I think I could write a script that loops over all repos and activates branch restrictions to allow only our sync-bot to push. Running this daily should avoid the case where a new repo is added and someone forgets to add the restriction. In the future we can use the same bot for other maintenance tasks. * in python, obviously.
On 28 Jun 2019, at 09:43, Thierry Carrez <thierry@openstack.org> wrote:
James E. Blair wrote:
I'd do a limited number of personal accounts, all with 2FA. One thing I would encourage folks to consider is that GitHub makes it remarkably easy to do something "administrative" accidentally. Any of
Thierry Carrez <thierry@openstack.org> writes: these accounts can easily accidentally push a commit, tag, etc., to the mirrored repos. It's not going to be destructive to the project in the long term, since it's merely a mirror of the authoritative code in Gerrit, but if we think it's important to protect the accounts with 2FA to reduce the chance of a malicious actor pushing a commit to a widely-used mirror, then we should similarly consider preventing an accidental push from a good actor. This is the principal reason that the Infra team developed its secondary-or-shared account policy. Especially if the folks who manage this are also folks who work on these repos, we're one "git push" away from having egg on our collective face. If the folks managing the GitHub presence are also developers, I would encourage the use of a shared or secondary account.
That is a fair point that I had not considered.
That said, wouldn't the risk be relatively limited if the "admins" never checkout or clone from GitHub itself ?
-- Thierry Carrez (ttx)