4:15 a.m.
Hi everyone.
Just following with the repo permissions discussion originally started here:
https://github.com/theopensourceway/guidebook/issues/90
So my opinion is very much from an organisational governance so this may reflect my
proposal. I’m happy to adapt as the project’s governance hasn’t yet been finalised.
Currently new users (lets say users instead of members as this is a term used in GitHub)
invited to the opensourceway organisation default to being Member. These users will be
able to clone and pull all repos the organisation owns – currently that would be guidebook
and theopensourceway_old_website
“By default, members of an organization will have Read permissions to the
organization's repositories.”
This “green room” allows the owners to allocate higher level of permissions if and when
required. I think we should keep this default whilst teams are being decided and when more
teams are being added.
Just to note that there are both “base permissions” and “repository permissions” allowing
more refinement of access for members of the organisation (or external collaborators)
specific to a repo. The above suggested Read permission would be the base permission of
the organisation.
To apply repository permissions I would suggest we use teams with the appropriate access.
https://help.github.com/en/github/setting-up-and-managing-organizations-a...
From least access to most access, the permission levels for an organization repository
are:
• Read: Recommended for non-code contributors who want to view or discuss your project
• Triage: Recommended for contributors who need to proactively manage issues and pull
requests without write access
• Write: Recommended for contributors who actively push to your project
• Maintain: Recommended for project managers who need to manage the repository without
access to sensitive or destructive actions
• Admin: Recommended for people who need full access to the project, including
sensitive and destructive actions like managing security or deleting a repository
Currently there is only really a need for the Triage where members can:
• Assign labels, issues, and PRs
• Apply milestones
• Request PR reviews
See more of a detail breakdown here:
https://help.github.com/en/github/setting-up-and-managing-organizations-a...
However Triage can not physically push to the repo i.e. merge or force push to that repo
or branch directly. They can, like other users, create a Pull Request from a forked repo
and follow the review process.
This maybe considered too restrictive but I feel its acceptable that authors themselves,
who wrote the piece, are not permitted to push to the repo – it would imply that a review
hasn't taken place. Ideally it would be the review team that would say OK after some
back and forth and they themselves merge the author’s content in. This implies that that
there would be a team of editors.
Editors themselves would have the Write permission which of course grants more permission
including:
• Push to the contributor’s branch (easily)
• Lock conversations
• Submit reviews that affect a PR’s mergeability (this feature flags when PRs
shouldn’t be merged)
• Apply suggested changes to PRs
Of course members can be added to multiple teams with the more permissive level being
applied.
It really comes down to the teams and what roles they play in the repo and gradually
adding more teams if and when required. Currently I can envision the below teams based on
the current flow of the workflow process:
• Authors: members of the organisation that have been assigned as author or co-author
of a chapter. They are also able to assist with labeling issues to help other authors on
boarding.
• Editors: members of the organisation that can perform editorial reviews on author’s
contributions permitting successful contributions to be merged into the repo.
These teams are very simple and serve a very distinct role in the project, but we should
also consider the glue that keeps the repo going identifying that group of members.
Usually we would have the term “core” team that do a wide range of things outside the
scope of the current authors and editors. But at the moment I think there isn’t a current
need to identify that but something to consider when the project becomes more mature.
Another note that Outside collaborators (those not invited to the organisation) can be
invited to a repo’s team in case they wish not to be added to the opensourceway
organisation.
Lastly only owners can assign repositories to teams and therefore manage team access
(though I believe members of an organisation can create teams).
Here are steps to do this here:
https://help.github.com/en/github/setting-up-and-managing-organizations-a...
Any thoughts would be much appreciated!
7 a.m.
Just following with the repo permissions discussion originally
started
here: https://github.com/theopensourceway/guidebook/issues/90
Thank you for this thorough analysis, Ashley! We just underwent a similar
repo (re)structuring in the Open Organization project and, jeeze, do I
wish I had had the benefit of your notes here before I jumped into that
(but hey, it all worked out).
This “green room” allows the owners to allocate higher level of
permissions if and when required. I think we should keep this default
whilst teams are being decided and when more teams are being added.>
Triage can not physically push to the repo i.e. merge or force push to
that repo or branch directly. They can, like other users, create a Pull
Request from a forked repo and follow the review process.
This maybe considered too restrictive but I feel its acceptable that
authors themselves, who wrote the piece, are not permitted to push to the
repo – it would imply that a review hasn't taken place. Ideally it would
be the review team that would say OK after some back and forth and they
themselves merge the author’s content in. This implies that that there
would be a team of editors.
Usually we would have the term “core” team that do a wide range of
things outside the scope of the current authors and editors.
I honed into these points in your assessment, Ashley, because they
address two of the same questions and challenges we were assessing in the
Open Organization community. The way we've started working there is:
- Set organization base permissions to "green room" only (read, but that's
it)
- Add anyone interested in contributing to the project to that green room,
then allocate additional permissions (typically on a per-repo basis) as
they indicate where they'd most like to make an impact.
- Authorize a "core team" with top-level Maintainer permissions to
allocated those role as they see fit.
So for our purposes, I'd suggest something like:
1. Writers can: Read/triage/make pull requests
2. Editors can: Read/triage/push to repos and branches
3. Maintainers: Do everything (including allocate and change roles of others)
I don't know as I've added anything more substantial to the conversation,
but I didn't want to see it dwindle, because it concerns a very important
governance matter!
Bryan
2:51 p.m.
