Replace ListTeamMembers with ListTeamMembersBySlug

config/jobs/image-pushing/k8s-staging-kind.yaml

@@ -23,8 +23,9 @@ postsubmits:
               - name: LOG_TO_STDOUT
                 value: "y"
       rerun_auth_config:
-        github_team_ids:
-          - 2921947 # kind-maintainers
+        github_team_slugs:
+          - org: kubernetes-sigs
+            slug: kind-maintainers
     - name: post-kind-push-base-image
       cluster: k8s-infra-prow-build-trusted
       run_if_changed: '(^images/base)|(^images/Makefile)|(^.go-version)'
@@ -50,8 +51,9 @@ postsubmits:
               - name: LOG_TO_STDOUT
                 value: "y"
       rerun_auth_config:
-        github_team_ids:
-          - 2921947 # kind-maintainers
+        github_team_slugs:
+          - org: kubernetes-sigs
+            slug: kind-maintainers
     - name: post-kind-push-kindnetd-image
       cluster: k8s-infra-prow-build-trusted
       run_if_changed: '(^images/kindnetd)|(^images/Makefile)|(^.go-version)'
@@ -77,8 +79,9 @@ postsubmits:
               - name: LOG_TO_STDOUT
                 value: "y"
       rerun_auth_config:
-        github_team_ids:
-          - 2921947 # kind-maintainers
+        github_team_slugs:
+          - org: kubernetes-sigs
+            slug: kind-maintainers
     - name: post-kind-push-haproxy-image
       cluster: k8s-infra-prow-build-trusted
       run_if_changed: '(^images/haproxy)|(^images/Makefile)'
@@ -104,8 +107,9 @@ postsubmits:
               - name: LOG_TO_STDOUT
                 value: "y"
       rerun_auth_config:
-        github_team_ids:
-          - 2921947 # kind-maintainers
+        github_team_slugs:
+          - org: kubernetes-sigs
+            slug: kind-maintainers
     - name: post-kind-push-local-path-provisioner-image
       cluster: k8s-infra-prow-build-trusted
       run_if_changed: '(^images/local-path-provisioner)|(^images/Makefile)|(^.go-version)'
@@ -131,8 +135,9 @@ postsubmits:
               - name: LOG_TO_STDOUT
                 value: "y"
       rerun_auth_config:
-        github_team_ids:
-          - 2921947 # kind-maintainers
+        github_team_slugs:
+          - org: kubernetes-sigs
+            slug: kind-maintainers
     - name: post-kind-push-local-path-helper-image
       cluster: k8s-infra-prow-build-trusted
       run_if_changed: '(^images/local-path-helper)|(^images/Makefile)'
@@ -158,5 +163,6 @@ postsubmits:
               - name: LOG_TO_STDOUT
                 value: "y"
       rerun_auth_config:
-        github_team_ids:
-          - 2921947 # kind-maintainers
+        github_team_slugs:
+          - org: kubernetes-sigs
+            slug: kind-maintainers

config/jobs/image-pushing/k8s-staging-kubetest2.yaml

@@ -23,5 +23,6 @@ postsubmits:
               - name: LOG_TO_STDOUT
                 value: "y"
       rerun_auth_config:
-        github_team_ids:
-          - 3925239 # https://github.com/orgs/kubernetes-sigs/teams/kubetest2-maintainers
+        github_team_slugs:
+          - org: kubernetes-sigs
+            slug: kubetest2-maintainers

config/prow/cluster/prowjob-crd/prowjob_customresourcedefinition.yaml

@@ -21504,17 +21504,6 @@ spec:
                     items:
                       type: string
                     type: array
-                  github_team_ids:
-                    description: 'GitHubTeams contains IDs of GitHub teams of users
-                      who can rerun the job If you know the name of a team and the
-                      org it belongs to, you can look up its ID using this command,
-                      where the team slug is the hyphenated name: curl -H "Authorization:
-                      token <token>" "https://api.github.com/orgs/<org-name>/teams/<team
-                      slug>" or, to list all teams in a given org, use curl -H "Authorization:
-                      token <token>" "https://api.github.com/orgs/<org-name>/teams"'
-                    items:
-                      type: integer
-                    type: array
                   github_team_slugs:
                     description: GitHubTeamSlugs contains slugs and orgs of teams
                       of users who can rerun the job

config/prow/config.yaml

@@ -172,9 +172,11 @@ deck:
   google_analytics: UA-82843984-5
   rerun_auth_configs:
     '*':
-      github_team_ids:
-      - 2009231 # test-infra-admins
-      - 2460384 # milestone-maintainers
+      github_team_slugs:
+      - org: kubernetes
+        slug: test-infra-admins
+      - org: kubernetes
+        slug: milestone-maintainers
   # additional_allowed_buckets is used only when skip_storage_path_validation is
   # false
   skip_storage_path_validation: false

config/prow/plugins.yaml

@@ -585,22 +585,22 @@ repo_milestone:
 project_config:
   project_org_configs:
     kubernetes:
-      org_maintainers_team_id: 3162587 # sig-testing-dummy-project-team
+      org_maintainers_team_slug: sig-testing-dummy-project-team
       org_default_column_map:
         test-infra-dummy-testing-project-plugin:
           To do
         KEP Implementation Tracking:
           To do
       project_repo_configs:
         kubernetes:
-          repo_maintainers_team_id: 2460384 # milestone-maintainers
+          repo_maintainers_team_slug: milestone-maintainers
           repo_default_column_map:
             component-base:
               To do
             Workloads:
               Backlog
         website:
-          repo_maintainers_team_id: 3175912 # website-milestone-maintainers
+          repo_maintainers_team_slug: website-milestone-maintainers
           repo_default_column_map:
             component-base:
               To do

prow/apis/prowjobs/v1/types.go

@@ -270,13 +270,6 @@ type GitHubTeamSlug struct {
 type RerunAuthConfig struct {
 	// If AllowAnyone is set to true, any user can rerun the job
 	AllowAnyone bool `json:"allow_anyone,omitempty"`
-	// GitHubTeams contains IDs of GitHub teams of users who can rerun the job
-	// If you know the name of a team and the org it belongs to,
-	// you can look up its ID using this command, where the team slug is the hyphenated name:
-	// curl -H "Authorization: token <token>" "https://api.github.com/orgs/<org-name>/teams/<team slug>"
-	// or, to list all teams in a given org, use
-	// curl -H "Authorization: token <token>" "https://api.github.com/orgs/<org-name>/teams"
-	GitHubTeamIDs []int `json:"github_team_ids,omitempty"`
 	// GitHubTeamSlugs contains slugs and orgs of teams of users who can rerun the job
 	GitHubTeamSlugs []GitHubTeamSlug `json:"github_team_slugs,omitempty"`
 	// GitHubUsers contains names of individual users who can rerun the job
@@ -312,15 +305,6 @@ func (rac *RerunAuthConfig) IsAuthorized(org, user string, cli prowgithub.RerunC
 			return true, nil
 		}
 	}
-	for _, ght := range rac.GitHubTeamIDs {
-		member, err := cli.TeamHasMember(org, ght, user)
-		if err != nil {
-			return false, fmt.Errorf("GitHub failed to fetch members of team %v, verify that you have the correct team number and access token: %w", ght, err)
-		}
-		if member {
-			return true, nil
-		}
-	}
 	for _, ghts := range rac.GitHubTeamSlugs {
 		member, err := cli.TeamBySlugHasMember(ghts.Org, ghts.Slug, user)
 		if err != nil {
@@ -339,7 +323,7 @@ func (rac *RerunAuthConfig) Validate() error {
 		return nil
 	}
 
-	hasAllowList := len(rac.GitHubUsers) > 0 || len(rac.GitHubTeamIDs) > 0 || len(rac.GitHubTeamSlugs) > 0 || len(rac.GitHubOrgs) > 0
+	hasAllowList := len(rac.GitHubUsers) > 0 || len(rac.GitHubTeamSlugs) > 0 || len(rac.GitHubOrgs) > 0
 
 	// If an allowlist is specified, the user probably does not intend for anyone to be able to rerun any job.
 	if rac.AllowAnyone && hasAllowList {

prow/cmd/deck/abort_test.go

@@ -28,6 +28,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	prowapi "k8s.io/test-infra/prow/apis/prowjobs/v1"
 	"k8s.io/test-infra/prow/client/clientset/versioned/fake"
 	"k8s.io/test-infra/prow/github/fakegithub"
@@ -46,6 +47,7 @@ func TestAbort(t *testing.T) {
 		jobState    prowapi.ProwJobState
 		httpCode    int
 		httpMethod  string
+		teams       map[string]map[string]fakegithub.TeamWithMembers
 	}{
 		{
 			name:        "Abort on triggered state",
@@ -118,6 +120,7 @@ func TestAbort(t *testing.T) {
 			jobState:    prowapi.PendingState,
 			httpCode:    http.StatusOK,
 			httpMethod:  http.MethodPost,
+			teams:       map[string]map[string]fakegithub.TeamWithMembers{"kubernetes": {"leads": {Members: sets.NewString("sig-lead")}}},
 		},
 	}
 
