ER: Remove inactive members from team resources

hackforla / website

Hack for LA's website

https://www.hackforla.org

GNU General Public License v2.0

324 stars 763 forks source link

ER: Remove inactive members from team resources #4541

Closed JessicaLucindaCheng closed 7 months ago

JessicaLucindaCheng commented 1 year ago

Note: This issue came from the Task List Dev Leads.

Emergent Requirement - Problem

Issue Description

Write an issue to figure out how to remove developers marked inactive in our roster from all team resources.

Update roster

First, we need to make sure our roster is up to date and mark any developers who are no longer active as inactive in the roster.

Clean up GitHub teams

Before removing anyone from a team, make sure they are on the website team in GitHub (https://github.com/orgs/hackforla/teams/website) already, which gives them only read access to the repo. This makes sure it doesn't mess up any work they did (issues they were assigned to and completed, prs they opened, etc). In the past, people may not have been added to the website team in GitHub when they joined so that's why we need to check that they are on the website team in GitHub.
Then do a clean up of teams in GitHub, including
- Downgrading inactive maintainers to just members on the website team in GitHub (https://github.com/orgs/hackforla/teams/website).
- Removing inactive members from the following teams:
- website-write: https://github.com/orgs/hackforla/teams/website-write
- website-merge: https://github.com/orgs/hackforla/teams/website-merge
- website-admins: https://github.com/orgs/hackforla/teams/website-admins

Offboard from other resources

See the Offboard template section of #3175 for all the other resources junior developers need to be offboarded from
See the Offboard template section of #2689 for all the other resources merge team members and tech leads need to be offboarded from

Who was involved

@JessicaLucindaCheng
@SAUMILDHANKAR

What happens if this is not addressed

Inactive developers maintain a level of access to our repo that they don't need (such as write or admin access) and it may make our repo less secure.

Resources

Recommended Action Items

[x] Make a new issue
[x] Discuss with the team
[ ] Let a Team Lead know

Potential solutions [draft]

t-will-gillis commented 1 year ago

@JessicaLucindaCheng @ExperimentsInHonesty @roslynwythe

I believe but am not entirely sure that the schedule-thu-1100 action is checking for any activity (<-- as defined by 'true-github-contributors') over the last 30 days from members and removing them from 'website-write' if no activity is found.
I believe that schedule-monthly is also preparing a list of inactive members but is only generating a report to notify us of who the inactive members are. I don't yet see a timeframe for inactivity (though it could be in the GHA somewhere), and per #4545 >"This script calls the Github API in various ways and gets a list of 'website-write' team members who do not have any active issues." I am not sure how helpful that is- will need to explore a little further to see if the action is only looking for active issues or if there are additional criteria involved. (To me, I think 'active member' should mean more than only 'active issues')

I believe that these two GHAs are supposed to do roughly the same thing, and that either could be modified to accomplish #4541 as well:

I think that the schedule-thu-1100 might be a little more useful, but it is also nice that schedule-monthly actually generates a report. It makes sense to me that we ultimately combine/ reduce this to only one GHA that runs once a month.
I think it will be useful to confirm:
- which of the functionalities we want- that is do we want the action to delete people automatically and create a report ,
- as it says above, that 'inactive members' should be removed from 'website-merge', 'website-write', and 'website-admin',
- as it says above, that team members should never be removed from 'website', and
- what is the timeframe we want to use for inactivity- 30, 45, 60 days?

t-will-gillis commented 1 year ago

@ExperimentsInHonesty @JessicaLucindaCheng @roslynwythe As I am testing the GHAs for removing inactive members, there are edits to member access that I believe should be made/ or discussed. I do not have permissions to make the changes myself:

On the website-write, child team member page:
- Cynthia Kiser: should their name be here, or elevate them to permanent "Maintainer" status?
- jdingeman off of Merge Team, should be off of child team?
- Brian Mui off of Merge Team, should be off of child team?
On the website-merge page:
- jdingeman still listed (I was able to demote him to a regular member)
On the website-admin page:
- jdingeman still listed (and as 'Maintainer')
On the website page, I do have access so I changed membership from 'Maintainer' to regular member:
- Phillip Sanchez << already done
- MJ Shelton << already done
On the "hfla-site-merge" Slack channel the following are no longer on Merge Team:
- Arpita
- Brian Mui
- Chris Menke
- Justin Dingeman
- Kathryn Silva Conway
- MJ Shelton
- Phillip Sanchez
- Not sure about: Akram Nour, Bishr Aboobaker, Christopher Kong ???
- (I would vote to keep Matt Pereira here, since he still occasionally helps out)

