Reduce go-libp2p and js-libp2p admins

[aschmahmann]

Summary

• Introduces a team for members of Interplanetary Shipyard working on or with libp2p (mostly a subset of the existing w3dt-stewards group)
• Reduces the number of admins on go-libp2p
• Reduces the number of admins on js-libp2p

Why do you need this?

The number of admin's on both of these repositories is simply too high. As described in earlier github-mgmt permissions reduction permissions are not meant as tokens of credibility, but of utility. Even the number of Admin's here may be too high, but I don't feel like I've overcut given github-mgmt is here to enable escalation.

I don't feel like I've overcut here and I've run this by @achingbrain and @MarcoPolo who are practically speaking the operating admin's of these repos (i.e. if you've used admin permissions and they don't know about it it's a problem). However, if I've overcut it seems fine to merge and re-add relevant permissions later.

What else do we need to know?

DRI: myself

Reviewer's Checklist

• It is clear where the request is coming from (if unsure, ask)
• All the automated checks passed
• The YAML changes reflect the summary of the request
• The Terraform plan posted as a comment reflects the summary of the request

[github-actions]

The following access changes will be introduced as a result of applying the plan:

Access Changes

User 2color:
  - will have the permission to go-libp2p change from admin to maintain
  - will have the permission to js-libp2p change from admin to maintain
User achingbrain:
  - will have the permission to go-libp2p change from admin to maintain
User dhuseby:
  - will have the permission to go-libp2p change from admin to pull
  - will have the permission to js-libp2p change from admin to pull
User galargh:
  - will lose admin permission to go-libp2p
  - will lose admin permission to js-libp2p
User guillaumemichel:
  - will have the permission to go-libp2p change from admin to maintain
  - will have the permission to js-libp2p change from admin to maintain
User jbenet:
  - will lose admin permission to go-libp2p
  - will lose admin permission to js-libp2p
User jorropo:
  - will lose admin permission to go-libp2p
  - will lose admin permission to js-libp2p
User kubuxu:
  - will have the permission to go-libp2p change from admin to push
  - will lose admin permission to js-libp2p
User laurentsenta:
  - will lose admin permission to go-libp2p
  - will lose admin permission to js-libp2p
User lidel:
  - will have the permission to go-libp2p change from admin to maintain
  - will have the permission to js-libp2p change from admin to maintain
User mxinden:
  - will lose admin permission to go-libp2p
  - will lose admin permission to js-libp2p
User p-shahi:
  - will have the permission to go-libp2p change from admin to pull
  - will have the permission to js-libp2p change from admin to pull
User raulk:
  - will have the permission to go-libp2p change from admin to push
  - will have the permission to js-libp2p change from admin to pull
User stebalien:
  - will have the permission to go-libp2p change from admin to push
  - will have the permission to js-libp2p change from admin to pull
User sukunrt:
  - will have the permission to js-libp2p change from admin to maintain
User yiannisbot:
  - will have the permission to go-libp2p change from admin to maintain
  - will have the permission to js-libp2p change from admin to maintain

[github-actions]

Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.

Terraform plans

libp2p

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  - destroy

Terraform will perform the following actions:

  # github_repository_collaborator.this["go-libp2p:aschmahmann"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "go-libp2p"
      + username                    = "aschmahmann"
    }

  # github_repository_collaborator.this["go-libp2p:marcopolo"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "go-libp2p"
      + username                    = "MarcoPolo"
    }

  # github_repository_collaborator.this["go-libp2p:sukunrt"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "go-libp2p"
      + username                    = "sukunrt"
    }

  # github_repository_collaborator.this["js-libp2p:achingbrain"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "js-libp2p"
      + username                    = "achingbrain"
    }

  # github_repository_collaborator.this["js-libp2p:aschmahmann"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "js-libp2p"
      + username                    = "aschmahmann"
    }

  # github_repository_collaborator.this["js-libp2p:marcopolo"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "js-libp2p"
      + username                    = "MarcoPolo"
    }

  # github_team.this["shipyard"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "Members of Interplanetary Shipyard who work with or on libp2p"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "shipyard"
      + node_id                   = (known after apply)
      + privacy                   = "closed"
      + slug                      = (known after apply)
    }

  # github_team_membership.this["shipyard:2color"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "2color"
    }

  # github_team_membership.this["shipyard:achingbrain"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "achingbrain"
    }

  # github_team_membership.this["shipyard:aschmahmann"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "aschmahmann"
    }

  # github_team_membership.this["shipyard:guillaumemichel"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "guillaumemichel"
    }

  # github_team_membership.this["shipyard:lidel"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "lidel"
    }

  # github_team_membership.this["shipyard:marcopolo"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "MarcoPolo"
    }

  # github_team_membership.this["shipyard:sukunrt"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "sukunrt"
    }

  # github_team_membership.this["shipyard:yiannisbot"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "yiannisbot"
    }

