YAML file doesn't include github_team, I don't take any action.
If it does include github_team, I assume there's a unique team name like github_team: abc_team, and update the developers on that team.

However, based on your description, it seems uncommon to have a unique team name specified. Is it more common for github_team to be included without a specific name, meaning the team name would default to the repository name?

Also, if I have misunderstood anything in the first part, please correct me.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it will currently never include a GitHub team you will need to backfill those across the repository with this approach.

(not necessarily a bad thing)

Teams will almost always be unique per repository, occasionally there will be additional teams with access.

e.g. design-library-plugin has the sig-ux team with access.

and there will be other similar examples

Copy link
Contributor

@daniel-beck daniel-beck Jul 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

e.g. design-library-plugin has the sig-ux team with access.

In particular, while most teams are ${repo}-developers, there are some "special" teams spanning multiple repositories.

Also, I don't see where team repos are being managed, only team members. Would those special teams be excluded from management as code?

Similarly, this also hardcodes push permission, when there are cases where the permissions should be different. Are those also excluded?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest for non-schema based groups that in the future it is moved to an extra section called: custom-groups.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It needs to be done before go-live of the new solution, ideally as close to when the other solution is ready to merge in case changes occur again.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've set up a new repository for the one-off backfill and updated the README with the current backfill logic and a few questions. When you have a moment, I'd appreciate it if you could take a look: https://github.com/Alaurant/OneOffSyncTool.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extended Permissions

  1. You should be able to see all GitHub permissions with this report which might help with your permissions request: https://reports.jenkins.io/github-jenkinsci-permissions-report.json

Format

  1. I wouldn't use the empty string if you can't match a person: github: "", just omit the key.

Clarification of Special Teams:

  1. I'm not sure what you mean by clarification of special teams, yes its name is SIG: UX

Challenges with Multiple YAML Files for a Single Repository

  1. I think only one file should be managing the GitHub permissions ideally good point

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your patience in reading and responding. The permissions report will be helpful.

Format

Following your advice to omit the key, would the entries look like this?

- ldap: Alice
- github: Bob
- ldap: Chalie
  github: Chalie

Clarification of Special Teams:

I appreciate your help on the "SIG: UX" clarification. Could you confirm if the following matches are correct?

  1. cloudbees-developers: company-cloudbees-developers
  2. core: Core or Core PR Reviewers?
  3. security: core-security-review
  4. openshift-developers: Which team corresponds to this in the provided image?
image

Thank you again.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Yes entries would look like that
  2. yes cloudbees is company-cloudbees...
  3. core is Core
  4. I don't think security is core-security-review, they are separate
  5. there's no openshift-developers team in GitHub but I'm sure it would be a good idea.

@timja timja requested review from Wadeck and daniel-beck July 21, 2024 16:07
Copy link
Contributor

@daniel-beck daniel-beck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is unclear to me what this is trying to accomplish and why it is added to this repository.

- name: Build project
run: mvn clean install

- name: Update all yml files in permissions directory
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This message appears to be misleading, as it claims to modify yml files, rather than use them as a reference (which seems to be what YmlTeamLoader#loadTeam does).

id: files
run: |
echo "Checking for changes in permissions/*.yml files..."
FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'permissions/*.yml')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This relies on every single execution being successful (assuming no infra trouble ever), which seems unsafe.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a sweeper that runs once per week, I umm'ed and erred on this. Only operating on changes files will certainly be quicker, but why re-invent the wheel instead of using something like terraform which can maintain the state?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't terraform be a bit over the top for this PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

its a standard infra as code tool, rather than re-implementing the wheel, it allows more people to collaborate especially from e.g. the infra team.

.github/workflows/teamsync_check_for_changes.yml Outdated Show resolved Hide resolved
Alaurant and others added 3 commits July 22, 2024 12:25
@Alaurant Alaurant marked this pull request as draft July 22, 2024 02:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants