Pilot reduced write permissions for edX teams

[nedbat]

Axim would like to give teams permissions to the repos they need, rather than granting all edX engineers write access to all repos.

A pilot would find a team that could most easily accept reduced permissions, and try it out.

• Finalize the new team/group strategy for assigning write permissions
• Update the onboarding process so people get added to the right groups
• Review https://openedx.atlassian.net/wiki/spaces/AC/pages/3458170881/Working+with+Personal+Forks
• Check that devstack dev-reset-repos still works properly
• Choose people/repos to start with

[nedbat]

@jristau1984 will be talking to Sarina.

[nedbat]

The pilot is currently on hold until the summer. What should we be doing before then to make it a success?

[nedbat]

The current proposal: https://docs.google.com/document/d/1Ev0uelTvUozQBjq1BWob8Kki4QOg37z-ZWe2u_8ZxV0/edit

[nedbat]

We've already had reduced access to some repos due to SOX compliance. Do we need to do more for this?

[jristau1984]

What repos had their access reduced? it's probably worth at least enumerating them here before we close this out. Thanks, Jeremy Ristau Engineering Manager - edX/2U

…

On Tue, Jan 24, 2023 at 11:52 AM Ned Batchelder ***@***.***> wrote: We've already had reduced access to some repos due to SOX compliance. Do we need to do more for this? — Reply to this email directly, view it on GitHub <#20 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACZ5NHVSARB5Q64NB2HYQTTWUACGDANCNFSM5PEVIX5A> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[sarina]

We've already had reduced access to some repos due to SOX compliance. Do we need to do more for this?

These are the payments repos, which afaik are not highly used anyway. I'd expect a pilot program to not only reduce access, but to do surveys and assess impact, and then also assess if the pilot needs to be expanded if not enough data are collected.

Oh, and determine next steps & make tickets, if applicable.

[nedbat]

So far we've seen no issues with the few repos we've done this with, so maybe we don't need a formal pilot?

[jristau1984]

FWIW the frontend-app-library-authoring and frontend-lib-content-components repos both have restricted access set up, and we have successfully fielded one 2U change request already with no issues (other than initial confusion, with a subsequent sharing of the new approach).

[nedbat]

Instead of a pilot, I guess this is now something like, work with Axim on which repo should be next for limited access.

[nedbat]

Also: #116

[e0d]

@nedbat is actively working on #116 currently.

This ticket represents the actual pilot roll out of the teams that will be defined.

[nedbat]

Here's a roll-up of the squads and their repos: teams.yml: https://gist.github.com/nedbat/1bb9866d38cd67405109f76cd4b695d3

This doesn't take some things into account:

• Some squads (BOM squads) need access to many repos they don't own.
• Some repos are broadly authored by many squads (edx-platform, edx-documentation, ...)
• Some squads need frequent access to repos they don't own, for example where the frontend and backend for a feature are owned by different squads.