@@ -142,9 +145,13 @@ func TestAbort(t *testing.T) {
 						},
 					},
 					RerunAuthConfig: &prowapi.RerunAuthConfig{
-						AllowAnyone:   false,
-						GitHubUsers:   []string{"authorized", "alsoauthorized"},
-						GitHubTeamIDs: []int{42},
+						AllowAnyone: false,
+						GitHubUsers: []string{"authorized", "alsoauthorized"},
+						GitHubTeamSlugs: []prowapi.GitHubTeamSlug{
+							prowapi.GitHubTeamSlug{
+								Org:  "kubernetes",
+								Slug: "leads",
+							}},
 					},
 				},
 				Status: prowapi.ProwJobStatus{
@@ -184,6 +191,7 @@ func TestAbort(t *testing.T) {
 			ghc := &fakeAuthenticatedUserIdentifier{login: tc.login}
 			rc := fakegithub.NewFakeClient()
 			rc.OrgMembers = map[string][]string{"org": {"org-member"}}
+			rc.Teams = tc.teams
 			pca := plugins.NewFakeConfigAgent()
 			handler := handleAbort(fakeProwJobClient.ProwV1().ProwJobs("prowjobs"), authCfgGetter, goa, ghc, rc, &pca, logrus.WithField("handler", "/abort"))
 			handler.ServeHTTP(rr, req)