  # github_team_repository.this["admin:go-libp2p"] will be destroyed
  # (because key ["admin:go-libp2p"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"5cc0afb8c84d890d2ec579fc5b1327c244440dc85cdf33ede9a794acfb564513\"" -> null
      - id         = "2077192:go-libp2p" -> null
      - permission = "admin" -> null
      - repository = "go-libp2p" -> null
      - team_id    = "2077192" -> null
    }

  # github_team_repository.this["admin:js-libp2p"] will be destroyed
  # (because key ["admin:js-libp2p"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"c17e1967d74d9c28c1367a2d3e5d16153c5af6d4084bd3fd8feeb45294b4144a\"" -> null
      - id         = "2077192:js-libp2p" -> null
      - permission = "admin" -> null
      - repository = "js-libp2p" -> null
      - team_id    = "2077192" -> null
    }

  # github_team_repository.this["shipyard:go-libp2p"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "go-libp2p"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:js-libp2p"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "js-libp2p"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["w3dt-stewards:go-libp2p"] will be destroyed
  # (because key ["w3dt-stewards:go-libp2p"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"5cc0afb8c84d890d2ec579fc5b1327c244440dc85cdf33ede9a794acfb564513\"" -> null
      - id         = "4657013:go-libp2p" -> null
      - permission = "admin" -> null
      - repository = "go-libp2p" -> null
      - team_id    = "4657013" -> null
    }

  # github_team_repository.this["w3dt-stewards:js-libp2p"] will be destroyed
  # (because key ["w3dt-stewards:js-libp2p"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"c17e1967d74d9c28c1367a2d3e5d16153c5af6d4084bd3fd8feeb45294b4144a\"" -> null
      - id         = "4657013:js-libp2p" -> null
      - permission = "admin" -> null
      - repository = "js-libp2p" -> null
      - team_id    = "4657013" -> null
    }

Plan: 17 to add, 0 to change, 4 to destroy.

[aschmahmann]

Adding as a separate comment so people get notified. The following people will have their permissions reduced. If this is a problem (before or after the merge) open a request to modify the permissions.

Below I'm explicitly calling out anyone whose permissions have dropped from admin to lower than maintain on a repo and added some explicit comments for people who I suspect might care about the permissions reduction

• @dhuseby:
  • will have the permission to go-libp2p change from admin to pull
  • will have the permission to js-libp2p change from admin to pull
  • Do you need push access to any of these repos? If so the Repos Go and js-libp2p-dev groups seem appropriate
• @galargh:
  • will lose admin permission to go-libp2p
  • will lose admin permission to js-libp2p
  • What level of access do you need to these repos? Although you are an org-admin so probably not directly impacted.
• @jbenet:
  • will lose admin permission to go-libp2p
  • will lose admin permission to js-libp2p
  • There haven't been any commits here in ages so I suspect this isn't a problem (we're reducing risk surface here)
• @Jorropo:
  • will lose admin permission to go-libp2p
  • will lose admin permission to js-libp2p
  • I suspect you might want Repos Go permissions, if so just ping or send a PR
• @Kubuxu:
  • will have the permission to go-libp2p change from admin to push
  • will lose admin permission to js-libp2p
• @laurentsenta:
  • will lose admin permission to go-libp2p
  • will lose admin permission to js-libp2p
  • What level of access do you need to these repos?
• @mxinden:
  • will lose admin permission to go-libp2p
  • will lose admin permission to js-libp2p
• @p-shahi:
  • will have the permission to go-libp2p change from admin to pull
  • will have the permission to js-libp2p change from admin to pull
  • What level of access do you need here? If you just need push access the Repos Go and js-libp2p-dev groups seem appropriate
• @raulk:
  • will have the permission to go-libp2p change from admin to push
  • will have the permission to js-libp2p change from admin to pull
• @Stebalien:
  • will have the permission to js-libp2p change from admin to pull

[aschmahmann]

@Stebalien do you think it would still be helpful to continue to have admin here? At the moment I have you on since of the existing admin's that are not from Shipyard you're the only one whose been involved in the code at all.

If not can switch to maintain or leave you with push via Repos - Go.

[Stebalien]

The only non-push thing I do is:

1. Cleanup branches (should be allowed in Repos - Go).
2. Delete spam and ban spammers.

Did we ever find a way to allow everyone to do the latter? If so, Repos - Go seems reasonable.

[aschmahmann]

Delete spam

IIUC it looks like spam comments is doable with just write permissions to the repo https://docs.github.com/en/communities/moderating-comments-and-conversations/managing-disruptive-comments

ban spammers

This can be done with an org-wide moderator role which you already have by virtue of being in the github-mgmt stewards group

github-mgmt/github/libp2p.yml

Line 5077 in 989aed4

# 2. This team also has the org-level "moderator" and "security manager" role.

As a result, I will downgrade to Repos Go