MAAP-Project / Community

Issue for MAAP (Zenhub)

Set up organization level self-hosted runner groups for maap #1017

Open sujen1412 opened 2 weeks ago

sujen1412 commented 2 weeks ago

We would like to start using GitHub Actions for our deployments, which requires us to set up self-hosted runners for each venue and different repositories. It would be nice to have runner groups to be able to share these runners across repos.

wildintellect commented 2 weeks ago

@sujen1412 so this would be for both public and private repositories?

How do you intend to prevent malicious execution of runners with PRs from forks? https://docs.github.com/en/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories

Who needs to be in the group that can configure the runners? Should we make more than one runner group (aka separate from the default runner group)?

cc: @freitagb @xhagrg for review on the IMPACT side.

sujen1412 commented 2 weeks ago

Yes, this would be for both public and private repositories. We do not plan to use self-hosted runners to trigger actions on pull requests. Self-hosted runners would be used for deployments done via the deployment endpoint, a manual workflow dispatch, or an approved deployment through a protected branch.

Would like to add @frankinspace and @bsatoriu as approved users as well.

sujen1412 commented 2 weeks ago

We would like 3 different runner groups to start with, called dit, uat and ops.

wildintellect commented 2 weeks ago

So are you going to use Releases/Tags or fully manual triggering for workflows, @sujen1412?

frankinspace commented 2 weeks ago

Deployments will only be triggered automatically based on pushes to protected branches. Manual triggers can be sourced from feature branches (limited to DIT environment) or protected branches (develop == DIT, release/* == UAT, main == OPS).

During discussion on Jun 12, we would prefer to limit the org-level runners to specific public repositories instead of all public repos. @wildintellect will investigate if this is possible. Additionally, @wildintellect will set up a runners team and include platform members to help administer the runners.
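As an added illustration (not a workflow from the MAAP-Project repositories), the following GitHub Actions workflow encodes the rules stated in this thread: automatic deployments only on pushes to protected branches, manual `workflow_dispatch` allowed but forced to DIT for anything that is not a protected branch, no `pull_request` trigger at all so fork PRs never land on the self-hosted runners, and the branch-to-venue mapping (`develop` = DIT, `release/*` = UAT, `main` = OPS) routed to the runner groups named `dit`, `uat` and `ops`. The job names, the `deploy.sh` script, the GitHub environment names and the use of expressions inside `runs-on.group` are assumptions for the example; the "approved deployment" step from the thread corresponds to required-reviewer protection rules configured on each environment in repository settings, not to anything in this file.

```yaml
# Added example, not part of the MAAP-Project issue or repositories.
# Runner group names (dit/uat/ops) and the branch mapping come from the
# thread; job names, environment names and deploy.sh are assumptions.
name: deploy

on:
  # Automatic deployments come only from pushes to protected branches.
  # No pull_request / pull_request_target trigger: code from fork PRs
  # never executes on the self-hosted runners.
  push:
    branches:
      - main
      - develop
      - 'release/*'
  # Manual trigger; any non-protected ref is forced to DIT below.
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  select:
    # Decide the venue from the ref only. This job needs no secrets,
    # so it can run on a GitHub-hosted runner.
    runs-on: ubuntu-latest
    outputs:
      target: ${{ steps.map.outputs.target }}
    steps:
      - id: map
        shell: bash
        run: |
          case "$GITHUB_REF" in
            refs/heads/main)       target=ops ;;
            refs/heads/release/*)  target=uat ;;
            refs/heads/develop)    target=dit ;;
            *)                     target=dit ;;  # feature branch via dispatch: DIT only
          esac
          echo "target=$target" >> "$GITHUB_OUTPUT"

  deploy:
    needs: select
    # Assumption: an expression is accepted for runs-on.group and for the
    # environment name, so one job serves all three venues.
    runs-on:
      group: ${{ needs.select.outputs.target }}
    # Environment protection rules (required reviewers) supply the
    # "approved deployment" gate; they are configured in repo settings.
    environment: ${{ needs.select.outputs.target }}
    concurrency:
      group: deploy-${{ needs.select.outputs.target }}
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config on a shared runner.
          persist-credentials: false
      - name: Deploy
        env:
          # Pass the value through the environment instead of
          # interpolating ${{ }} directly into the shell line.
          TARGET: ${{ needs.select.outputs.target }}
        run: ./deploy.sh "$TARGET"
```

The `select` job deliberately keys on `GITHUB_REF` rather than on a user-supplied `workflow_dispatch` input, so a manual run from a feature branch cannot name `ops` as its target; combined with the organization setting mentioned below this comment (require approval for fork PR workflows) and restricting the runner groups to an explicit list of repositories, this keeps untrusted code off the deployment runners.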

wildintellect commented 2 weeks ago

I've updated "Fork pull request workflows from outside collaborators" to "Require approval for all outside collaborators".

It looks like we can manage allowing this on specific repos. So if @sujen1412 and @frankinspace can provide a list of which repos, I'll enable that. I have not found a way to delegate this power yet.

frankinspace commented 2 weeks ago

We could start with just:
- https://github.com/MAAP-Project/maap-api-nasa
- https://github.com/MAAP-Project/maap-py