202408 proposal for reducing filecoin-project org ownership

[BigLep]

Message to those affected

@arden-sead
@dr-bizz
@filecoin-helper
@jbenet
@jmac-sead
@laurentsenta
@mishmosh
@momack2
@protocolin
@raulk
@Stebalien

You've been @mentioned because your filecoin-project github "org ownership" permissions are proposed for removal as part of #47 unless you respond back with your use-case for having these broad permissions by 2024-08-28. You will still be a member of the filecoin-project github org, retain your existing direct github repo permissions or team permissions, and be able to make permission requests through https://github.com/filecoin-project/github-mgmt.

The current plan is to merge this change on Wednesday, 2024-08-28 2024-09-04, if there are no blocking comments/feedback.

That said, this isn't a one-way door. If we got this wrong or you don't see the notification until after-the-fact, a new PR can be created to fix permissions.

Thanks and let me know if you have any questions or concerns.

Who is affected and how

Below is the textual summary of the changes. I'll keep it updated, if/as the code updates as well.

Retained org ownership (rationale is documented code):

• @anorth
• @BigLep (temporary access extended)
• @galargh
• @jennijuju
• @mastrwayne-admin

Removed org ownership but are part of "github-mgmt Stewards" which effectively has the ability escalate to org ownership permissions (rationale is documented code):

• @smagdali

Removed org ownership because have not been active in org administration the last 6 months[*]:

• @filecoin-helper
• @jbenet
• @laurentsenta
• @mishmosh
• @protocolin
• @raulk

Removed org ownership because are part of sead, but haven't been active in administering the org and still have representation with masterwayne-admin[*]:

• @arden-sead
• @dr-bizz
• @jmac-sead

Removed org ownership event hough have been active in org administration because have representation with other FilOz team members:

• @momack2
• @Stebalien

Added org ownership given experience and diversifying representation:

• @magik6k

Added to new github-mgmt-approvers team:

• @rjan90 given project awareness often helping act on half of implementation tteam
• @Stebalien given project awareness and experience with tooling
• @willscott given experience with the tooling and diversifying representation

Added to the newly created security-managers team:
(This team will be given the security manager" role after being created as tracked in #47)

• @parthshah1
• @relotnek
• @smagdali

Added to the newly created moderators team:
(This team will be given the moderator role after being created as tracked in #47)

• @arden-sead
• @dr-bizz
• @jmac-sead
• @mastrwayne-admin

FAQ

Why are we removing so many owners, especially of longtime/foundational project members?

This is in no way meant to downplay the contribution of those affected who have been significant builders in shaping the project. Beyond the reasons listed in #47 , I'm suggesting remove folks because I view having these superpowers as a burden. Many of those removed haven't had filecoin-project github org activity in the last 6 months, and thus I assume they're not getting utility from carrying the burden. In addition, their accounts would be a prime account for attackers to go after, and this change reduces the blast radius in the unfortunate-I-never-hope-it-happens event that their accounts do get attacked.

My general mindset: Github org ownership permissions are very powerful, and they enable someone to do things in the UI without review that can have significant consequences. Reducing the ownership set to a small set of people helps ensure:

1. more actions go through github-mgmt (which has review) and
2. that the few humans who are doing things outside of github-mgmt are also the humans who live in the github tools more, thus potentially more aware of how to wield them safely. (This is sort of similar to how AWS service teams don't allow Management Console/UI access to any of the production accounts except in "break glass" scenarios where others are in the loop and handholding together.)

Why not remove all org owners?

I considered a larger extreme of effectively removing all org owners and then just relying on github-mgmt stewards to self-promote themselves to "org owner" when they need this (leaving a comment for why they need this and what conditions need to be met to be removed from the owner role). This seems like the safest thing to reduce the chance that org owners accidentally use their permissions in unintended ways (and reduces some of the potential blas radius if their account gets hacked - there would at least be a PR to github-mgmt that would show the escalation of permissions which may give someone the chance to react/respond.)

I sided against advocating for this because there are likely notifications that come through to owners that it would be risky to not have any human receiving.

Feedback welcome though if anyone thinks we should tighten further.

Why aren't more teams/groups represented on the "github-mgmt stewards" team?

FilOz and IDPX are well represented on that team (see code). The Filecoin Foundation now has representation. Many of those who lost org owner permissions have representation via "org owners" or the "githb-mgmt Stewards" team. More teams are not being proactively added to the list yet because:

1. FilOz is guinea-pigging the process of ensuring that changes to the repos the maintain is done under code review and transparently. The hope/intent is to have other groups manage their repos in this way too if its successful.
2. We are dependent on some tooling improvement to support a diverse set of stakeholders that have limited blast radius (see Support a diverse set of owners while limiting blast radius ipdxco/github-as-code#126 for more info).

A new "github-mgmt approvers" team was also created that has a wider pool of people who can approve (but not merge) PRs.

Reviewer's Checklist

• It is clear where the request is coming from (if unsure, ask)
• All the automated checks passed
• The YAML changes reflect the summary of the request
• The Terraform plan posted as a comment reflects the summary of the request

Additional notes

[*] Audit log dump from the last 6 months was done here.

