Cleanup permissions for shipyard maintained repos

[aschmahmann]

Summary

This is a general cleanup of permissions across a number of repos that Shipyard maintains, also adds a shipyard team. The general forms of the changes look like:

• Remove individuals in exchange for teams
• Replace w3dt-stewards access with shipyard access (generally with shipyard having maintain rather than admin unless the repo already had lots of individually added admins, although even there we could probably reduce permissions more)
• Removed the github-mgmt stewards groups pull permissions since those don't seem necessary (pull generally seems not that useful in public repos, and there's nothing special for the github-mgmt stewards to need there that they won't have elsewhere via org permissions)
• Reduced some users' permissions who haven't made commits in a while (but happy to restore if they're interested)

Why do you need this?

Overall the number of admins in these repos seems much higher than necessary, especially given the ability to escalate via github-mgmt if needed. For repos shipyard maintains I'd like permissions scoped down where possible. This seems like the easiest cleanup although I wouldn't be surprised if we want to shrink permissions more and/or look at more repos than just the ones I've covered here.

What else do we need to know?

TODO: tag people with permission reductions once CI generates the list

DRI: myself

Reviewer's Checklist

• It is clear where the request is coming from (if unsure, ask)
• All the automated checks passed
• The YAML changes reflect the summary of the request
• The Terraform plan posted as a comment reflects the summary of the request

[github-actions]

The following access changes will be introduced as a result of applying the plan:

Access Changes

User 2color:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
User aarshkshah1992:
  - will have the permission to boxo change from maintain to push
User achingbrain:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to service-worker-gateway change from pull to admin
  - will have the permission to someguy change from admin to maintain
User adlrocha:
  - will have the permission to boxo change from maintain to push
User alanshaw:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User anorth:
  - will have the permission to boxo change from maintain to push
User arajasek:
  - will lose admin permission to boxo
  - will lose admin permission to kubo
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User aschmahmann:
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-cli change from pull to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-http-gateway change from pull to maintain
  - will have the permission to helia-remote-pinning change from pull to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
User daviddias:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User dennis-tra:
  - will lose push permission to kubo
User dignifiedquire:
  - will have the permission to boxo change from maintain to push
User dirkmc:
  - will have the permission to boxo change from maintain to push
User frrist:
  - will have the permission to boxo change from maintain to push
User galargh:
  - will lose admin permission to kubo
  - will lose admin permission to rainbow
User gammazero:
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
  - will gain maintain permission to helia-cli
  - will gain maintain permission to helia-http-gateway
  - will gain maintain permission to helia-remote-pinning
  - will gain admin permission to service-worker-gateway
User gmasgras:
  - will have the permission to boxo change from maintain to push
User guillaumemichel:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
  - will gain maintain permission to helia-cli
  - will gain maintain permission to helia-http-gateway
  - will gain maintain permission to helia-remote-pinning
  - will gain admin permission to service-worker-gateway
User guseggert:
  - will have the permission to boxo change from maintain to push
User hacdias:
  - will have the permission to boxo change from maintain to push
User hannahhoward:
  - will have the permission to boxo change from maintain to push
User hsanjuan:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User iand:
  - will have the permission to boxo change from maintain to push
User ischasny:
  - will have the permission to boxo change from maintain to push
User jacobheun:
  - will have the permission to boxo change from maintain to push
User jbenet:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User jorropo:
  - will have the permission to boxo change from admin to push
  - will lose admin permission to helia
  - will lose admin permission to helia-delegated-routing-v1-http-api
  - will lose admin permission to helia-verified-fetch
  - will lose admin permission to ipfs-check
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User kubuxu:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User laurentsenta:
  - will lose admin permission to kubo
  - will lose admin permission to rainbow
User lidel:
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-cli change from push to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-http-gateway change from pull to maintain
  - will have the permission to helia-remote-pinning change from pull to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
User magik6k:
  - will have the permission to boxo change from maintain to push
User marcopolo:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to helia change from admin to maintain
  - will have the permission to helia-delegated-routing-v1-http-api change from admin to maintain
  - will have the permission to helia-verified-fetch change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
  - will gain maintain permission to helia-cli
  - will gain maintain permission to helia-http-gateway
  - will gain maintain permission to helia-remote-pinning
User marten-seemann:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User masih:
  - will have the permission to boxo change from maintain to push
User mishmosh:
  - will lose pull permission to boxo
  - will lose pull permission to helia
  - will lose pull permission to helia-cli
  - will lose pull permission to helia-delegated-routing-v1-http-api
  - will lose pull permission to helia-http-gateway
  - will lose pull permission to helia-remote-pinning
  - will lose pull permission to helia-verified-fetch
  - will lose pull permission to rainbow
  - will lose pull permission to service-worker-gateway
  - will lose pull permission to someguy
User momack2:
  - will lose admin permission to boxo
  - will have the permission to kubo change from admin to pull
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User olizilla:
  - will lose admin permission to boxo
  - will have the permission to kubo change from admin to pull
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User petar:
  - will have the permission to boxo change from maintain to push
User raulk:
  - will have the permission to boxo change from maintain to push
User ribasushi:
  - will have the permission to boxo change from maintain to push
User rvagg:
  - will have the permission to boxo change from maintain to push
User sgtpooki:
  - will have the permission to boxo change from admin to maintain
  - will have the permission to kubo change from admin to maintain
  - will have the permission to rainbow change from admin to maintain
  - will have the permission to someguy change from admin to maintain
User stebalien:
  - will have the permission to boxo change from admin to push
  - will lose pull permission to helia
  - will lose pull permission to helia-cli
  - will lose pull permission to helia-delegated-routing-v1-http-api
  - will lose pull permission to helia-http-gateway
  - will lose pull permission to helia-remote-pinning
  - will lose pull permission to helia-verified-fetch
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose pull permission to service-worker-gateway
  - will lose admin permission to someguy
User travisperson:
  - will have the permission to boxo change from maintain to push
User vyzo:
  - will have the permission to boxo change from maintain to push
User warpfork:
  - will have the permission to boxo change from maintain to push
User whizzzkid:
  - will lose admin permission to helia
  - will lose admin permission to helia-cli
  - will lose admin permission to helia-delegated-routing-v1-http-api
  - will lose admin permission to helia-http-gateway
  - will lose admin permission to helia-remote-pinning
  - will lose admin permission to helia-verified-fetch
  - will lose pull permission to service-worker-gateway
User whyrusleeping:
  - will have the permission to boxo change from admin to push
  - will have the permission to kubo change from admin to push
  - will lose admin permission to rainbow
  - will lose admin permission to someguy
User willscott:
  - will have the permission to boxo change from maintain to push
  - will lose pull permission to helia
  - will lose pull permission to helia-cli
  - will lose pull permission to helia-delegated-routing-v1-http-api
  - will lose pull permission to helia-http-gateway
  - will lose pull permission to helia-remote-pinning
  - will lose pull permission to helia-verified-fetch
  - will lose pull permission to rainbow
  - will lose pull permission to service-worker-gateway
  - will lose pull permission to someguy

