Create teams for committer management #132

dougwilson opened this issue Jun 17, 2020 · 13 comments

@dougwilson
Contributor

This is a tracking issue around creating the teams for getting some of the members elevated to committer as talked about in the TC meeting #129

@wesleytodd volunteered, but Wes, feel free to let us know here if you would like someone else to help out :) !

@wesleytodd
Member

wesleytodd commented Feb 18, 2024

So I think we have a few things to do here:

  1. Owners. There are currently some folks not active in the project or on the TC who are owners. We should probably make only the active TC members owners
  2. Clean up existing teams. There are a few teams for collaborators/contributors. We should pick a name schema and stick to it then make them for all the repos
  3. Clean up folks without 2fa enabled.
  4. Make a plan for aligning this stuff with the new repo captains stuff

I can do this but I don't want to disrupt anything by taking away access to something. Are we concerned about that if I start changing these settings?

@wesleytodd wesleytodd self-assigned this Feb 18, 2024
@wesleytodd
Member

Before I clean up the "owner" roles, if you are relying on this for anything and are not on the TC please reply here with how and why. If I do not hear back from you within 48 hours I am going to slim down the owners to just active TC members.

cc @joewagner @mikeal @ritch @tj @troygoode

@wesleytodd
Member

Ok, I just updated the owner roles to be just the currently active TC members. I moved everyone else to normal member role.

I am going to go through the existing teams next and get them sorted. I might have to ping folks in here if I have any questions about what the team was used for and how the changes I make might affect folks' abilities to work on the given repos.

@wesleytodd
Member

wesleytodd commented Feb 23, 2024

Oh! I forgot to do the owner change in pillarjs and jshttp. I see now there are a bunch of other folks in those I need to ping.

pillarjs:

jshttp:

@wesleytodd
Member

Ok, I am just going to go ahead and remove folks now. If anyone needs it back for a reason we are unaware of just ping me (if I don't see it here you can dm me in the OpenJS slack and I will see it on my phone if it is an urgent matter of some sort).

@wesleytodd
Member

Owner is now correctly assigned across all three orgs with the exception of @crandmck who was not a member of the others. Obviously not everyone needs to do anything administrative with this role, but the important part is that we have it now in the governance on how this access is managed. If we think we want to change anything about that to add folks back in or remove folks while still being on the TC feel free to raise an issue to discuss.

@wesleytodd
Member

Also for anyone ping'd above, we are cleaning up the npm publish stuff as well. You might see an invite to the org where we will be managing access going forward, please accept that so you can be added to the right teams. The goal is not to remove anyone from access they need, but since this is all so old some things are unclear so if we make a mistake please jump in here and help us fix it.

@wesleytodd
Member

Hey folks, we are trying to set up the npm org for this and need folks to accept the invites which you should have gotten. If you do not respond within the next 48h you may lose access. If that happens and you still need it, please reach out and we can get things set up again.

Folks still needing to accept: @TooTallNate, @defunctzombie, @tj, @Fishrock123, @sheplu, @LinusU

@jonchurch
Member

jonchurch commented Feb 24, 2024

@wesleytodd Just opened a PR with a first pass for capturing a plan for github access organization expressjs/express#5503

@TooTallNate

You can probably remove me. Not sure what triggered me being invited here.

@defunctzombie

I can also be removed.

@ljharb
Contributor

ljharb commented Feb 24, 2024

@TooTallNate @defunctzombie thanks for commenting; you still had publish access on a few packages :-)

@jonchurch
Member

jonchurch commented Feb 27, 2024

This might live best in here, comment I left on a PR associated with updating the Contributing.md around these topics:

from wesleytodd:
I think we need some more work on this. I left a few initial questions but also I think we need to define what the team names are and likely what specific permissions they have. This should both be a doc for folks to understand what it means but also for us on how explicitly to manage it so we are all on the same page on how to do it.

I left the team names out because naming is hard! I agree we should define names and specific perms

Github has built in roles that are close to what we want, but we should evaluate if we need deviations. I err on the side of running with the built in perms where possible and adjusting when necessary.

an aside... re: evaluating deviations from the built in roles: e.g. Triagers can review/approve/reject PRs, but the reviews don't count towards merging, as approval by user w/ write permissions is required. It's a nit, but PRs that don't get merged despite being approved by N folks w/o write looks worse than a PR not merging bc it hasn't been approved at all. Taking away approval perms from Triagers is not a priority, but it is an example of a perm we could deviate on and a weak justification. Honestly, this is likely moot bc you can't create custom roles without having Github Enterprise

Here is a summary of the groups I outlined in the PR and what permissions I am suggesting:

  • @expressjs/express-tc (already exists) -- owners role on the org as defined in github org permission docs
  • expressjs/project-captain -- no role assigned to the team beyond base org member role. Dunno if this team would be useful or not as permissions for maintaining a given repo will not be assigned at team level, but individually applied to user accounts. It would give an @expressjs/project-captain mention ability, but I don't think I see the need for pinging like 3-4 people who are captains, but not all committers. Won't block on this.
    • Users will be individually assigned admin repo role as defined in github repo permission docs, per repo they are given project captain status for
  • @expressjs/committers -- no role assigned to the team beyond base org member role (I'm assuming that committers have write on a subset of repos and not all in the org, if it's all repos in the org then team based permissions would be appropriate). This one I actually do see as having everyone w/ a commit bit, including TC, Project Captains, and Committers w/ ad hoc write access. So you can just ping everyone with write.
    • Users will be individually assigned write repo role as defined in github repo permission docs, per repo they are given committer status for
  • @expressjs/triagers (already exists) -- triager role on each repo as defined in github repo permission docs

Glossary for Above

  • team -- Github team, a named group of people which can be used to manage permissions/access for people in an organization, sending notifications via @ mention, or requesting review from the team on PRs
  • role -- Github role, a set of built in permissions bundled under a specific name which can be assigned to a user or a team. There are different roles at the Org level and the Repo level
  • "individually applied permission" -- manually adding/removing a role or specific permissions for a given collaborator's user account
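
Added example, not part of the thread or the project's tooling: a small drift audit for the model discussed above (owners limited to the TC, no members without 2FA, everyone with a commit bit in the committers team). The snapshot layout, account names and repo names are hypothetical, and counting TC members as writers is an assumption taken from the summary above.

```python
# Audit a constructed access snapshot against the access model proposed in this thread.
# All accounts, repos and the snapshot layout below are hypothetical sample data.
WRITE_ROLES = {"write", "maintain", "admin"}  # GitHub repo roles that can push

SNAPSHOT = {
    "tc": {"alice", "bob"},  # active TC roster
    "org_members": {
        "alice": {"role": "owner", "two_factor": True},
        "bob": {"role": "owner", "two_factor": True},
        "carol": {"role": "owner", "two_factor": True},   # owner, not on the TC
        "dave": {"role": "member", "two_factor": False},  # 2FA not enabled
        "erin": {"role": "member", "two_factor": True},
    },
    "teams": {"committers": {"alice", "bob", "dave"}},
    "repo_roles": {  # roles applied individually to user accounts, per repo
        "example-repo": {"alice": "admin", "dave": "write", "erin": "write"},
        "other-repo": {"bob": "admin", "erin": "triage"},
    },
}


def audit(snap):
    """Return sorted (check, account) findings where the snapshot drifts from the model."""
    findings = set()
    for user, info in snap["org_members"].items():
        if info["role"] == "owner" and user not in snap["tc"]:
            findings.add(("owner-not-on-tc", user))
        if not info["two_factor"]:
            findings.add(("2fa-disabled", user))
    # Everyone holding a push-capable role on at least one repo.
    writers = {
        user
        for roles in snap["repo_roles"].values()
        for user, role in roles.items()
        if role in WRITE_ROLES
    }
    writers |= snap["tc"]  # assumption: TC members are owners and count as writers
    committers = snap["teams"]["committers"]
    for user in writers - committers:
        findings.add(("write-but-not-in-committers", user))
    for user in committers - writers:
        findings.add(("in-committers-without-write", user))
    return sorted(findings)


if __name__ == "__main__":
    for check, user in audit(SNAPSHOT):
        print(f"{check}: {user}")
```
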