[github-actions]

The following access changes will be introduced as a result of applying the plan:

Access Changes

User arajasek:
  - will lose admin permission to github-mgmt
User arden-sead:
  - will have the role in the organization change from admin to member
User autonome:
  - will lose push permission to github-mgmt
User dr-bizz:
  - will have the role in the organization change from admin to member
User filecoin-helper:
  - will have the role in the organization change from admin to member
User galargh:
  - will have the permission to github-mgmt change from admin to push
User jbenet:
  - will have the role in the organization change from admin to member
User jennijuju:
  - will have the permission to github-mgmt change from admin to push
User jmac-sead:
  - will have the role in the organization change from admin to member
User laurentsenta:
  - will have the role in the organization change from admin to member
User magik6k:
  - will have the role in the organization change from member to admin
User mastrwayne-admin:
  - will lose admin permission to github-mgmt
User mishmosh:
  - will have the role in the organization change from admin to member
User momack2:
  - will have the role in the organization change from admin to member
User mroth:
  - will lose push permission to github-mgmt
User protocolin:
  - will have the role in the organization change from admin to member
User raulk:
  - will have the role in the organization change from admin to member
User rjan90:
  - will gain triage permission to github-mgmt
User scotthconner:
  - will lose push permission to github-mgmt
User smagdali:
  - will gain push permission to github-mgmt
  - will have the role in the organization change from admin to member
User stebalien:
  - will gain triage permission to github-mgmt
  - will have the role in the organization change from admin to member
User willscott:
  - will gain triage permission to github-mgmt

[github-actions]

Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.

Terraform plans

filecoin-project

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # github_membership.this["arden-sead"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:arden-sead"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["dr-bizz"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:dr-bizz"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["filecoin-helper"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:filecoin-helper"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["jbenet"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:jbenet"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["jmac-sead"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:jmac-sead"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["laurentsenta"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:laurentsenta"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["magik6k"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:magik6k"
      ~ role     = "member" -> "admin"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["mishmosh"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:mishmosh"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["momack2"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:momack2"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["protocolin"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:protocolin"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["raulk"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:raulk"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["smagdali"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:smagdali"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_membership.this["stebalien"] will be updated in-place
  ~ resource "github_membership" "this" {
        id       = "filecoin-project:Stebalien"
      ~ role     = "admin" -> "member"
        # (2 unchanged attributes hidden)
    }

  # github_repository_collaborator.this["github-mgmt:arajasek"] will be destroyed
  # (because key ["github-mgmt:arajasek"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:arajasek" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "arajasek" -> null
    }

  # github_repository_collaborator.this["github-mgmt:autonome"] will be destroyed
  # (because key ["github-mgmt:autonome"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:autonome" -> null
      - permission = "push" -> null
      - repository = "github-mgmt" -> null
      - username   = "autonome" -> null
    }

  # github_repository_collaborator.this["github-mgmt:galargh"] will be destroyed
  # (because key ["github-mgmt:galargh"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:galargh" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "galargh" -> null
    }

  # github_repository_collaborator.this["github-mgmt:jennijuju"] will be destroyed
  # (because key ["github-mgmt:jennijuju"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:jennijuju" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "jennijuju" -> null
    }

  # github_repository_collaborator.this["github-mgmt:mastrwayne-admin"] will be destroyed
  # (because key ["github-mgmt:mastrwayne-admin"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:mastrwayne-admin" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "mastrwayne-admin" -> null
    }

  # github_repository_collaborator.this["github-mgmt:mroth"] will be destroyed
  # (because key ["github-mgmt:mroth"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:mroth" -> null
      - permission = "push" -> null
      - repository = "github-mgmt" -> null
      - username   = "mroth" -> null
    }

  # github_repository_collaborator.this["github-mgmt:scotthconner"] will be destroyed
  # (because key ["github-mgmt:scotthconner"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:scotthconner" -> null
      - permission = "push" -> null
      - repository = "github-mgmt" -> null
      - username   = "scotthconner" -> null
    }

  # github_repository_file.this["github-mgmt/codeowners"] will be destroyed
  # (because key ["github-mgmt/codeowners"] is not in for_each map)
  - resource "github_repository_file" "this" {
      - branch              = "master" -> null
      - commit_author       = "GitHub" -> null
      - commit_email        = "[email protected]" -> null
      - commit_message      = "chore: Update CODEOWNERS [skip ci]" -> null
      - commit_sha          = "4a7d5a43e4067126ebcf8c9e79f50f73049da0ef" -> null
      - content             = <<-EOT
            # The github-mgmt stewards team is responsible for triaging/reviewing configuration change requests
            /github/filecoin-project.yml @filecoin-project/github-mgmt-stewards
        EOT -> null
      - file                = "CODEOWNERS" -> null
      - id                  = "github-mgmt/CODEOWNERS" -> null
      - overwrite_on_create = false -> null
      - ref                 = "master" -> null
      - repository          = "github-mgmt" -> null
      - sha                 = "c163220dc5d6f1ef7de88fe50e64b1d8df411a26" -> null
    }

  # github_team.this["github-mgmt approvers"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "Additional users beyong github-mgmt-stewards who can approve (but not merge) github-mgmt PRs"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "github-mgmt approvers"
      + node_id                   = (known after apply)
      + privacy                   = "closed"
      + slug                      = (known after apply)
    }

  # github_team.this["ipdx"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "ipdx.co team members"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "ipdx"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["moderators"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "This team has the Moderators role described in https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-moderators"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "moderators"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["security-managers"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "This team has the Security Manager role described in https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#security-managers"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "security-managers"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team_membership.this["github-mgmt approvers:rjan90"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "rjan90"
    }

  # github_team_membership.this["github-mgmt approvers:stebalien"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Stebalien"
    }

  # github_team_membership.this["github-mgmt approvers:willscott"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "willscott"
    }

  # github_team_membership.this["github-mgmt stewards:smagdali"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = "7326115"
      + username = "smagdali"
    }

