ministryofjustice / github-collaborators

Manage outside collaborators on our Github repositories • This repository is defined and managed in Terraform

Being repeatedly removed and re-invited as a collaborator #106

Closed ibrechin closed 3 years ago

ibrechin commented 3 years ago

I was added as a collaborator on https://github.com/ministryofjustice/bai2, but after accepting the invite, within 24 hours I was removed as a collaborator and a new invite was sent out. After accepting the invite again, the same thing happened.

AntonyBishop commented 3 years ago

Hi @ibrechin. This would be due to - https://github.com/ministryofjustice/github-collaborators#github-external-collaborators

We need you captured in TF to stop this happening.

You can either raise the change and a PR, or if you don't have access to create a branch then provide me with the following info:

Any problems let me know.

ibrechin commented 3 years ago

I am captured in TF: https://github.com/ministryofjustice/github-collaborators/blob/953b9144368b5c0097fdef5b7b653b53c1e0b4b1/terraform/bai2.tf

I am assuming that the fact that I am captured in TF is why some automated process keeps on removing me and then re-inviting me.

AntonyBishop commented 3 years ago

Will investigate.

digitalronin commented 3 years ago

@ibrechin @AntonyBishop is this still happening?

I'm not sure what's going on here.

There are 2 ways this repo removes collaborators.

Collaborators who are defined in terraform, and then get removed (by deleting the terraform code from this repository) are removed by the Terraform apply github action.

If that happens, we see a line like this in the workflow log:

module.mojfile-uploader.github_repository_collaborator.collaborator["jriga"]: Destroying... [id=mojfile-uploader:jriga]

The other way is the Post collaborators JSON github action, which runs a script that removes all collaborators who aren't defined in terraform code.

When that happens every collaborator removed is logged like this:

Removing collaborator tomdMOJ from repository security-guidance

(There's also a "Remove a collaborator" github action, but that is only ever run manually, supplying the collaborator and repo name when the action is invoked, so it's definitely not involved here)

I've looked through all the workflow logs going back for the last 10 days, and the only relevant mention of ibrechin I can see is this:

module.bai2.github_repository_collaborator.collaborator["ibrechin"]: Refreshing state... [id=bai2:ibrechin]

That's from this run 8 days ago, and it implies that, at that point in time, ibrechin was a collaborator (defined in terraform) on the bai2 repository.

Whenever the script removes a collaborator, it creates an issue in the relevant repository, like this one. I can only see that one issue, in the bai2 repository.

Because I can't see any mention of removing ibrechin in either set of logs, and because there's only one auto-generated issue on that repo, I don't think it's this project which is repeatedly removing access to that repository.

I can see a pending invite for ibrechin in that repo: https://github.com/ministryofjustice/bai2/settings/access

Pending invites are invisible to the Terraform code that manages our collaborators, because they don't show up in the Github API, and until you accept the invite, you won't have access.

Please try accepting that invite, and let's see if this happens again.

If it does, we can try to work through it in realtime when we can run the action and see the results immediately (@AntonyBishop I might have to leave that part to you - all of the relevant actions can be triggered via the Github UI "Run workflow" button, e.g. here, and then just keep an eye on the log output in the github UI).

ibrechin commented 3 years ago

I stopped accepting the invites because I was getting removed again every time, and unfortunately the last invite I received was on 21st January and when I tried to accept it just now Github said it had expired.

I can give the timestamps for when the invites were sent out (I don't know if this would be the same time that I was removed):

14th Jan - 12:13 (I think this was the initial invite)

14th Jan - 13:36

15th Jan - 05:12

21st Jan - 05:34

ibrechin commented 3 years ago

I have received new invites which I have now accepted. Let's see if it takes.

ibrechin commented 3 years ago

As of 10:28 today I appear to have been removed and sent new invites again.

AntonyBishop commented 3 years ago

Hi @ibrechin thanks for letting us know.

@digitalronin anything that would suggest why this happened?

digitalronin commented 3 years ago

@AntonyBishop You were absolutely right - the problem is the "maintain" permission.

"maintain" and "triage" won't work, because the github API only (and incorrectly) returns "pull", "push" or "admin" once you create the collaboration (see this issue comment). So, terraform always thinks the permission is incorrect, and recreates the collaboration on every terraform apply.

I can reproduce this problem if I set permission to "maintain" or "triage" - as soon as I accept the invitation, terraform recreates the collaboration on the next run. The two people affected by this issue are the only collaborators who were given "maintain" permissions on the relevant repositories.

Changing to "push" makes everything work fine, and it doesn't make any difference when you accept the invitation.

I've changed the affected collaborations to "push" via #117 so as soon as the users accept the latest invitations, everything should be fine.
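The diagnosis in this thread can be turned into two checks, shown here as an added example that is not part of the thread or the project's own code: one flags declared permissions outside the set the thread says the API reported back, the other scans Terraform apply logs (in the line format quoted above) for collaborators destroyed in more than one run. The function names, sample repositories and usernames are constructed for illustration.

```python
import re
from collections import Counter

# Permission values the thread says the GitHub API reported back at the time.
ROUND_TRIP_SAFE = {"pull", "push", "admin"}

# Matches the destroy line format quoted in the thread.
DESTROY_RE = re.compile(
    r'github_repository_collaborator\.collaborator\["(?P<user>[^"]+)"\]: '
    r'Destroying\.\.\. \[id=(?P<repo>[^:\]]+):(?P=user)\]'
)

def unstable_permissions(desired):
    """Return (repo, user, permission) entries that would never converge."""
    return sorted(
        (repo, user, perm)
        for (repo, user), perm in desired.items()
        if perm not in ROUND_TRIP_SAFE
    )

def recreation_churn(runs, threshold=2):
    """Return {(repo, user): n} for collaborators destroyed in >= threshold runs."""
    seen = Counter()
    for log_text in runs:
        # Count each collaborator once per run, however many lines mention it.
        per_run = {(m["repo"], m["user"]) for m in DESTROY_RE.finditer(log_text)}
        seen.update(per_run)
    return {key: n for key, n in seen.items() if n >= threshold}

# Constructed sample data: usernames, repos and permissions are illustrative.
SAMPLE_DESIRED = {
    ("example-repo", "alice"): "maintain",
    ("example-repo", "bob"): "push",
    ("other-repo", "carol"): "triage",
}
SAMPLE_RUNS = [
    'module.example-repo.github_repository_collaborator.collaborator["alice"]: Destroying... [id=example-repo:alice]\n'
    'module.example-repo.github_repository_collaborator.collaborator["bob"]: Refreshing state... [id=example-repo:bob]\n',
    'module.example-repo.github_repository_collaborator.collaborator["alice"]: Destroying... [id=example-repo:alice]\n',
    'module.other-repo.github_repository_collaborator.collaborator["carol"]: Destroying... [id=other-repo:carol]\n',
]

if __name__ == "__main__":
    print(unstable_permissions(SAMPLE_DESIRED))
    print(recreation_churn(SAMPLE_RUNS))
```

A collaborator destroyed in consecutive scheduled runs with no change to the Terraform code is the signature of the drift described above, as opposed to a one-off removal.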