[github-actions]

Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.

Terraform plans

ipfs

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # github_branch_protection.this["kubo:bifrost-*"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMjEwNDk3MDM="
      ~ push_restrictions               = [
          - "/aschmahmann",
          - "/gmasgras",
          - "/thattommyhall",
          + "ipfs/kubo-maintainers",
        ]
        # (10 unchanged attributes hidden)
    }

  # github_branch_protection.this["kubo:feat/stabilize-dht"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTUwNDUxNjk="
      ~ push_restrictions               = [
          - "/aschmahmann",
          - "/gmasgras",
          + "ipfs/kubo-maintainers",
        ]
        # (10 unchanged attributes hidden)
    }

  # github_branch_protection.this["kubo:master"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMjI5MDgxMA=="
      ~ push_restrictions               = [
          + "ipfs/kubo-maintainers",
        ]
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # github_branch_protection.this["kubo:release"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlNjU3MzY4"
      ~ push_restrictions               = [
          - "/Jorropo",
          - "/Stebalien",
          - "/aschmahmann",
          - "/hacdias",
          - "/whyrusleeping",
        ]
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # github_branch_protection.this["kubo:release-*"] will be updated in-place
  ~ resource "github_branch_protection" "this" {
        id                              = "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTU2NzQyNTc="
      ~ push_restrictions               = [
          - "/Stebalien",
          - "/aschmahmann",
          - "/hsanjuan",
          - "/whyrusleeping",
        ]
        # (10 unchanged attributes hidden)
    }