  # github_team_membership.this["ipdx:galargh"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "galargh"
    }

  # github_team_membership.this["ipdx:laurentsenta"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "laurentsenta"
    }

  # github_team_membership.this["moderators:arden-sead"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "arden-sead"
    }

  # github_team_membership.this["moderators:dr-bizz"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "dr-bizz"
    }

  # github_team_membership.this["moderators:jmac-sead"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "jmac-sead"
    }

  # github_team_membership.this["moderators:mastrwayne-admin"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "mastrwayne-admin"
    }

  # github_team_membership.this["security-managers:parthshah1"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "parthshah1"
    }

  # github_team_membership.this["security-managers:relotnek"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "relotnek"
    }

  # github_team_membership.this["security-managers:smagdali"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "smagdali"
    }

  # github_team_repository.this["github-mgmt approvers:github-mgmt"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "triage"
      + repository = "github-mgmt"
      + team_id    = (known after apply)
    }

Plan: 18 to add, 13 to change, 8 to destroy.

[BigLep]

Even before I get the ability to see https://github.com/organizations/filecoin-project/settings/audit-log, I'm still marking this as ready for review to give more time for feedback and comments.

I'm not expecting to have gotten this all right on try one, so the quicker I can get feedback the better for being able to close this out.

[BigLep]

Per #47 , I have proposed a moderators and security-managers team and included that in the PR. The PR description has been updated to textually describe who has been affected.

[BigLep]

I have org owner access and was able to check the audit log. This hasn't lead me to make any suggested changes based on the original recommendation.

How data was collected

Below is the dump from https://github.com/organizations/filecoin-project/settings/audit-log?q=created%3A%3E2024-02-25+action%3Aaccount.*+action%3Abilling.*+action%3Abusiness.*+action%3Aenterprise.*+action%3Aintegration_installation.create+action%3Aorg.*+action%3Apayment_method.*+action%3Ateam.*+-actor%3Afilecoin-project-mgmt-read-write%5Bbot%5D+-actor%3Acustom-gh-runners-by-ipdx-co-filoz%5Bbot%5D using filter created:>2024-02-25 action:account.* action:billing.* action:business.* action:enterprise.* action:integration_installation.create action:org.* action:payment_method.* action:team.* -actor:filecoin-project-mgmt-read-write[bot] -actor:custom-gh-runners-by-ipdx-co-filoz[bot] based on the actions listed in https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-the-action-performed .

I reduced the columns that are displayed and sorted using cat export-filecoin-project-*.csv| csvcut -c actor,action,repo,team,user,integration,@timestamp | csvsort -i -c actor,action,@timestamp | csvlook