prow/cmd/deck/rerun_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	prowapi "k8s.io/test-infra/prow/apis/prowjobs/v1"
 	"k8s.io/test-infra/prow/client/clientset/versioned/fake"
 	"k8s.io/test-infra/prow/config"
@@ -51,9 +52,14 @@ func getPresubmitConfig() *config.Config {
 					"foo": "foo",
 				},
 				RerunAuthConfig: &prowapi.RerunAuthConfig{
-					AllowAnyone:   false,
-					GitHubUsers:   []string{"authorized", "alsoauthorized"},
-					GitHubTeamIDs: []int{42},
+					AllowAnyone: false,
+					GitHubUsers: []string{"authorized", "alsoauthorized"},
+					GitHubTeamSlugs: []prowapi.GitHubTeamSlug{
+						prowapi.GitHubTeamSlug{
+							Org:  "kubernetes",
+							Slug: "leads",
+						},
+					},
 				},
 			},
 			Brancher: config.Brancher{
@@ -82,9 +88,14 @@ func getPeriodicConfig() *config.Config {
 						"foo": "foo",
 					},
 					RerunAuthConfig: &prowapi.RerunAuthConfig{
-						AllowAnyone:   false,
-						GitHubUsers:   []string{"authorized", "alsoauthorized"},
-						GitHubTeamIDs: []int{42},
+						AllowAnyone: false,
+						GitHubUsers: []string{"authorized", "alsoauthorized"},
+						GitHubTeamSlugs: []prowapi.GitHubTeamSlug{
+							prowapi.GitHubTeamSlug{
+								Org:  "kubernetes",
+								Slug: "leads",
+							},
+						},
 					},
 				},
 			}},
@@ -104,6 +115,7 @@ func TestRerun(t *testing.T) {
 		shouldCreateProwJob bool
 		httpCode            int
 		httpMethod          string
+		teams               map[string]map[string]fakegithub.TeamWithMembers
 	}{
 		{
 			name:                "Handler returns ProwJob",
@@ -174,6 +186,7 @@ func TestRerun(t *testing.T) {
 			shouldCreateProwJob: true,
 			httpCode:            http.StatusOK,
 			httpMethod:          http.MethodPost,
+			teams:               map[string]map[string]fakegithub.TeamWithMembers{"kubernetes": {"leads": {Members: sets.NewString("sig-lead")}}},
 		},
 		{
 			name:                "Org member permitted for presubmits",
@@ -208,9 +221,14 @@ func TestRerun(t *testing.T) {
 						},
 					},
 					RerunAuthConfig: &prowapi.RerunAuthConfig{
-						AllowAnyone:   false,
-						GitHubUsers:   []string{"authorized", "alsoauthorized"},
-						GitHubTeamIDs: []int{42},
+						AllowAnyone: false,
+						GitHubUsers: []string{"authorized", "alsoauthorized"},
+						GitHubTeamSlugs: []prowapi.GitHubTeamSlug{
+							prowapi.GitHubTeamSlug{
+								Org:  "kubernetes",
+								Slug: "leads",
+							},
+						},
 					},
 				},
 				Status: prowapi.ProwJobStatus{
@@ -250,6 +268,7 @@ func TestRerun(t *testing.T) {
 			ghc := &fakeAuthenticatedUserIdentifier{login: tc.login}
 			rc := fakegithub.NewFakeClient()
 			rc.OrgMembers = map[string][]string{"org": {"org-member"}}
+			rc.Teams = tc.teams
 			pca := plugins.NewFakeConfigAgent()
 			cfg := func() *config.Config { return &config.Config{} }
 			handler := handleRerun(cfg, fakeProwJobClient.ProwV1().ProwJobs("prowjobs"), tc.rerunCreatesJob, authCfgGetter, goa, ghc, rc, &pca, logrus.WithField("handler", "/rerun"))
@@ -304,6 +323,7 @@ func TestLatestRerun(t *testing.T) {
 		reported            bool
 		httpCode            int
 		httpMethod          string
+		teams               map[string]map[string]fakegithub.TeamWithMembers
 	}{
 		{
 			name:                "Handler returns Presubmit ProwJob",
@@ -407,6 +427,7 @@ func TestLatestRerun(t *testing.T) {
 			reported:            false,
 			httpCode:            http.StatusOK,
 			httpMethod:          http.MethodPost,
+			teams:               map[string]map[string]fakegithub.TeamWithMembers{"kubernetes": {"leads": {Members: sets.NewString("sig-lead")}}},
 		},
 		{
 			name:                "Org member permitted for presubmits",
@@ -508,6 +529,7 @@ func TestLatestRerun(t *testing.T) {
 			ghc := &fakeAuthenticatedUserIdentifier{login: tc.login}
 			rc := fakegithub.NewFakeClient()
 			rc.OrgMembers = map[string][]string{"org": {"org-member"}}
+			rc.Teams = tc.teams
 			pca := plugins.NewFakeConfigAgent()
 			cfg := func() *config.Config {
 				return tc.config
@@ -569,9 +591,14 @@ func TestLatestRerun(t *testing.T) {
 						},
 						Report: tc.reported,
 						RerunAuthConfig: &prowapi.RerunAuthConfig{
-							AllowAnyone:   false,
-							GitHubUsers:   tc.authorized,
-							GitHubTeamIDs: []int{42},
+							AllowAnyone: false,
+							GitHubUsers: tc.authorized,
+							GitHubTeamSlugs: []prowapi.GitHubTeamSlug{
+								prowapi.GitHubTeamSlug{
+									Org:  "kubernetes",
+									Slug: "leads",
+								},
+							},
 						},
 					},
 					Status: prowapi.ProwJobStatus{

prow/cmd/peribolos/main_test.go

@@ -1762,7 +1762,7 @@ func TestDumpOrgConfig(t *testing.T) {
 			},
 		},
 		{
-			name: "fails if ListTeamMembersFails",
+			name: "fails if ListTeamMembers fails",
 			err:  true,
 			teams: []github.Team{
 				{

prow/config/prow-config-documented.yaml

@@ -289,14 +289,6 @@ deck:
             # GitHubOrgs contains names of GitHub organizations whose members can rerun the job
             github_orgs:
                 - ""
-            # GitHubTeams contains IDs of GitHub teams of users who can rerun the job
-            # If you know the name of a team and the org it belongs to,
-            # you can look up its ID using this command, where the team slug is the hyphenated name:
-            # curl -H "Authorization: token <token>" "https://api.github.com/orgs/<org-name>/teams/<team slug>"
-            # or, to list all teams in a given org, use
-            # curl -H "Authorization: token <token>" "https://api.github.com/orgs/<org-name>/teams"
-            github_team_ids:
-                - 0
             # GitHubTeamSlugs contains slugs and orgs of teams of users who can rerun the job
             github_team_slugs:
                 - org: ' '
@@ -329,8 +321,6 @@ deck:
             allow_anyone: true
             github_orgs:
                 - ""
-            github_team_ids:
-                - 0
             github_team_slugs:
                 - org: ' '
                   slug: ' '