ExperimentsInHonesty commented 1 year ago

@t-will-gillis I have updated, see my notes

On the website-write, child team member page:
- Cynthia Kiser: should their name be here, or elevate them to permanent "Maintainer" status?
- Permanent Maintainer status. She is on here https://github.com/orgs/hackforla/teams/website-maintain
- jdingeman off of Merge Team, should be off of child team?
- remove from merge and let the script remove him from write when it gets to him.
- Brian Mui off of Merge Team, should be off of child team?
- remove from merge and let the script remove him from write when it gets to him.
On the website-merge page:
- jdingeman still listed (I was able to demote him to a regular member)
- let the script remove him from write when it gets to him.
On the website-admin page:
- jdingeman still listed (and as 'Maintainer')
- I have removed
On the website page, I do have access so I changed membership from 'Maintainer' to regular member:
- Phillip Sanchez << already done
- MJ Shelton << already done
On the "hfla-site-merge" Slack channel the following are no longer on Merge Team:
- Arpita
- leaving because she sometimes chimes in
- Brian Mui
- self removed
- Chris Menke
- removed
- Justin Dingeman
- removed
- Kathryn Silva Conway
- removed
- MJ Shelton
- self removed
- Phillip Sanchez
- self removed
- Not sure about:
  - Akram Nour
  - removed
  - Bishr Aboobaker
  - removed
  - Christopher Kong
  - removed
- (I would vote to keep Matt Pereira here, since he still occasionally helps out)
- ok

ExperimentsInHonesty commented 1 year ago

What is the next step for this ER?

P.S. if any of the cleanup will not be addressed by the script, please write back here and @ me and @roslynwythe so that we can help remove.

t-will-gillis commented 10 months ago

@ExperimentsInHonesty @roslynwythe

Would someone with admin access to the 'website-write: child' team please make the following changes? I do not have this access manually and so far in testing I cannot seem to access the 'child' team- maybe my token doesn't have permission? Sidenote: it may be that the HACK_FOR_LA_BOT has the admin access to child teams make these changes but I can not tell yet.

cnk : please elevate cnk to 'maintainer' status on 'website-write: child' team
bootcamp-brian (Brian Mui) please remove from the 'website-write: child' team
jdingeman (Justin) please remove from the 'website-write: child' team
jdingeman is still listed as a member of the 'website-merge' team. Could someone manually remove jdingeman from 'website-merge'?
bootcamp-brian is still listed as a member of the 'website-admin:child' team. Can someone manually remove bootcamp-brian from 'website-admin: child'?

roslynwythe commented 9 months ago

@ExperimentsInHonesty @roslynwythe

Would someone with admin access to the 'website-write: child' team please make the following changes? I do not have this access manually and so far in testing I cannot seem to access the 'child' team- maybe my token doesn't have permission? Sidenote: it may be that the HACK_FOR_LA_BOT has the admin access to child teams make these changes but I can not tell yet.

cnk : please elevate cnk to 'maintainer' status on 'website-write: child' team

bootcamp-brian (Brian Mui) please remove from the 'website-write: child' team

jdingeman (Justin) please remove from the 'website-write: child' team

jdingeman is still listed as a member of the 'website-merge' team. Could someone manually remove jdingeman from 'website-merge'?

bootcamp-brian is still listed as a member of the 'website-admin:child' team. Can someone manually remove bootcamp-brian from 'website-admin: child'?

@ExperimentsInHonesty I removed jdingeman from the website-merge team, but my access were rights were not sufficient to allow me to make any of the other changes, so I need to ask you to do those.

t-will-gillis commented 9 months ago

also noticed that :

Please remove bootcamp-brian from 'website-codeofconduct' team
Please remove bootcamp-brian from 'website-maintain:child' team

This is resolved- hiding comment.

t-will-gillis commented 9 months ago

Notes from 1/15/24 Meeting:

cnk: Will will add filter to #5969 to exclude members of 'website-maintain' team from the activity checks.
bootcamp-brian and jdingeman are both resolved now.

ExperimentsInHonesty commented 8 months ago

Hi @t-will-gillis where are we with

this action items from 2024-01-15 https://github.com/hackforla/website/issues/4541#issuecomment-1893029502
- [x] Will will add filter to https://github.com/hackforla/website/issues/5969 to exclude members of 'website-maintain' team from the activity checks.
Is there an issue to change the status of members on the roster from Active to Inactive?
Defining any other actions from the offboarding issues, that will complete this ER
- 2689
- 3175

t-will-gillis commented 8 months ago

Hi @ExperimentsInHonesty Update 1/28/24:

done: The schedule-monthly.yml gha now adds website-maintain members as "permanent contributors" so that the checks don't try to notify or remove them
done: All of the other previously identified members have been removed from "Maintainer" status and/or the child teams
done: The schedule-monthly.yml automation is checking whether inactive members have open issues besides "Pre-work Checklist" and if so, preventing the inactive members from being removed. Since we are not considering the prework issues, this next run will remove many people from the write team access.
done: Manually copied current 'website-write' into the Website Team Roster, then wrote a function to automatically change "Status: Active" if member is on 'website-write' and "Inactive" otherwise.
- explore whether the gha is able to write to the Website Team Roster?
- for future: If a "Lead" does not have write access, they are shown "Inactive" for status. Obviously this can be changed- but is it better to leave "Inactive" so we know that they do not have write access?
- lock function in "Status" column to prevent accidental editing?
- highlighted duplicates, connected github handle with member in 4-5 cases, 3 'active' members not on roster
For #2689 and #3175 - @roslynwythe @JessicaLucindaCheng ?

JessicaLucindaCheng commented 8 months ago

@t-will-gillis

For https://github.com/hackforla/website/issues/2689 and https://github.com/hackforla/website/issues/3175 - @roslynwythe @JessicaLucindaCheng ?

Since it has been a long time since I have onboarded or offboarded anyone, I don't think I'm the most up-to-date with all the current onboarding and offboarding processes for people on the team. I will let @roslynwythe take the lead on that since I think she has been doing most of the onboarding and offboarding of people and has the most current knowledge of the processes.

ExperimentsInHonesty commented 8 months ago

Summary of the items that remain (draft)

[x] ~remove the user from the Google Drive (see notes below about tables team scripts)~
- WG: Done as of 2/23: via a Google Apps Script using hackforla-bot@gmail.com account, removing "Inactive" and unaffiliated members now, scheduled to run once monthly
- WG: ~Note: I have been manually updating membership statuses, linking up emails to github handles, and more to clean up the Website Drive, but notice that Rabia is doing the same thing. So as not to waste time duplicating efforts, I have stopped manually updating.~ Script running/ auto-updates now
[x] ~write a GHA if possible and if not a Google app script to update the users status as inactive when the member is removed from the repo.~
- WG: Done as of 2/19: via a Google Apps Script using hackforla-bot@gmail.com account for the token to access GitHub.
confirm that the solution does the following:
- [x] ~Makes sure the user on the write team, is also on the read team~
- WG: Done please note however: schedule-monthly.yml checks if user is on 'website' team prior to removal and adds them if they aren't.
- [x] ~remove the user from the write team~
- WG: Done. schedule-monthly.yml doing this
- [x] if user has maintainer status on the write team it removes it.
- WG: Update: discussed at 2/26 meeting: won't use maintainer to block. Automation will completely remove the "Inactive" + "maintainer" from the 'website-write' team.
  - ~this is a different behavior than what we have been doing. Currently, if user has "maintainer" status they are protected from removal- the automation logs comment that "This inactive member is a 'Maintainer': xxxxxx" and then skips them~
- [x] ~updates the roster, to make the member be inactive~
- WG: Done as of 2/19. See above also. Script is automatically updating column B on the Roster, once daily (at 9:32 pm for the last several days)
- [x] ~close their prework issue~
- WG: This will be incorporated into #6193
- WG: I reviewed Project Board and closed all open preworks from inactive members - there are no 'orphans' left
- [ ] unassign them from any open issue they are assigned to and move the issue to ??? and add ??? label
- WG: Not done as shown
  - 2/25 Current automation will log the inactive member and the number or the open issue to which the inactive member is assigned, so that any may be reviewed. Incorporated into #6193
  - As an example: if we do this then the bot would be removing 'wanyuguan' & 'n2020h' from 'website-write' and unassigning them from their issues- Is this what we want to have happen?

Things this won't do for now (merge or lead specific)

addressed by https://github.com/hackforla/website/issues/2689
Items
- remove from 1Password
- Remove from forwarding emails
- Remove from Slack channels
- Remove from Figma
- Remove from Calendar invites
- Remove them from the team WIKI page
- Remove from the hack for LA website
- Remove access to Google Data Studio: Hack for LA Organizational Dashboard
- Revoke access to Zoom Meeting Setup spreadsheet

t-will-gillis commented 8 months ago

UPDATE 2/11/24:

Closed all Pre-work Checklists from Inactive members.

Google Sheets 'Roster' file: Up and running as of 2/19

TL;DR Automation is running as of today,

The working Google Apps Script file and keys are accessible/ editable only through the Gmail account for hackforla-bot@hackforla.org (credentials same as for email).
The automation runs daily at 9-10 pm, and checks for the list of "Active" users on the 'website-write' team, then logs the list to a Google Sheet inside the bot account.
The Roster imports this list from the bot account into Column 'B'
(The automation is purposefully attached to the limited-access hackforla-bot account so that GitHub and Google keys/ secrets are not easily accessible)
Column 'F/G' "Permissions" is NOT updated, still manual
See comments above also.