Data dump

actor	action	repo	team	user	integration	@timestamp
anorth	team.add_member		filecoin-project/actors-maintainers	masih		1,718,753,487,982
anorth	team.destroy		filecoin-project/actors-committers			1,718,753,721,829
anorth	team.remove_member		filecoin-project/actors-committers	masih		1,718,753,510,795
anorth	team.remove_member		filecoin-project/actors-committers	mb1896		1,718,753,528,831
anorth	team.remove_repository	filecoin-project/go-hamt-ipld	actors-committers			1,718,753,721,927
anorth	team.remove_repository	filecoin-project/FIPs	actors-committers			1,718,753,721,939
anorth	team.remove_repository	filecoin-project/go-amt-ipld	actors-committers			1,718,753,721,947
anorth	team.remove_repository	filecoin-project/chain-validation	actors-committers			1,718,753,721,954
anorth	team.remove_repository	filecoin-project/specs-actors	actors-committers			1,718,753,721,962
anorth	team.remove_repository	filecoin-project/go-bitfield	actors-committers			1,718,753,721,969
anorth	team.remove_repository	filecoin-project/go-state-types	actors-committers			1,718,753,721,976
anorth	team.remove_repository	filecoin-project/core-devs	actors-committers			1,718,753,721,983
anorth	team.remove_repository	filecoin-project/ent	actors-committers			1,718,753,721,990
anorth	team.remove_repository	filecoin-project/builtin-actors	actors-committers			1,718,753,721,997
aronchick	team.destroy		filecoin-project/bacalhau-team			1,716,578,310,793
BigLep	integration_installation.create				BuildPulse	1,721,157,293,557
dkkapur	team.remove_member		filecoin-project/data-programs	xmcai2016		1,710,965,284,387
dkkapur	team.remove_member		filecoin-project/data-programs	simonkim0515		1,710,965,284,520
dkkapur	team.remove_member		filecoin-project/data-programs	raghavrmadya		1,710,965,284,658
dkkapur	team.remove_member		filecoin-project/data-programs	kevzak		1,710,965,284,799
dnkolegov	team.remove_member		filecoin-project/labbers	dnkolegov		1,713,297,080,782
dr-bizz	integration_installation.create				Fleek CI	1,723,825,373,053
dr-bizz	org.add_outside_collaborator	filecoin.io				1,714,578,584,397
dzmitrykliapkou	org.add_outside_collaborator	cmc-circulating-supply-fil-addresses				1,716,452,381,769
Filip-L	org.add_outside_collaborator	filplus-backend				1,716,210,206,403
filipagr	org.add_outside_collaborator	on-chain-voting				1,715,019,602,687
galargh	org.audit_log_export					1,719,326,865,440
galargh	org.create_actions_secret					1,710,266,762,957
galargh	org.runner_group_updated					1,710,859,538,599
galargh	org.runner_group_updated					1,712,672,731,010
galargh	org.runner_group_updated					1,720,167,918,632
galargh	org.runner_group_updated					1,722,982,480,367
gstraczek	org.add_outside_collaborator	filplus-registry				1,717,598,443,773
hexianglinss	org.add_outside_collaborator	on-chain-voting				1,714,440,203,925
honghaoq	org.remove_member			honghaoq		1,712,650,186,658
honghaoq	team.remove_member		filecoin-project/labbers	honghaoq		1,712,650,186,990
honghaoq	team.remove_member		filecoin-project/fvm-team	honghaoq		1,712,650,187,093
honghaoq	team.remove_member		filecoin-project/fvm-web	honghaoq		1,712,650,187,195
Huang-Zexiang	org.add_outside_collaborator	on-chain-voting				1,714,439,397,183
jennijuju	org.invite_member			arajasek		1,712,965,773,201
jennijuju	org.oauth_app_access_approved					1,724,388,750,512
jennijuju	org.remove_member			ognots		1,712,964,717,060
jennijuju	org.remove_member			arajasek		1,712,964,759,351
jennijuju	team.add_member		filecoin-project/actors-committers	masih		1,709,203,078,847
jennijuju	team.add_member		filecoin-project/lotus-maintainers	rjan90		1,709,547,211,463
jennijuju	team.add_member		filecoin-project/lotus-maintainers	Kubuxu		1,713,113,881,074
jennijuju	team.add_member		filecoin-project/lotus-maintainers	TippyFlitsUK		1,713,288,046,586
jennijuju	team.add_member		filecoin-project/actors-maintainers	TippyFlitsUK		1,713,288,069,658
jennijuju	team.add_member		filecoin-project/filoz	momack2		1,721,356,302,920
jennijuju	team.add_repository	filecoin-project/lotus-docs	filecoin-project/lotus-contributors			1,710,244,663,400
jennijuju	team.add_repository	filecoin-project/accessible-hot-copy-storage	filecoin-project/filoz			1,721,356,277,203
jennijuju	team.add_repository	filecoin-project/go-fil-commcid	filecoin-project/filoz			1,722,475,557,246
jennijuju	team.destroy		filecoin-project/lotus-tse			1,710,244,583,079
jennijuju	team.destroy		filecoin-project/docs-writers			1,710,244,636,175
jennijuju	team.remove_member		filecoin-project/lotus-maintainers	fridrik01		1,709,546,972,810
jennijuju	team.remove_member		filecoin-project/lotus-contributors	Terryhung		1,709,547,109,346
jennijuju	team.remove_member		filecoin-project/dev-misc	ognots		1,712,964,717,368
jennijuju	team.remove_member		filecoin-project/infra	ognots		1,712,964,717,497
jennijuju	team.remove_member		filecoin-project/proj-mgmt	ognots		1,712,964,717,620
jennijuju	team.remove_member		filecoin-project/sentinel-operators	ognots		1,712,964,717,738
jennijuju	team.remove_member		filecoin-project/lotus-infra-core	ognots		1,712,964,717,855
jennijuju	team.remove_member		filecoin-project/labbers	arajasek		1,712,964,759,772
jennijuju	team.remove_member		filecoin-project/actors-maintainers	arajasek		1,712,964,759,905
jennijuju	team.remove_member		filecoin-project/w3dt-stewards	arajasek		1,712,964,760,035
jennijuju	team.remove_member		filecoin-project/venus	arajasek		1,712,964,760,155
jennijuju	team.remove_member		filecoin-project/lotus-maintainers	arajasek		1,712,964,760,266
jennijuju	team.remove_member		filecoin-project/fvm-team	arajasek		1,712,964,760,378
jennijuju	team.remove_member		filecoin-project/fips-editors	arajasek		1,712,964,760,508
jennijuju	team.remove_member		filecoin-project/fvm-crate-owners	arajasek		1,712,964,760,620
jennijuju	team.remove_member		filecoin-project/fvm-core-devs	arajasek		1,712,964,760,736
