Manage GitHub teams permissions as code

[Alaurant]

This Pull Request enhances the process for managing team permissions. It automates the synchronization of team data, ensuring our GitHub records are always up-to-date.

Key Features

Repository Permission Updates: Once the PR is merged, it updates the team and sends an invitation if needed.

Automatic Sync: it runs every week to ensure the files’ data is in sync with the live data on GitHub.

[timja]

Some initial feedback, what testing has been done on this?

[timja]

do we think we need to add this / need it as the only way?

teams are currently done by the repository name and should be easily determinable, (there may be some outliers though and where it might be good to be able to override this)

[Alaurant]

Currently, if a YAML file doesn't include github_team, I don't take any action.
If it does include github_team, I assume there's a unique team name like github_team: abc_team, and update the developers on that team.

However, based on your description, it seems uncommon to have a unique team name specified. Is it more common for github_team to be included without a specific name, meaning the team name would default to the repository name?

Also, if I have misunderstood anything in the first part, please correct me.

[timja]

it will currently never include a GitHub team you will need to backfill those across the repository with this approach.

(not necessarily a bad thing)

Teams will almost always be unique per repository, occasionally there will be additional teams with access.

e.g. design-library-plugin has the sig-ux team with access.

and there will be other similar examples

[daniel-beck]

e.g. design-library-plugin has the sig-ux team with access.

In particular, while most teams are ${repo}-developers, there are some "special" teams spanning multiple repositories.

Also, I don't see where team repos are being managed, only team members. Would those special teams be excluded from management as code?

Similarly, this also hardcodes push permission, when there are cases where the permissions should be different. Are those also excluded?

[TheMeinerLP]

I would suggest for non-schema based groups that in the future it is moved to an extra section called: custom-groups.

[timja]

It needs to be done before go-live of the new solution, ideally as close to when the other solution is ready to merge in case changes occur again.

[Alaurant]

I've set up a new repository for the one-off backfill and updated the README with the current backfill logic and a few questions. When you have a moment, I'd appreciate it if you could take a look: https://github.com/Alaurant/OneOffSyncTool.

[timja]

Extended Permissions

1. You should be able to see all GitHub permissions with this report which might help with your permissions request: https://reports.jenkins.io/github-jenkinsci-permissions-report.json

Format

2. I wouldn't use the empty string if you can't match a person: github: "", just omit the key.

Clarification of Special Teams:

3. I'm not sure what you mean by clarification of special teams, yes its name is SIG: UX

Challenges with Multiple YAML Files for a Single Repository

4. I think only one file should be managing the GitHub permissions ideally good point

[Alaurant]

Thank you for your patience in reading and responding. The permissions report will be helpful.

Format

Following your advice to omit the key, would the entries look like this?

- ldap: Alice
- github: Bob
- ldap: Chalie
  github: Chalie

Clarification of Special Teams:

I appreciate your help on the "SIG: UX" clarification. Could you confirm if the following matches are correct?

1. cloudbees-developers: company-cloudbees-developers
2. core: Core or Core PR Reviewers?
3. security: core-security-review
4. openshift-developers: Which team corresponds to this in the provided image?

Thank you again.

[timja]

1. Yes entries would look like that
2. yes cloudbees is company-cloudbees...
3. core is Core
4. I don't think security is core-security-review, they are separate
5. there's no openshift-developers team in GitHub but I'm sure it would be a good idea.

[daniel-beck]

It is unclear to me what this is trying to accomplish and why it is added to this repository.

[daniel-beck]

This message appears to be misleading, as it claims to modify yml files, rather than use them as a reference (which seems to be what YmlTeamLoader#loadTeam does).

[daniel-beck]

This relies on every single execution being successful (assuming no infra trouble ever), which seems unsafe.

[timja]

There's a sweeper that runs once per week, I umm'ed and erred on this. Only operating on changes files will certainly be quicker, but why re-invent the wheel instead of using something like terraform which can maintain the state?

[NotMyFault]

Wouldn't terraform be a bit over the top for this PR?

[timja]

its a standard infra as code tool, rather than re-implementing the wheel, it allows more people to collaborate especially from e.g. the infra team.