~APIs - Have written a Google Apps Script to call GitHub and update members in my repo. Need to transfer script to the Roster, and authorize the script without making the token visible (via an environment variable? if someone know how to do this... ).~
- ~Col B 'Status':~
- ~Google Apps Script is ready to be transferred to Roster: whose account, hiding access key?~
- ~From 2/12 meeting: use "GitHub Bot" account~
- ~Snag is that not all of current "Leads" are "Active" --> should all of these people be leads?~
- ~Col F 'Permissions':~
- ~Script could update 'Merge Team' easily, but not 'Lead's~
~Cols M-Q: Need anything here?~
~I mis-stated the above regarding the "Lead" designation for 'Permissions'- my question should be: If someone is marked as a "Lead" on the Roster, should this be tied to some aspect of the Website teams? For example, some people that are identified as "Leads" are gone completely from the website (Alex Stubbs, Harish) and some are normal members with no special status (Isaac Cruz, Saumil).~
- ~Note I am only asking the question if you would like me to do something. If not, I can ignore also.~

Google Drive 'HfLA.org Website' Up and running as of 2/23

The working Google Apps Script file and keys are accessible/ editable only through the Gmail account for hackforla-bot@hackforla.org (credentials same as for email).
- The automation currently set to run monthly at 3 am on the 2nd.
- The automation runs daily at 9-10 pm, and checks for the list of "Active" users on the 'website-write' team, then logs the list to a Google Sheet inside the bot account.
- The Roster imports this list from the bot account into Column 'B'
- (The automation is purposefully attached to the limited-access hackforla-bot account so that GitHub and Google keys/ secrets are not easily accessible) ~TL; DR: File is partially, manually updated as of today. Can finish manually except need guidance on access settings.~
~See previous comment. I am abandoning manual updates to the Drive since Rabia has now also started doing the same thing~
~I need to explore further about using scripts to update Drive access.~ ~Update from 2/12 meeting: WG given access to Tables. There are GA Scripts for changing/adding members to Drive.~
~Are there other members who should have or retain higher level of access? For example:~
- ~Current "Content manager"s: John Guan, Zoe Zhong, etc. (People that were given this access in the past)~
- ~Current "Contributor"s: Chelsey Beck, Adam Abundis, etc. (People that are Leads elsewhere)~
- ~Update from 2/12 meeting: If the person is "Inactive" their access to the Drive should be "Viewer". NOT CORRECT per discussion with Rabia~

~Assuming other Google Drive(s) out of scope e.g. the Admin drive~
~Assuming that updates to 1Password out of scope~
~Assuming that Figma access out of scope~
All correct, see Bonnie's comment above

ExperimentsInHonesty commented 8 months ago

Tables team scripts documentation https://github.com/hackforla/tables/blob/main/dev-docs/app-scripts.md

t-will-gillis commented 7 months ago

See comments below:

First, we need to make sure our roster is up to date and mark any developers who are no longer active as inactive in the roster.

WG: accomplished by #4788 in schedule-monthly.yml

Before removing anyone from a team, make sure they are on the website team in GitHub (https://github.com/orgs/hackforla/teams/website) already, which gives them only read access to the repo. This makes sure it doesn't mess up any work they did (issues they were assigned to and completed, prs they opened, etc). In the past, people may not have been added to the website team in GitHub when they joined so that's why we need to check that they are on the website team in GitHub.

WG: also accomplished by #4788 in schedule-monthly.yml: The GHA checks if member is on the 'website' team before removal from 'website-write', and adds them if not.

Then do a clean up of teams in GitHub, including

Downgrading inactive maintainers to just members on the website team in GitHub (https://github.com/orgs/hackforla/teams/website).

Removing inactive members from the following teams:

website-write: https://github.com/orgs/hackforla/teams/website-write

website-merge: https://github.com/orgs/hackforla/teams/website-merge

website-admins: https://github.com/orgs/hackforla/teams/website-admins

WG: Issue #6193 adding segment to remove "Inactive" members from 'website-merge' in addition to 'website-write'. It appears removal of 'website-admin' requires admin access for the bot.
WG: See also Google Sheets to ID Active Members automatically updates Website Team Roster for "Active"/"Inactive" members.
WG: See also Google Apps Script to Update Website Drive automatically updates Website Team's Google Drive access based on "Active" members, and updates Team Roster.

See comments from Bonnie above regarding other Team Resources