jennijuju	team.remove_member		filecoin-project/lotus-contributors	arajasek		1,712,964,760,884
jennijuju	team.remove_member		filecoin-project/fvm-core-devs	vmx		1,722,499,748,712
jennijuju	team.remove_member		filecoin-project/fvm-core-devs	fridrik01		1,722,499,748,922
jennijuju	team.remove_member		filecoin-project/fvm-core-devs	aakoshh		1,722,499,749,112
jennijuju	team.remove_member		filecoin-project/fvm-core-devs	magik6k		1,722,499,749,264
jennijuju	team.remove_member		filecoin-project/fvm-core-devs	maciejwitowski		1,722,499,749,430
jennijuju	team.remove_member		filecoin-project/fvm-core-devs	cryptonemo		1,722,499,749,591
jennijuju	team.remove_repository	filecoin-project/lotus	Lotus-TSE			1,710,244,583,154
jennijuju	team.remove_repository	filecoin-project/lotus-docs	Lotus-TSE			1,710,244,583,164
jennijuju	team.remove_repository	filecoin-project/lotus-dcops	Lotus-TSE			1,710,244,583,170
jennijuju	team.remove_repository	filecoin-project/boost	Lotus-TSE			1,710,244,583,175
jennijuju	team.remove_repository	filecoin-project/testnet-hyperspace	Lotus-TSE			1,710,244,583,180
jennijuju	team.remove_repository	filecoin-project/lotus-docs	docs-writers			1,710,244,636,241
jennijuju	team.remove_repository	filecoin-project/fvm-starter-kit-deal-making	docs-writers			1,710,244,636,251
jennijuju	team.remove_repository	filecoin-project/lotus-infra	filecoin-project/actors-maintainers			1,718,627,778,769
jennijuju	team.remove_repository	filecoin-project/lotus-infra	filecoin-project/infra			1,718,627,788,954
jennijuju	team.remove_repository	filecoin-project/lotus-infra	filecoin-project/proofs			1,718,627,811,782
jennijuju	team.update_repository_permission	filecoin-project/lotus	filecoin-project/lotus-contributors	jennijuju		1,709,547,124,176
jennijuju	team.update_repository_permission	filecoin-project/lotus	filecoin-project/lotus-contributors	jennijuju		1,709,547,575,877
jennijuju	team.update_repository_permission	filecoin-project/go-jsonrpc	filecoin-project/lotus-maintainers	jennijuju		1,716,420,971,730
jmac-sead	integration_installation.create				Datacap Bot	1,719,324,280,393
jmac-sead	org.add_member			arden-sead		1,714,056,485,415
jmac-sead	org.add_member			XORS-eng		1,718,899,620,989
jmac-sead	org.add_member			rk-rishikesh		1,718,900,049,773
jmac-sead	org.add_member			xBalbinus		1,718,948,801,592
jmac-sead	org.invite_member			arden-sead		1,714,056,265,764
jmac-sead	org.invite_member			rk-rishikesh		1,718,899,471,237
jmac-sead	org.invite_member			XORS-eng		1,718,899,495,349
jmac-sead	org.invite_member			xBalbinus		1,718,905,778,061
jmac-sead	org.update_member			arden-sead		1,714,056,510,521
jmac-sead	team.add_member		filecoin-project/fil-b	jmac-sead		1,718,905,540,844
jmac-sead	team.add_member		filecoin-project/fil-b	trruckerfling		1,718,905,557,683
jmac-sead	team.add_member		filecoin-project/fil-b	snissn		1,718,905,613,345
jmac-sead	team.add_member		filecoin-project/fil-b	rk-rishikesh		1,718,905,634,999
jmac-sead	team.add_member		filecoin-project/fil-b	XORS-eng		1,718,905,652,411
jmac-sead	team.add_member		filecoin-project/fil-b	longfeiWan9		1,718,905,678,238
jmac-sead	team.add_member		filecoin-project/fil-b	xBalbinus		1,718,948,802,028
jmac-sead	team.add_repository	filecoin-project/fevm-hardhat-kit	filecoin-project/fil-b			1,721,751,254,241
jmac-sead	team.add_repository	filecoin-project/raas-starter-kit	filecoin-project/fil-b			1,721,751,281,517
jmac-sead	team.add_repository	filecoin-project/state-storage-starter-kit	filecoin-project/fil-b			1,721,751,309,212
jmac-sead	team.add_repository	filecoin-project/fvm-starter-kit-deal-making	filecoin-project/fil-b			1,721,751,335,390
jmac-sead	team.add_repository	filecoin-project/fevm-foundry-kit	filecoin-project/fil-b			1,721,751,359,347
jmac-sead	team.create		filecoin-project/fil-b	jmac-sead		1,718,905,540,729
jmac-sead	team.promote_maintainer		filecoin-project/fil-b	trruckerfling		1,718,905,580,901
jmac-sead	team.remove_member		filecoin-project/fil-b	jmac-sead		1,718,905,710,448
jochasinga	org.add_outside_collaborator	filecoin-docs				1,715,702,372,541
kacperzuk-neti	org.add_outside_collaborator	filplus-backend				1,715,792,248,821
kkarrancsu	org.add_outside_collaborator	builtin-actors				1,719,269,029,175
LexLuthr	team.add_member		filecoin-project/boost	magik6k		1,709,826,709,000
LexLuthr	team.add_member		filecoin-project/boost	snadrus		1,709,826,726,539
LexLuthr	team.add_member		filecoin-project/boost	Reiers		1,709,827,359,367
LexLuthr	team.update_repository_permission	filecoin-project/boost-gfm	filecoin-project/boost	LexLuthr		1,709,826,977,108
LexLuthr	team.update_repository_permission	filecoin-project/boost-graphsync	filecoin-project/boost	LexLuthr		1,709,826,980,380
LexLuthr	team.update_repository_permission	filecoin-project/lid-benchmarks	filecoin-project/boost	LexLuthr		1,709,826,986,358
LexLuthr	team.update_repository_permission	filecoin-project/boost-gfm	filecoin-project/boost	LexLuthr		1,709,827,005,079
LexLuthr	team.update_repository_permission	filecoin-project/boost-graphsync	filecoin-project/boost	LexLuthr		1,709,827,007,159
LexLuthr	team.update_repository_permission	filecoin-project/lid-benchmarks	filecoin-project/boost	LexLuthr		1,709,827,583,851
liuzeming1	org.add_outside_collaborator	on-chain-voting				1,715,132,158,742
lukasz-wal	org.add_outside_collaborator	filplus-ssa-bot				1,719,236,757,434
magik6k	team.add_member		filecoin-project/curio	magik6k		1,716,545,989,714
magik6k	team.add_member		filecoin-project/curio	Reiers		1,716,546,026,883
magik6k	team.add_member		filecoin-project/curio	snadrus		1,716,546,073,018
magik6k	team.add_member		filecoin-project/curio	LexLuthr		1,716,546,098,005
magik6k	team.add_repository	filecoin-project/curio	filecoin-project/curio			1,716,546,203,642
magik6k	team.create		filecoin-project/curio	magik6k		1,716,545,989,457
