On Fri, Jun 28, 2019 at 07:49:10AM -0700, James E. Blair wrote:
Thierry Carrez <thierry@openstack.org> writes:
James E. Blair wrote:
Especially if the folks who manage this are also folks who work on these repos, we're one "git push" away from having egg on our collective face.
If the folks managing the GitHub presence are also developers, I would encourage the use of a shared or secondary account.
That is a fair point that I had not considered.
That said, wouldn't the risk be relatively limited if the "admins" never check out or clone from GitHub itself?
Yes, the biggest risk is if one of the admins is a regular user of GitHub. If they don't have their own GitHub-forks of the OpenStack repos, and they only ever clone their local copies from OpenDev (or, they are not developers at all), then I think the risk of accidents on a personal account is fairly low.
-Jim
There are some tools out there that have been created to help mitigate these kinds of things. One I recently came across is described here: https://www.jeff.wilcox.name/2015/11/azure-on-github/
I'm not advocating for trying to adapt that tool, but I think it shows that something can be stood up relatively easily that would provide a separation of control to prevent accidental admin access modifications while still making it easy to see and manage a large number of repos.
Seems fairly easy enough to even just create a githubadmin@openstack.org account and control access via that.
Sean