I think I could write a script that loops over all repos and activates branch restrictions to allow only our sync-bot to push.

Running this daily should avoid the case where a new repo is added and someone forgets to add the restriction.

In the future we can use the same bot for other maintenance tasks.

* in python, obviously.
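A script of the kind described above, written as an added example and not the original poster's code: it pages through every repository in a GitHub org via the REST API, checks whether the protected branch's push allow-list is exactly the sync bot, and (re)applies the restriction where it is missing or has drifted. The org name, the `master` branch, the `sync-bot` login and the `GITHUB_TOKEN` environment variable are assumptions; `request` is injectable so the drift check can be exercised without network access.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Callable, List, Optional

def protection_payload(bot_user: str) -> dict:
    """Branch-protection body whose push allow-list is exactly the bot; the
    other three keys are mandatory for this endpoint and left permissive."""
    return {
        "required_status_checks": None,
        "enforce_admins": True,  # admins are the ones who push by accident
        "required_pull_request_reviews": None,
        "restrictions": {"users": [bot_user], "teams": [], "apps": []},
    }

def needs_fix(current: Optional[dict], bot_user: str) -> bool:
    """True if unprotected (None: GET gave 404) or allow-list is not bot-only."""
    if not current:
        return True
    r = current.get("restrictions") or {}
    users = {u["login"] for u in r.get("users", [])}
    return users != {bot_user} or bool(r.get("teams")) or bool(r.get("apps"))

def github_request(method: str, path: str, body: Optional[dict] = None):
    """Authenticated REST call (token from GITHUB_TOKEN, an assumption); None on 404."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request("https://api.github.com" + path, data=data,
        method=method, headers={"Accept": "application/vnd.github+json",
        "Authorization": "token " + os.environ["GITHUB_TOKEN"]})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise

def enforce(org, bot_user, branch="master", request=github_request) -> List[str]:
    """Walk every repo in the org (paged); return those that were (re)protected."""
    fixed, page = [], 1
    while True:
        repos = request("GET", f"/orgs/{org}/repos?per_page=100&page={page}") or []
        if not repos:
            return fixed
        for repo in repos:
            path = f"/repos/{org}/{repo['name']}/branches/{branch}/protection"
            if needs_fix(request("GET", path), bot_user):
                request("PUT", path, protection_payload(bot_user))
                fixed.append(repo["name"])
        page += 1
```

Run daily from cron as `enforce("<org>", "sync-bot")`; repos created since the last run come back unprotected (404) and get the restriction applied on the next pass.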

On 28 Jun 2019, at 09:43, Thierry Carrez <thierry@openstack.org> wrote:

James E. Blair wrote:
Thierry Carrez <thierry@openstack.org> writes:
I'd do a limited number of personal accounts, all with 2FA.
One thing I would encourage folks to consider is that GitHub makes it
remarkably easy to do something "administrative" accidentally.  Any of
these accounts can easily accidentally push a commit, tag, etc., to the
mirrored repos.  It's not going to be destructive to the project in the
long term, since it's merely a mirror of the authoritative code in
Gerrit, but if we think it's important to protect the accounts with 2FA
to reduce the chance of a malicious actor pushing a commit to a
widely-used mirror, then we should similarly consider preventing an
accidental push from a good actor.  This is the principal reason that
the Infra team developed its secondary-or-shared account policy.
Especially if the folks who manage this are also folks who work on these
repos, we're one "git push" away from having egg on our collective face.
If the folks managing the GitHub presence are also developers, I would
encourage the use of a shared or secondary account.

That is a fair point that I had not considered.

That said, wouldn't the risk be relatively limited if the "admins" never check out or clone from GitHub itself?

-- 
Thierry Carrez (ttx)