magik6k	team.promote_maintainer		filecoin-project/curio	magik6k		1,716,545,989,970
magik6k	team.promote_maintainer		filecoin-project/curio	snadrus		1,716,546,160,634
magik6k	team.update_repository_permission	filecoin-project/curio	filecoin-project/curio	magik6k		1,716,546,222,313
masih	team.add_repository	filecoin-project/f3-passive-testing	filecoin-project/filoz			1,720,090,124,923
mastrwayne-admin	account.plan_change					1,717,763,631,641
mastrwayne-admin	org.add_member			jmac-sead		1,709,326,687,018
mastrwayne-admin	org.add_member			dr-bizz		1,717,764,276,074
mastrwayne-admin	org.add_member			YuliiaFilecoin		1,718,131,807,219
mastrwayne-admin	org.cancel_invitation			dr-bizz		1,717,763,622,777
mastrwayne-admin	org.invite_member			jmac-sead		1,709,325,648,469
mastrwayne-admin	org.invite_member			dr-bizz		1,716,381,951,486
mastrwayne-admin	org.invite_member			dr-bizz		1,717,763,623,429
mastrwayne-admin	org.invite_member			YuliiaFilecoin		1,718,129,118,860
mastrwayne-admin	org.remove_member			andyschwab-admin		1,714,403,384,791
mastrwayne-admin	org.update_member			vesahc		1,709,916,175,279
mastrwayne-admin	org.update_member			smagdali		1,711,457,392,214
mastrwayne-admin	payment_method.update					1,710,265,032,884
meandavejustice	org.add_outside_collaborator	filsnap				1,709,053,970,896
momack2	team.add_member		filecoin-project/website	protocolin		1,712,808,324,241
momack2	team.remove_repository	filecoin-project/filecoin.io	filecoin-project/infra			1,712,807,992,943
momack2	team.remove_repository	filecoin-project/filecoin.io	filecoin-project/product-biz			1,712,808,351,881
momack2	team.update_repository_permission	filecoin-project/filecoin.io	filecoin-project/labbers	momack2		1,712,808,194,248
momack2	team.update_repository_permission	alanshaw/website-new	filecoin-project/labbers	momack2		1,712,808,194,733
momack2	team.update_repository_permission	dkkapur/website-new	filecoin-project/labbers	momack2		1,712,808,194,796
momack2	team.update_repository_permission	olizilla/website-new	filecoin-project/labbers	momack2		1,712,808,194,856
momack2	team.update_repository_permission	davidd8/website-new	filecoin-project/labbers	momack2		1,712,808,194,916
mor9x00	org.add_outside_collaborator	on-chain-voting				1,715,150,063,289
NemanjaLu92	org.add_outside_collaborator	builtin-actors				1,718,788,277,969
raulk	team.remove_member		filecoin-project/fips-editors	raulk		1,710,438,045,783
rvagg	org.oauth_app_access_requested					1,724,388,498,720
Schwartz10	org.add_outside_collaborator	go-crypto				1,713,917,349,697
SgtCoin	org.remove_member			SgtCoin		1,710,038,817,019
SgtCoin	team.remove_member		filecoin-project/collab-ff-seo-ux	SgtCoin		1,710,038,692,060
SgtCoin	team.remove_member		filecoin-project/docs-storage-provider	SgtCoin		1,710,038,705,047
smagdali	org.add_member			jochasinga		1,721,934,526,908
smagdali	org.add_member			robertagora		1,723,749,254,241
smagdali	org.cancel_invitation			robertagora		1,721,931,606,580
smagdali	org.cancel_invitation			robertagora		1,723,749,236,666
smagdali	org.invite_member			robertagora		1,721,931,607,225
smagdali	org.invite_member			jochasinga		1,721,932,353,333
smagdali	org.invite_member			robertagora		1,723,749,237,253
snadrus	team.add_repository	filecoin-project/apt	filecoin-project/curio			1,718,136,084,142
starboard-devops	org.add_outside_collaborator	lily				1,709,085,684,123
Stebalien	org.block_user					1,724,693,626,425
Stebalien	team.add_member		filecoin-project/lotus-maintainers	rvagg		1,712,185,153,684
Stebalien	team.add_member		filecoin-project/lotus-maintainers	masih		1,712,185,177,935
Stebalien	team.add_repository	filecoin-project/go-clock	filecoin-project/lotus-maintainers			1,720,947,978,529
tancehao	org.add_outside_collaborator	lily				1,712,111,863,823
TippyFlitsUK	team.add_member		filecoin-project/filoz	TippyFlitsUK		1,713,286,495,408
TippyFlitsUK	team.add_member		filecoin-project/filoz	jennijuju		1,713,286,802,111
TippyFlitsUK	team.add_member		filecoin-project/filoz	masih		1,713,286,819,580
TippyFlitsUK	team.add_member		filecoin-project/filoz	Stebalien		1,713,286,842,636
TippyFlitsUK	team.add_member		filecoin-project/filoz	rjan90		1,713,286,858,112
TippyFlitsUK	team.add_member		filecoin-project/filoz	ZenGround0		1,713,286,891,437
TippyFlitsUK	team.add_member		filecoin-project/filoz	aarshkshah1992		1,713,286,911,898
TippyFlitsUK	team.add_member		filecoin-project/filoz	Kubuxu		1,713,286,929,005
TippyFlitsUK	team.add_member		filecoin-project/filoz	rvagg		1,713,286,946,196
TippyFlitsUK	team.add_member		filecoin-project/filoz	anorth		1,713,286,956,103
TippyFlitsUK	team.add_member		filecoin-project/filoz	irenegia		1,713,287,043,495
TippyFlitsUK	team.add_member		filecoin-project/filoz	lucaniz		1,713,287,061,476
TippyFlitsUK	team.add_member		filecoin-project/filoz	nicola		1,713,287,081,161
TippyFlitsUK	team.create		filecoin-project/filoz	TippyFlitsUK		1,713,286,495,264
TippyFlitsUK	team.promote_maintainer		filecoin-project/filoz	TippyFlitsUK		1,713,286,495,500
tplocic20	org.add_outside_collaborator	filplus-registry				1,721,375,091,914
vesahc	account.plan_change					1,708,934,401,582
vesahc	org.invite_member			robertagora		1,708,969,187,306
web3jenks	org.remove_member			web3jenks		1,723,182,586,510
web3jenks	team.remove_member		filecoin-project/advocates	web3jenks		1,723,182,586,932
willpan1102	org.add_outside_collaborator	on-chain-voting				1,714,395,275,023
ychiaoli18	org.remove_member			ychiaoli18		1,709,443,319,222
ychiaoli18	team.remove_member		filecoin-project/fvm-core-devs	ychiaoli18		1,709,443,319,592
ychiaoli18	team.remove_member		filecoin-project/lotus-contributors	ychiaoli18		1,709,443,319,698
ygy-1231	org.add_outside_collaborator	on-chain-voting				1,723,514,279,109
yukixu007	org.add_outside_collaborator	on-chain-voting				1,715,131,371,784
	org.remove_outside_collaborator			huseyincansoylu		1,721,156,482,953