  # github_repository_collaborator.this["helia-cli:achingbrain"] will be destroyed
  # (because key ["helia-cli:achingbrain"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-cli:achingbrain" -> null
      - permission = "admin" -> null
      - repository = "helia-cli" -> null
      - username   = "achingbrain" -> null
    }

  # github_repository_collaborator.this["helia-delegated-routing-v1-http-api:achingbrain"] will be destroyed
  # (because key ["helia-delegated-routing-v1-http-api:achingbrain"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-delegated-routing-v1-http-api:achingbrain" -> null
      - permission = "admin" -> null
      - repository = "helia-delegated-routing-v1-http-api" -> null
      - username   = "achingbrain" -> null
    }

  # github_repository_collaborator.this["helia-http-gateway:sgtpooki"] will be destroyed
  # (because key ["helia-http-gateway:sgtpooki"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-http-gateway:SgtPooki" -> null
      - permission = "admin" -> null
      - repository = "helia-http-gateway" -> null
      - username   = "SgtPooki" -> null
    }

  # github_repository_collaborator.this["helia-http-gateway:whizzzkid"] will be destroyed
  # (because key ["helia-http-gateway:whizzzkid"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-http-gateway:whizzzkid" -> null
      - permission = "admin" -> null
      - repository = "helia-http-gateway" -> null
      - username   = "whizzzkid" -> null
    }

  # github_repository_collaborator.this["helia-remote-pinning:sgtpooki"] will be destroyed
  # (because key ["helia-remote-pinning:sgtpooki"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "helia-remote-pinning:SgtPooki" -> null
      - permission = "admin" -> null
      - repository = "helia-remote-pinning" -> null
      - username   = "SgtPooki" -> null
    }

  # github_repository_collaborator.this["kubo:dennis-tra"] will be destroyed
  # (because key ["kubo:dennis-tra"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "kubo:dennis-tra" -> null
      - permission = "push" -> null
      - repository = "kubo" -> null
      - username   = "dennis-tra" -> null
    }

  # github_repository_collaborator.this["kubo:lidel"] will be destroyed
  # (because key ["kubo:lidel"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "kubo:lidel" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - username   = "lidel" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:2color"] will be destroyed
  # (because key ["service-worker-gateway:2color"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:2color" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "2color" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:aschmahmann"] will be destroyed
  # (because key ["service-worker-gateway:aschmahmann"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:aschmahmann" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "aschmahmann" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:lidel"] will be destroyed
  # (because key ["service-worker-gateway:lidel"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:lidel" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "lidel" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:marcopolo"] will be destroyed
  # (because key ["service-worker-gateway:marcopolo"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:MarcoPolo" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "MarcoPolo" -> null
    }

  # github_repository_collaborator.this["service-worker-gateway:sgtpooki"] will be destroyed
  # (because key ["service-worker-gateway:sgtpooki"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "service-worker-gateway:SgtPooki" -> null
      - permission = "admin" -> null
      - repository = "service-worker-gateway" -> null
      - username   = "SgtPooki" -> null
    }

  # github_team.this["shipyard"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "Members of Interplanetary Shipyard who work with or on IPFS"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "shipyard"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team_membership.this["helia-dev:whizzzkid"] will be destroyed
  # (because key ["helia-dev:whizzzkid"] is not in for_each map)
  - resource "github_team_membership" "this" {
      - etag     = "W/\"514ee7e287d3fbdd9db2bdd6e910901c00128509a16b902e6b8a865071edf668\"" -> null
      - id       = "7676419:whizzzkid" -> null
      - role     = "member" -> null
      - team_id  = "7676419" -> null
      - username = "whizzzkid" -> null
    }

  # github_team_membership.this["kubo maintainers:jorropo"] will be destroyed
  # (because key ["kubo maintainers:jorropo"] is not in for_each map)
  - resource "github_team_membership" "this" {
      - etag     = "W/\"7a6fe0a037fb738e9e60b8b4d95c9370051249b77efd1cf8cf5f1816b2cef469\"" -> null
      - id       = "6744049:Jorropo" -> null
      - role     = "member" -> null
      - team_id  = "6744049" -> null
      - username = "Jorropo" -> null
    }

  # github_team_membership.this["shipyard:2color"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "2color"
    }

  # github_team_membership.this["shipyard:achingbrain"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "achingbrain"
    }

