Cray-HPE / community

MIT License

IaC solution for GitHub #29

Open mtupitsyn opened 2 years ago

mtupitsyn commented 2 years ago

Abstract

Store the most important configuration settings for GitHub teams and repositories in git, and run a periodic task which synchronizes the configuration with the actual GitHub config via the REST API.

Problem Statement

With many people/teams having administration rights on GitHub repositories, it becomes hard to coordinate and monitor changes to repo and team configuration. With the configuration stored in git, we'll have a centralized view and clear ownership of each change.

Internal References

External References

Proposed Solution(s)

Note: the team which has write permission to the IaC repo has write permission to everything else. The IaC process must ensure the membership of the admin group and the assignment of only the admin group to the IaC repo itself.

Impact of Action/Inaction

Relying on the current way of configuring repos/teams (through the web UI, on a per-repository basis) is prone to misconfiguration and complicates auditing. Overall this introduces a security risk, which is especially critical for public repositories.

Further Information

Infrastructure as Code

Suggested Reviewers

Comment Period

Comment period for this proposal shall close on Nov 10, 2021.
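One way to implement the synchronization step this proposal describes, as an added example that is not part of the original proposal or any Cray-HPE tooling: the desired state (what would be kept in git) is diffed against the live state (what the GitHub REST API reports), producing a plan of grants, revocations and permission updates, and the note's invariant that only the admin team may be assigned to the IaC repo is enforced before any plan is produced. The data shape (`{repo: {team: permission}}`), the team and repo names, and the `plan` function are assumptions; applying the actions through the GitHub API is left out.

```python
"""Reconcile desired GitHub team/repo permissions (stored in git) against the
live state fetched from the GitHub REST API. Added example; the data shape and
the names below are assumptions, not the project's own tooling."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str          # "grant", "revoke" or "update"
    repo: str
    team: str
    permission: str = ""


def check_iac_invariant(desired, iac_repo, admin_team):
    """Enforce the proposal's note: write access to the IaC repo implies
    control of everything, so only the admin team may be assigned to it."""
    teams = desired.get(iac_repo, {})
    if set(teams) != {admin_team} or teams[admin_team] != "admin":
        raise ValueError(f"{iac_repo} must be assigned only to {admin_team} with admin permission")


def plan(desired, actual, iac_repo, admin_team):
    """desired/actual: {repo: {team: permission}}. Returns the actions needed
    to make the live state match git. Revocations are included so that grants
    made out of band through the web UI are undone on the next sync; repos
    that are absent from git are left untouched."""
    check_iac_invariant(desired, iac_repo, admin_team)
    actions = []
    for repo in sorted(desired):
        want, have = desired[repo], actual.get(repo, {})
        for team in sorted(set(want) | set(have)):
            if team not in have:
                actions.append(Action("grant", repo, team, want[team]))
            elif team not in want:
                actions.append(Action("revoke", repo, team))
            elif want[team] != have[team]:
                actions.append(Action("update", repo, team, want[team]))
    return actions


# Constructed sample data standing in for the git-stored config and the API response.
DESIRED = {
    "iac-config": {"org-admins": "admin"},
    "app-a": {"team-a": "push", "org-admins": "admin"},
}
ACTUAL = {
    "iac-config": {"org-admins": "admin"},
    "app-a": {"team-a": "pull", "contractor": "push"},   # drift introduced via the web UI
}

if __name__ == "__main__":
    for action in plan(DESIRED, ACTUAL, "iac-config", "org-admins"):
        print(action)
```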

zcrisler commented 2 years ago

Related to CTO SCOE build assessment requirements CASMINST-3366 and CASMINST-3369.

mtupitsyn commented 2 years ago

Related to CTO SCOE build assessment requirements CASMINST-3366 and CASMINST-3369.

Added these to "Internal References" section.

jsollom-hpe commented 2 years ago

I support this.