[Stebalien]

Is there any way to make this into a two-key system? I.e.:

1. Require two approvals from code owners to merge changes to this repo. Ideally we'd only require one approval if the submitter is also a code owner, but I'm not sure how easy this is.
2. Add more code owners (i.e., not just two).

That way we have no single point of failure?

[Stebalien]

But do they need immediate write access to this repo? IMO, any changes should go through our team (I'm mostly concerned about them already being a massive target).

[galargh]

Not really, that only comes in handy when we have to resolve some issue with the project setup, but we can deal with that on a case-by-case basis.

[BigLep]

@Stebalien:

But do they need immediate write access to this repo?

To be clear, this isn't giving them permission (see discussion about the role of codeowners in thie repo here).

The whole of this file is affectively saying that ipdx is needed for any changes made outside https://github.com/filecoin-project/github-mgmt/blob/master/github/filecoin-project.yml . I think that is good. If anyone is making github-mgmt setup changes (which happens in the directories outside of filecoin-project/github-mgmt/github, then they should be engaged.)

(No further action planned by here, but feedback/ideas welcome.)

I'm mostly concerned about them already being a massive target

Fair. To be clear on this, the ipdx team as a whole doesn't have write access to this repo or any other I don't think. @galargh individually is an org owner/admin and part of github-mgmt-stewards (according to this proposed PR), so I agree he's a big target (as are the other couple of owners - which is why I'm trying to limit that set of people).

Potential action: remove @galargh from being a org owner or github-mgmt steward and replace him with someone else. I didn't opt for that in this proposal/PR because I think the risk of his account being compromised is outweighed by if crap-hits-the-fan that we have someone observant, skilled, and knowledgable with github tools take action. I'm happy to change course though.

[galargh]

Is there any way to make this into a two-key system? I.e.:

1. Require two approvals from code owners to merge changes to this repo. Ideally we'd only require one approval if the submitter is also a code owner, but I'm not sure how easy this is.
2. Add more code owners (i.e., not just two).

That way we have no single point of failure?

It would be the easiest to just require 2 approvals - it's as easy as changing a setting in branch protection rules. We can also require reviews from CODEOWNERS.

[smagdali]

I'm good with my personal permissions being reduced, but I think it still makes sense for someone from the Foundation to be an owner? I'll defer to @relotnek , but we should probably also include Baldy in the security-managers.

[BigLep]

I'll work on responding to the feedback in approximately an hour.

@galargh: what do we need to do so that branch protection rules show up in github-mgmt? If we make any adjustments to number of approvals, I'd like to ideally have a log/review of that.

[smagdali]

can we add @relotnek and @parthshah1 to this discussion?

[BigLep]

@Stebalien: responding to comments above...

Role of CODEOWNERS in this repo

I know you weren't asking about this, but to be clear, the reason we have a CODEOWNERS in this repo is so those folks get added to all PRs in the repo as required reviewers. This serves two purposes:

1. Notify the CODEOWNERS automatically
2. Enforcement via branch protection rule to ensure get an approval from a CODEOWNER.

(I didn't realize we didn't have "Require review from Code Owners" enabled for this repo. I have enabled it manually through the UI since this isn't showing up in github-mgmt currently. I put a screenshot below of the branch protection rule UI for master now after my change.)

Add more code owners (i.e., not just two).

The current CODEOWNERS has two teams (github-mgmt-stewards and ipdx) which both have multiple people behind them. Are you worried we only have two teams, or that we don't have enough people behind those teams?

Ideally we'd only require one approval if the submitter is also a code owner, but I'm not sure how easy this is.

There unfortunately isn't an out-of-the-box way to require 2 approvals by default, but only 1 if the author is a CODEOWNER. There are various threads about this online, but I think https://github.com/orgs/community/discussions/84831 most sucinctly describes the issue. It also outlines potential steps one could take to build more smarts with GitHub Actions.