Bringing this back to the top, what Ashley wrote here I think is spot on
-- she has as clear an understanding of our workflow as any other
contributor at this point, and has applied that quite well to how things
work in GitHub afaict.
My plan is to quickly implement along these lines, and start inviting in
folks as members so you can get things done more directly.
Any objections or twists, speak up now please! We'll also see how things
go and adjust from there as needed. It's content and code, not chisels
and stone.
Best,
- Karsten
On 5/26/20 2:15 AM, Ashley Nicolson wrote:
Hi everyone.
Just following with the repo permissions discussion originally started here:
https://github.com/theopensourceway/guidebook/issues/90
So my opinion is very much from an organisational governance so this may reflect my
proposal. I’m happy to adapt as the project’s governance hasn’t yet been finalised.
Currently new users (lets say users instead of members as this is a term used in GitHub)
invited to the opensourceway organisation default to being Member. These users will be
able to clone and pull all repos the organisation owns – currently that would be guidebook
and theopensourceway_old_website
“By default, members of an organization will have Read permissions to the
organization's repositories.”
This “green room” allows the owners to allocate higher level of permissions if and when
required. I think we should keep this default whilst teams are being decided and when more
teams are being added.
Just to note that there are both “base permissions” and “repository permissions” allowing
more refinement of access for members of the organisation (or external collaborators)
specific to a repo. The above suggested Read permission would be the base permission of
the organisation.
To apply repository permissions I would suggest we use teams with the appropriate
access.
https://help.github.com/en/github/setting-up-and-managing-organizations-a...
From least access to most access, the permission levels for an organization repository
are:
• Read: Recommended for non-code contributors who want to view or discuss your
project
• Triage: Recommended for contributors who need to proactively manage issues and
pull requests without write access
• Write: Recommended for contributors who actively push to your project
• Maintain: Recommended for project managers who need to manage the repository
without access to sensitive or destructive actions
• Admin: Recommended for people who need full access to the project, including
sensitive and destructive actions like managing security or deleting a repository
Currently there is only really a need for the Triage where members can:
• Assign labels, issues, and PRs
• Apply milestones
• Request PR reviews
See more of a detail breakdown here:
https://help.github.com/en/github/setting-up-and-managing-organizations-a...
However Triage can not physically push to the repo i.e. merge or force push to that repo
or branch directly. They can, like other users, create a Pull Request from a forked repo
and follow the review process.
This maybe considered too restrictive but I feel its acceptable that authors themselves,
who wrote the piece, are not permitted to push to the repo – it would imply that a review
hasn't taken place. Ideally it would be the review team that would say OK after some
back and forth and they themselves merge the author’s content in. This implies that that
there would be a team of editors.
Editors themselves would have the Write permission which of course grants more permission
including:
• Push to the contributor’s branch (easily)
• Lock conversations
• Submit reviews that affect a PR’s mergeability (this feature flags when PRs
shouldn’t be merged)
• Apply suggested changes to PRs
Of course members can be added to multiple teams with the more permissive level being
applied.
It really comes down to the teams and what roles they play in the repo and gradually
adding more teams if and when required. Currently I can envision the below teams based on
the current flow of the workflow process:
• Authors: members of the organisation that have been assigned as author or
co-author of a chapter. They are also able to assist with labeling issues to help other
authors on boarding.
• Editors: members of the organisation that can perform editorial reviews on
author’s contributions permitting successful contributions to be merged into the repo.
These teams are very simple and serve a very distinct role in the project, but we should
also consider the glue that keeps the repo going identifying that group of members.
Usually we would have the term “core” team that do a wide range of things outside the
scope of the current authors and editors. But at the moment I think there isn’t a current
need to identify that but something to consider when the project becomes more mature.
Another note that Outside collaborators (those not invited to the organisation) can be
invited to a repo’s team in case they wish not to be added to the opensourceway
organisation.
Lastly only owners can assign repositories to teams and therefore manage team access
(though I believe members of an organisation can create teams).
Here are steps to do this here:
https://help.github.com/en/github/setting-up-and-managing-organizations-a...
Any thoughts would be much appreciated!
_______________________________________________
Contrib mailing list -- contrib(a)theopensourceway.org
To unsubscribe send an email to contrib-leave(a)theopensourceway.org
--
Karsten Wade [he/him/his]| Senior Community Architect | @quaid
Red Hat Open Source Program Office (OSPO) : @redhatopen
https://community.redhat.com | https://next.redhat.com | https://osci.io
https://theopensourceway.org | https://github.com/theopensourceway/guide
2:50 p.m.
... and that month went fast.
I think this is now all setup correctly. I created three teams, I sent out a handful of
invites mostly to Authors, and populated the Editors and Maintainers teams.
To close out this thread, I'm nominating Ashley to join the Maintainers team.
This isn't to pile more work on you, it's that you have been rather helpful and a
very clear voice in setting up this project's GitHub presence; to be frank, I think
we've largely just adopted your suggestions. It seems to me there should be a shorter
path from you suggesting something to it actually happening, rather than it sitting for
another Maintainer to do. You should be able to do your own easyfixes to our setup, and be
able to volunteer for something larger like setting up teams and such, if you wish.
Otherwise, you are welcome to continue to give good advice from the armchair, and let
newbie admins like myself to figure out how to enable your magic spells. :)
I'll open an issue about this in 'theproject' to get other Maintainers'
+1s.
1626
days inactive
1670
days old
4 comments
4 participants
participants (4)
-
Ashley Nicolson -
Bryan Behrenshausen -
Bryan G. Behrenshausen
-
Karsten Wade