Clean up infrastructure permissions #476

Merged
merged 1 commit into from
Aug 9, 2024

haydentherapper
Contributor

  • Removed inactive PGI members
  • Consistently make sigstore-oncall team maintain, not admin or push
  • helm-charts helm team to maintain, not admin
  • scaffolding-codeowners to maintain, not admin
  • Removed collaborators that were duplicated in team memberships
  • Clarified team descriptions for helm vs helm-sigstore-codeowners

Summary

Release Note

Documentation

github-actions bot commented Aug 8, 2024

🍹 preview on sigstore-github-sync/sigstore/github-prod

Pulumi report
  Previewing update (sigstore/github-prod)

View Live: https://app.pulumi.com/sigstore/sigstore-github-sync/github-prod/previews/4a793abc-9ca4-42de-b5c3-fb7d0ad6653f

@ Previewing update.....
pulumi:pulumi:Stack: (same)
  [urn=urn:pulumi:github-prod::sigstore-github-sync::pulumi:pulumi:Stack::sigstore-github-sync-github-prod]
  ~ github:index/team:Team: (update) 🔒
      [id=5291354]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/team:Team::helm]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ description: "Helm Maintenance" => "Team for Helm charts for Sigstore infrastructure"
  ~ github:index/team:Team: (update) 🔒
      [id=4807653]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/team:Team::helm-sigstore-codeowners]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    + description: "Team for helm-sigstore plugin"
  ~ github:index/teamMembership:TeamMembership: (update)
      [id=5291354:sabre1041]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamMembership:TeamMembership::sabre1041-helm]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ role: "maintainer" => "member"
  + github:index/teamMembership:TeamMembership: (create)
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamMembership:TeamMembership::bobcallaway-sigstore-oncall]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      role      : "member"
      teamId    : "6693572"
      username  : "bobcallaway"
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=5291354:helm-charts]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::helm-charts-helm]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "push" => "maintain"
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=6693572:helm-charts]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::helm-charts-sigstore-oncall]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "push" => "maintain"
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=5291354:helm-sigstore]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::helm-sigstore-helm]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "admin" => "maintain"
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=6693572:public-good-instance]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::public-good-instance-sigstore-oncall]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "push" => "maintain"
@ Previewing update....
  ~ github:index/branchProtection:BranchProtection: (update)
      [id=BPR_kwDOFotDCM4DA1RL]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-main]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ restrictPushes: [
        ~ [0]: {
                ~ pushAllowances: [
                    ~ [0]: "U_kgDOByoNQQ" => "T_kwDOBDzYIc4AYVWd"
                    ~ [1]: "T_kwDOBDzYIc4AYVWd" => "MDQ6VXNlcjg2ODM3MzY5"
                    ~ [2]: "MDQ6VXNlcjg2ODM3MzY5" => "T_kwDOBDzYIc4AZiLE"
                    + [3]: "U_kgDOByoNQQ"
                  ]
              }
      ]
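
Review bot: In pushAllowances for root-signing-main, the changes at [0] to [2] are only a reordering; the one net change is the addition of "T_kwDOBDzYIc4AZiLE", the same ID that is added at [2] for root-signing-staging-main, and the PR description does not mention any change to branch-protection push allowances. Please name the actor behind that ID in the description and say why it needs to push to the protected branch of root-signing. Keeping the list in a stable order in the Pulumi program would also stop a reorder from hiding a real addition like this one.
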
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=6693572:root-signing]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::root-signing-sigstore-oncall]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "push" => "maintain"
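
Review bot: permission "push" => "maintain" for sigstore-oncall on root-signing raises the team's access rather than reducing it, and the same holds for every sigstore-oncall entry in this preview (helm-charts, public-good-instance, root-signing-staging, scaffolding); no entry lowers that team from admin. The description's "maintain, not admin or push" reads as a cleanup, so it is worth stating explicitly that this is an intentional increase and confirming that on-call needs maintain rather than push on root-signing in particular.
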
  ~ github:index/branchProtection:BranchProtection: (update)
      [id=BPR_kwDOKlCAEM4DA1SW]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-staging-main]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ restrictPushes: [
        ~ [0]: {
                ~ pushAllowances: [
                      [0]: "T_kwDOBDzYIc4AhiMd"
                      [1]: "MDQ6VXNlcjg2ODM3MzY5"
                    + [2]: "T_kwDOBDzYIc4AZiLE"
                  ]
              }
      ]
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=6693572:root-signing-staging]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::root-signing-staging-sigstore-oncall]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "push" => "maintain"
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=6693572:scaffolding]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::scaffolding-sigstore-oncall]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "push" => "maintain"
  ~ github:index/teamRepository:TeamRepository: (update)
      [id=5757921:scaffolding]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::scaffolding-scaffolding-codeowners]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
    ~ permission: "admin" => "maintain"
@ Previewing update....
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=scaffolding:cpanato]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::scaffolding-cpanato]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "admin"
      permissionDiffSuppression: false
      repository               : "scaffolding"
      username                 : "cpanato"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=public-good-instance:cpanato]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::public-good-instance-cpanato]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "admin"
      permissionDiffSuppression: false
      repository               : "public-good-instance"
      username                 : "cpanato"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=helm-charts:cpanato]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::helm-charts-cpanato]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "admin"
      permissionDiffSuppression: false
      repository               : "helm-charts"
      username                 : "cpanato"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=public-good-instance:haydentherapper]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::public-good-instance-haydentherapper]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "maintain"
      permissionDiffSuppression: false
      repository               : "public-good-instance"
      username                 : "haydentherapper"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=public-good-instance:TomHennen]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::public-good-instance-TomHennen]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "triage"
      permissionDiffSuppression: false
      repository               : "public-good-instance"
      username                 : "TomHennen"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=public-good-instance:hectorj2f]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::public-good-instance-hectorj2f]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "maintain"
      permissionDiffSuppression: false
      repository               : "public-good-instance"
      username                 : "hectorj2f"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=helm-charts:sabre1041]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::helm-charts-sabre1041]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "admin"
      permissionDiffSuppression: false
      repository               : "helm-charts"
      username                 : "sabre1041"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=scaffolding:priyawadhwa]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::scaffolding-priyawadhwa]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "admin"
      permissionDiffSuppression: false
      repository               : "scaffolding"
      username                 : "priyawadhwa"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=public-good-instance:bobcallaway]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::public-good-instance-bobcallaway]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "admin"
      permissionDiffSuppression: false
      repository               : "public-good-instance"
      username                 : "bobcallaway"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=helm-charts:k4leung4]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::helm-charts-k4leung4]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "maintain"
      permissionDiffSuppression: false
      repository               : "helm-charts"
      username                 : "k4leung4"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=public-good-instance:k4leung4]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::public-good-instance-k4leung4]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "push"
      permissionDiffSuppression: false
      repository               : "public-good-instance"
      username                 : "k4leung4"
  - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
      [id=public-good-instance:vaikas]
      [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::public-good-instance-vaikas]
      [provider=urn:pulumi:github-prod::sigstore-github-sync::pulumi:providers:github::default_6_2_3::dfb01c0f-bb2a-45c2-9d92-e6152b5cee06]
      permission               : "push"
      permissionDiffSuppression: false
      repository               : "public-good-instance"
      username                 : "vaikas"
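
Review bot: The twelve RepositoryCollaborator deletes cover two different reasons from the description (inactive PGI members, and collaborators duplicated by team membership), but the preview does not show which delete is which, or which team keeps access for the duplicated users. Several of them remove direct admin (cpanato on scaffolding, public-good-instance and helm-charts; sabre1041 on helm-charts; priyawadhwa on scaffolding; bobcallaway on public-good-instance), so please list per user whether access is dropped entirely or continues through a named team, so a reviewer can check that nobody active is locked out and nobody inactive keeps access indirectly.
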
Resources:
  + 1 to create
  ~ 13 to update
  - 12 to delete
  26 changes. 578 unchanged
  

* Removed inactive PGI members
* Consistently make sigstore-oncall team maintain, not admin or push
* helm-charts helm team to maintain, not admin
* Change instance of team maintainer to member (makes sure all changes
  are through pulumi)
* scaffolding-codeowners to maintain, not admin
* Removed collaborators that were duplicated in team memberships
* Clarified team descriptions for helm vs helm-sigstore-codeowners

Signed-off-by: Hayden Blauzvern <[email protected]>
Member

@bobcallaway bobcallaway left a comment

a big change but i think lgtm

@haydentherapper haydentherapper merged commit b819936 into sigstore:main Aug 9, 2024
2 checks passed