Require two approvals from code owners to merge changes to this repo.

Given the limitation above, I'm weary of requiring two approvals until we create the smarter approval/enforcement flow.

Another option would be to create a new team: github-mgmt-reviewers . This group could have non-write/push access and thus we'd be more comfortable adding more people to it (e.g., more folks from FF, FilOz, ChainSafe, SEAD) and then increase the number of approvers to two. Merging would still be restricted to the github-mgmt-stewards group, who is expected to have good judgement and be versed in the tool.

---

I'm happy to create (and action) backlog items for the ideas above. I'm thinking not to block this PR on them though since this isn't a one-way door, and we can also observe in practice how important these extra/smarter approval levels are. (Devil's advocate: wait-and-see may not be smart as you may have already had a major event/compromise.)

---

[BigLep]

@smagdali:

I think it still makes sense for someone from the Foundation to be an owner.

Ok, I'm personally not hard-opposed, but what value add do you see here vs. the few people that are now proposed? With the proposal here, we've got a few people who will see notifications and can bypass this whole github-mgmt system if necessary. As part of github-mgmt stewards, you can also escalate your permissions to an owner if needed.

Anyways, if you still think its good for FF to have direct owner representation, let me know. I assume I should just add you back.

we should probably also include Baldy in the security-managers

Sure. I don't know their login though. Do you want to add a github suggestion so I can commit it (or put it here)? (I won't plan on blocking the merge for this though - you/they/we can always do a followup with it.)

can we add @relotnek and @parthshah1 to this discussion?

Sure. This PR is public. They can comment at will, and they were @mentioned in the original PR description, so should have been receiving notifications.

[BigLep]

@galargh: what do we need to do so that branch protection rules show up in github-mgmt? If we make any adjustments to number of approvals, I'd like to ideally have a log/review of that.

It looks like their ignored resources as defined in https://github.com/filecoin-project/github-mgmt/blob/master/terraform/resources_override.tf . I think we should do a separate PR after this with any additional resources we want to synchronize as this will bring in a lot of changes. From this PR, two things I wish had been accessible via github-mgmt were repo branch protection rules and team visibility.

[BigLep]

2024-08-27 status:

• I've responded to all comments at this point.
• No hard-nos or major-changes suggested but also no approvals yet either.
• If approvals come in today or tomorrow (2024-08-28), I'll plan on merging 2024-08-28. Otherwise I'll work through any new feedback that comes in and seek approvers.

[galargh]

I'll work on responding to the feedback in approximately an hour.

@galargh: what do we need to do so that branch protection rules show up in github-mgmt? If we make any adjustments to number of approvals, I'd like to ideally have a log/review of that.

https://github.com/filecoin-project/github-mgmt/blob/master/docs/HOWTOS.md#start-managing-new-resource-type-with-github-management

The resource is github_branch_protection. And you can manage which properties of the resource are ignored via - https://github.com/filecoin-project/github-mgmt/blob/master/terraform/resources_override.tf#L30

[anorth]

The intentions etc all seem fine to me. I still see GitHub complaining about the reference to filecoin-project/ipdx, which doesn't exist. I assume this is ok because after this PR merges the team will exist.

For reference:

[BigLep]

2024-08-28 update: I have pushed some commits that have done the following:

1. Broaden and diversify the org ownership a bit more. This was done by:

• Add @magik6k
• Retain @anorth
• Maintain @BigLep (me) at least through the year

2. Created a github-mgmt-approvers team with:

• @rjan90
• @Stebalien
• @willscott
  This team has triage permission to the repo and are also CODEOWNERS. This helps widen the net of people who will get automatically notified about changes and can give approval.

The rationale for these people is in the PR.

The main item that isn't fully addressed here is increasing the reviewer/approval required approvers to 2 approvers (ideally with smart branch protection to only require 1 reviewer if the author is also a CODEOWNER). This topic was covered more in comment above. I have a backlog item to get the "smart" branch protection in place before increasing the number of approvers: #65

In terms of next steps:

1. Give more time for this to be reviewed and collect feedback
2. Merge this next week, Wednesday, 2024-09-04, if no major feedback (and assuming get approval)
3. Tackle Require 2 approvals with "smart" branch protection #65

I believe I have updated the issue description accordingly as well.

[BigLep]

I still see GitHub complaining about the reference to filecoin-project/ipdx, which doesn't exist. I assume this is ok because after this PR merges the team will exist

Yeah, that's right @anorth . Thanks for reviewing. I also pushed some additional changes per #61 (comment)

[willscott]

I'm okay being a github-mgmt reviewer for this org

[relotnek]

I'm good with my personal permissions being reduced, but I think it still makes sense for someone from the Foundation to be an owner? I'll defer to @relotnek , but we should probably also include Baldy in the security-managers.

At a minimum we should have Baldy for operational management / billing related items, and I think it would be good to note who else is performing those duties within the org

[jennijuju]

At a minimum we should have Baldy for operational management / billing related items, and I think it would be good to note who else is performing those duties within the org

IIUC this integration is more about org repo perm management, less about billing like admin operations and so on. If you can provide a description of baldly like bigleps did in his PR, we may evaluate it then.

[jennijuju]

Further changes can be proposed via new PRs

[BigLep]

This got merged while I was out. No objections from me. It does mean that I didn't get to #65 beforehand. I have that on my personal backlog. At this point, I'm going to wait and see how much we wish we had this over the next month before spending time on it. Please flag if you think we need it sooner.

I'll now turn to the followup tasks in #47