Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Codifying organization and repositories #1102

Open
haydentherapper opened this issue Jul 17, 2024 · 5 comments
Open

Codifying organization and repositories #1102

haydentherapper opened this issue Jul 17, 2024 · 5 comments

Comments

@haydentherapper
Copy link

At the recent community meeting, we discussed codifying the members of the SLSA organization and the settings for the repositories in the org. This provides transparency around who are org owners & who are maintainers on repositories, allows us to standardize repository security, and makes it easy to add new members or repositories. This removes the need for repository admins, as repository configuration should happen exclusively through configuration. You can also limit the org admins to only those who need to manage the Pulumi account.

With the Sigstore org, we use Pulumi, which provides a free tier for OSS projects. Our org is codified with yaml configs, mapping yaml to the Pulumi API with https://github.com/sigstore/github-sync. We manage teams, users, repositories and bot accounts through configuration. It's been a very smooth process - changes are instantly applied every merge. Only challenges are removing users (which just requires manually "unlocking" the user to allow for deletion) and importing existing repositories (which requires a manual process), but this can be documented for org admins.

@cpanato has kindly offered to help with the set up, thanks Carlos! Happy to answer any questions. Let me know if you would like us to proceed with setting this up.

@lehors
Copy link
Member

lehors commented Jul 18, 2024

I apologize if I'm showing a lack of understanding but I couldn't attend the latest SLSA call unfortunately and the meeting notes are quite limited, so bear with me.

I must admit to wonder what problem exactly this is meant to address and whether it is worth adding a dependency to yet another tool.

This project is pretty small and although there always are things that can be improved, adding infrastructure around it ought to be done in a controlled manner with a cost-benefit mindset. Indeed, adding more infrastructure isn't free, it adds yet another piece that needs to be maintained by a very small team with limited time.

@haydentherapper
Copy link
Author

@lehors, the motivations are transparency and security. There is no formal process for adding org members, and moving to configuration-as-code would allow the community to audit new member requests. The community can also audit who currently has access to repos, which is helpful if you need to know who is responsible for a PR or if you would like to propose removing an inactive member. As for security, you can codify repo settings (branch protection, merge rules, etc), which would allow you to standardize repo security across the org. This also makes security transparent as well for the community to audit and verify.

Even though the org is small, doing this work now rather than later if the number of repos and org members expands sets up good process. As for cost, the Pulumi OSS plan has no cost and no added infrastructure. If we did need to move off it, we could use Terraform directly, which would require storing tfstate somewhere - either in GCS (small cost + infra), or potentially in a private GitHub repo.

@lehors
Copy link
Member

lehors commented Jul 25, 2024

To clarify: I didn't mean financial cost, I'm talking about technical debt. It's one more piece to maintain.

@haydentherapper
Copy link
Author

I recognize that, though I think the added infrastructure reduces friction in other ways that make it beneficial. And if it is found to add too much friction, it would be trivial to undo, there's no lock-in.

@lehors
Copy link
Member

lehors commented Jul 30, 2024

ok, we can give it a try.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: 🆕 New
Development

No branches or pull requests

2 participants