[Contrib] Repo permissions and teams

Hi everyone. Just following with the repo permissions discussion originally started here: https://github.com/theopensourceway/guidebook/issues/90 So my opinion is very much from an organisational governance so this may reflect my proposal. I’m happy to adapt as the project’s governance hasn’t yet been finalised. Currently new users (lets say users instead of members as this is a term used in GitHub) invited to the opensourceway organisation default to being Member. These users will be able to clone and pull all repos the organisation owns – currently that would be guidebook and theopensourceway_old_website “By default, members of an organization will have Read permissions to the organization's repositories.” This “green room” allows the owners to allocate higher level of permissions if and when required. I think we should keep this default whilst teams are being decided and when more teams are being added. Just to note that there are both “base permissions” and “repository permissions” allowing more refinement of access for members of the organisation (or external collaborators) specific to a repo. The above suggested Read permission would be the base permission of the organisation. To apply repository permissions I would suggest we use teams with the appropriate access. https://help.github.com/en/github/setting-up-and-managing-organizations-a... From least access to most access, the permission levels for an organization repository are: • Read: Recommended for non-code contributors who want to view or discuss your project • Triage: Recommended for contributors who need to proactively manage issues and pull requests without write access • Write: Recommended for contributors who actively push to your project • Maintain: Recommended for project managers who need to manage the repository without access to sensitive or destructive actions • Admin: Recommended for people who need full access to the project, including sensitive and destructive actions like managing security or deleting a repository Currently there is only really a need for the Triage where members can: • Assign labels, issues, and PRs • Apply milestones • Request PR reviews See more of a detail breakdown here: https://help.github.com/en/github/setting-up-and-managing-organizations-a... However Triage can not physically push to the repo i.e. merge or force push to that repo or branch directly. They can, like other users, create a Pull Request from a forked repo and follow the review process. This maybe considered too restrictive but I feel its acceptable that authors themselves, who wrote the piece, are not permitted to push to the repo – it would imply that a review hasn't taken place. Ideally it would be the review team that would say OK after some back and forth and they themselves merge the author’s content in. This implies that that there would be a team of editors. Editors themselves would have the Write permission which of course grants more permission including: • Push to the contributor’s branch (easily) • Lock conversations • Submit reviews that affect a PR’s mergeability (this feature flags when PRs shouldn’t be merged) • Apply suggested changes to PRs Of course members can be added to multiple teams with the more permissive level being applied. It really comes down to the teams and what roles they play in the repo and gradually adding more teams if and when required. Currently I can envision the below teams based on the current flow of the workflow process: • Authors: members of the organisation that have been assigned as author or co-author of a chapter. They are also able to assist with labeling issues to help other authors on boarding. • Editors: members of the organisation that can perform editorial reviews on author’s contributions permitting successful contributions to be merged into the repo. These teams are very simple and serve a very distinct role in the project, but we should also consider the glue that keeps the repo going identifying that group of members. Usually we would have the term “core” team that do a wide range of things outside the scope of the current authors and editors. But at the moment I think there isn’t a current need to identify that but something to consider when the project becomes more mature. Another note that Outside collaborators (those not invited to the organisation) can be invited to a repo’s team in case they wish not to be added to the opensourceway organisation. Lastly only owners can assign repositories to teams and therefore manage team access (though I believe members of an organisation can create teams). Here are steps to do this here: https://help.github.com/en/github/setting-up-and-managing-organizations-a... Any thoughts would be much appreciated!