Open nottrobin opened 4 years ago
@nottrobin generally perfect... some possible exceptions
@pmahnke aren't the needs of both people solved through being members of teams added to individual repositories? Presumably even David Calle doesn't actually need access to literally every repo.
The context for this policy (which I don't think I mentioned to you yet) is that I asked Joe about keeping credentials in GitHub for the purposes of using GitHub Actions for e.g. publishing Python packages. The trouble is:
"Anyone with write access to a repository can create, read, and use secrets."
Joe said this would be okay as long as it was definitely only members of Canonical who had write access and preferably only members of our team.
For the purposes of this particular use-case, the repos we would need to be careful with are anything published to PyPI, but you can at least imagine the same model being used for NPM packages (most prominently, Vanilla), and if this goes well, who knows how many other things we might want to do with other repositories.
If setting labels is the chief need we have, we could look into supporting that through a bot or connected service of some type. I've seen that on other projects, kinda like what the stalebot does.
I've discovered that it's pretty trivial to write a GitHub action to add a label based on what someone writes in a comment (here's my example). We may even be able to restrict this to certain usernames. This should mean it's quite easy to provide a way for e.g. Nick to update labels without being added to a repository.
In related news, I also found this which could be handy: https://github.com/marketplace/pr-label-enforcer
Kit ran into: https://github.com/actions/labeler/issues/12
@squidsoup: someone has proposed a workaround using https://github.com/marketplace/actions/periodic-labeler.
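The comment-driven labelling idea discussed above, sketched as an added example (not code from this thread or from the linked projects): a handler that takes an `issue_comment` webhook payload and returns only pre-approved labels, and only for allowlisted usernames. The `/label` command syntax, `ALLOWED_USERS` and `ALLOWED_LABELS` are assumptions made for illustration.

```javascript
// Added example: decide which labels a comment is allowed to apply.
// Input is shaped like GitHub's issue_comment webhook payload
// (comment.user.login, comment.body). Both allowlists are hypothetical.
const ALLOWED_USERS = new Set(["example-triager"]);
const ALLOWED_LABELS = new Set(["bug", "priority: high", "needs design"]);

// Command syntax (an assumption of this example): a line such as
//   /label bug, priority: high
const COMMAND = /^\/label[ \t]+(.+)$/;

function labelsFromComment(payload) {
  const login = payload?.comment?.user?.login;
  const body = payload?.comment?.body;
  if (typeof login !== "string" || typeof body !== "string") {
    return { labels: [], rejected: [], reason: "malformed payload" };
  }
  // GitHub logins are case-insensitive, so compare in lower case.
  if (!ALLOWED_USERS.has(login.toLowerCase())) {
    return { labels: [], rejected: [], reason: "user not allowed" };
  }
  const labels = new Set();
  const rejected = [];
  for (const line of body.split(/\r?\n/)) {
    const match = COMMAND.exec(line.trim());
    if (!match) continue;
    for (const raw of match[1].split(",")) {
      const name = raw.trim().toLowerCase();
      if (name === "") continue;
      // The comment body is untrusted: only fixed, pre-approved
      // label names ever leave this function.
      if (ALLOWED_LABELS.has(name)) labels.add(name);
      else rejected.push(name);
    }
  }
  const reason = labels.size > 0 ? "ok" : "no allowed labels requested";
  return { labels: [...labels], rejected, reason };
}
```

In a workflow, the returned names would be passed to the labels API by a job whose token is limited to `issues: write`, so the people labelling never need write access to the repository or its secrets.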
Write this up properly: