search

OBOFoundry / OBOFoundry.github.io

Metadata and website for the Open Bio Ontologies Foundry Ontology Registry
http://obofoundry.org
Other
166 stars 204 forks source link

Rework GitHub Team membership and permissions #1404

Open jamesaoverton opened 3 years ago

jamesaoverton commented 3 years ago

I would like to reorganize our GitHub Teams and permissions with the primary goal of reducing the number of people with Admin permissions for our repositories, and giving everyone else just the permissions that they need (and are currently using).

We talked about this on yesterday's OBO Foundry Operations Committee (OFOC) call, and had unanimous agreement in principle. I'll spell out the details of my proposal here, and we'll try to get final approval on the next OFOC call in two weeks. Unfortunately it's a bit complex, but I'll do my best to be clear.

GitHub has two tiers of permissions, Organization and Repository, and a few permission levels within each:

The key concern is that anyone with Owner or Admin permissions can accidentally delete our repositories. While it's possible to recover the main repository contents, it turns out that a lot of other important information cannot be recovered. A secondary concern is that our current Teams are not well organized or described:

https://github.com/orgs/OBOFoundry/teams

When we migrated to GitHub about six years ago, the permission levels provided were quite coarse. At that time we made a long list of Owners and added all the members of the OBO Foundry Operations Committee to the "OBO-Admin" GitHub Team, and gave that team Admin permissions on all our repositories. That team now has more than 20 members. Many of those people may not realize that they have Admin permissions.

These lists are not public, but if you are on the list and logged in to GitHub you'll be able to see your name:

Since that time, GitHub has implemented a range of more fine-grained permissions, and we've learned more about what permissions people actually need in practise.

I propose these three GitHub Teams:

I'd like to get rid of the legacy Teams to keep the lists better organized, but that will break previous "@" mentions.

I think that the changes I'm proposing won't actually impact anybody's daily work. They're just supposed to make us a bit safer from accidents, and make permissions a bit more clear. But I admit that it's a bit complicated, and I may have overlooked something. Feedback is appreciated.

matentzn commented 3 years ago

I like this very much!

nlharris commented 3 years ago

This sounds great!

cmungall commented 3 years ago

agreed. It's complex but you made it very clear. I agree with the proposal and have no suggestions for modifications.

(I'm going to bookmark this ticket and use it as exemplar for any other large github orgs)

On Thu, Jan 14, 2021 at 8:46 AM Nomi Harris notifications@github.com wrote:

This sounds great!

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/OBOFoundry/OBOFoundry.github.io/issues/1404#issuecomment-760318692, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAMMOMS3Q36RMEKIQXKHMTSZ4NV3ANCNFSM4WBKWLFA .

nlharris commented 3 years ago

Does anything further need to be done to approve this, or can James go ahead and implement this?

jamesaoverton commented 3 years ago

We had a preliminary discussion on an Operations call, then I worked through the details here. Some of the details are different from what I said on the call. I would like to review this once more on an Operations call before implementing. Unfortunately we've had a long gap between calls.

yongqunh commented 3 years ago

Sounds great!

nlharris commented 3 years ago

@jamesaoverton should we put this on the agenda for tomorrow?

jamesaoverton commented 3 years ago

Yes, I'll be happy to talk about it tomorrow. Thanks.

jamesaoverton commented 3 years ago

Discussed on the OFOC call 2021-02-23: There was support for this plan and no objections. I will move ahead with this when I have time.

cthoyt commented 3 years ago

@jamesaoverton I would love the ability to assign issues to @matentzn 😁 Are you planning on circling back on this soon?

jamesaoverton commented 3 years ago

Sorry, this issue will take me a few uninterrupted hours, and those are rare. As a short-term measure I gave @matentzn Write permissions and @cthoyt Triage permissions.

jamesaoverton commented 2 years ago

I haven't made the time to do this properly, but I took two steps:

  1. I created a new "OBO Foundry Operations Committed" team. All current members should be on this team, and gotten invitations just now. I gave this team Write permissions on this repo.

That involved a bunch of copy-pasting. I might have made mistakes. @nlharris or @nicolevasilevsky would you mind cross-checking those Team members against the list http://obofoundry.org/docs/Membership.html. Or do we have a more official list somewhere?

  1. I removed most people from the old OBO Admin team. Only these six remain: @balhoff @beckyjackson @cmungall @jamesaoverton @kltm @matentzn. This team has Admin rights on this repo.
matentzn commented 2 years ago

Very nice, thanks a lot of cleaning up!

jamesaoverton commented 2 years ago

In a recent discussion, we noticed that there are still many more owners than there should be. The current proposal is that only the OBO Admin team should be owners.

nicolevasilevsky commented 2 years ago

That involved a bunch of copy-pasting. I might have made mistakes. @nlharris or @nicolevasilevsky would you mind cross-checking those Team members against the list http://obofoundry.org/docs/Membership.html. Or do we have a more official list somewhere?

I think I missed this (almost a year ago). @jamesaoverton would you still like help with this?