Skip to content

CI: Add yearly reminder issue to review maintainers #1803

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 3, 2022
Merged

CI: Add yearly reminder issue to review maintainers #1803

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions .github/workflows/maintainer-permissions-reminder.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: Maintainer review reminder

on:
schedule:
- cron: '10 10 10 2 *'
workflow_dispatch:

permissions:
issues: write

jobs:
file-reminder-issue:
name: File issue to review maintainer permissions
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v5
with:
script: |
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: "Yearly maintainer permissions review",
body: `
This is a checklist for evaluating python-tuf maintainer accounts and permissions. This issue is automatically opened once a year.

### Tasks

1. Update this list to include any new services
2. Evaluate the accounts and permissions for each service on the list. Some rules of thumb:
* Critical services should have a minimum of 3 _active_ maintainers/admins to prevent project lockout
* Each additional maintainer/admin increases the risk of project compromise: for this reason permissions should be removed if they are no longer used
* For services that are not frequently used, each maintainer/admin should check that they really are still able to authenticate to the service and confirm this in the comments
3. Update MAINTAINERS.txt to reflect current permissions

### Critical services

* [ ] **PyPI**: maintainer list is visible to everyone at https://pypi.org/project/tuf/
* Only maintainers who do releases (+potentially org admins to prevent locking the project out)
* [ ] **GitHub**: permissions visible to admins at https://github.com/theupdateframework/python-tuf/settings/access
* "admin" permission: Only for maintainers and org admins who do project administration
* "push/maintain" permission: Maintainers who actively approve and merge PRs (+admins)
* "triage" permission: All contributors trusted to manage issues

### Other

* [ ] **ReadTheDocs**: admin list is visible to everyone at https://readthedocs.org/projects/theupdateframework/
* [ ] **Coveralls**: everyone with github "admin" permissions is a Coveralls admin: https://coveralls.io/github/theupdateframework/python-tuf
`
})
console.log("New issue created.")