  # github_team_membership.this["shipyard:aschmahmann"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "aschmahmann"
    }

  # github_team_membership.this["shipyard:gammazero"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "gammazero"
    }

  # github_team_membership.this["shipyard:guillaumemichel"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "guillaumemichel"
    }

  # github_team_membership.this["shipyard:lidel"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "lidel"
    }

  # github_team_membership.this["shipyard:marcopolo"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "MarcoPolo"
    }

  # github_team_membership.this["shipyard:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_repository.this["admin:boxo"] will be destroyed
  # (because key ["admin:boxo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"eab881d3a54b24924fde0a9c96032c40c8d5cc24022758538a6b86fb94d08780\"" -> null
      - id         = "1516991:boxo" -> null
      - permission = "admin" -> null
      - repository = "boxo" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["admin:kubo"] will be destroyed
  # (because key ["admin:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"8dea37a2ebc1caa306c218ebdee8efbc5b2d8530fcc406bacb8108067d40ffb9\"" -> null
      - id         = "1516991:kubo" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["admin:rainbow"] will be destroyed
  # (because key ["admin:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"060ae3014587caa06317b93b8b257c7393c87c39d84d670767993457e9b9738d\"" -> null
      - id         = "1516991:rainbow" -> null
      - permission = "admin" -> null
      - repository = "rainbow" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["admin:someguy"] will be destroyed
  # (because key ["admin:someguy"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"9f2c6844cde3235fa865c116893ef5c32ee72f054defdb0060c1d00ef9b22fa1\"" -> null
      - id         = "1516991:someguy" -> null
      - permission = "admin" -> null
      - repository = "someguy" -> null
      - team_id    = "1516991" -> null
    }

  # github_team_repository.this["github-mgmt stewards:boxo"] will be destroyed
  # (because key ["github-mgmt stewards:boxo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"0d41abb65286530eed1b1163c333c79063c2e541205e3db46a9ea8aa9c1223c7\"" -> null
      - id         = "6421993:boxo" -> null
      - permission = "pull" -> null
      - repository = "boxo" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia"] will be destroyed
  # (because key ["github-mgmt stewards:helia"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"52744c7c0a700b5b393cb2d8ee1bcfa0ae7476fc83c9e8afc2b639ae6e5bfa7c\"" -> null
      - id         = "6421993:helia" -> null
      - permission = "pull" -> null
      - repository = "helia" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-cli"] will be destroyed
  # (because key ["github-mgmt stewards:helia-cli"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"2b53781f1925d641aafa8e09685dea4cd2426249c5e784f2d8ff34c87d0cbaf7\"" -> null
      - id         = "6421993:helia-cli" -> null
      - permission = "pull" -> null
      - repository = "helia-cli" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-delegated-routing-v1-http-api"] will be destroyed
  # (because key ["github-mgmt stewards:helia-delegated-routing-v1-http-api"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"1141eb50efef2c76f90bf9b033f02352b9b98affc80238fbb04dfe6108d312f0\"" -> null
      - id         = "6421993:helia-delegated-routing-v1-http-api" -> null
      - permission = "pull" -> null
      - repository = "helia-delegated-routing-v1-http-api" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-http-gateway"] will be destroyed
  # (because key ["github-mgmt stewards:helia-http-gateway"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"c215c6c292883ed30586fada6fa987b8ab1de585b5f5079f6d9ae1d00d3e3470\"" -> null
      - id         = "6421993:helia-http-gateway" -> null
      - permission = "pull" -> null
      - repository = "helia-http-gateway" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-remote-pinning"] will be destroyed
  # (because key ["github-mgmt stewards:helia-remote-pinning"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"a07a7af0f75ca7ff334381753764b7a54092c540b2b3b88d928ab6a2c85c9a8d\"" -> null
      - id         = "6421993:helia-remote-pinning" -> null
      - permission = "pull" -> null
      - repository = "helia-remote-pinning" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:helia-verified-fetch"] will be destroyed
  # (because key ["github-mgmt stewards:helia-verified-fetch"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"133afb64c1f151295ec79432ec6558ce9c0febd37453aa491ee58cfda829545c\"" -> null
      - id         = "6421993:helia-verified-fetch" -> null
      - permission = "pull" -> null
      - repository = "helia-verified-fetch" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:kubo"] will be destroyed
  # (because key ["github-mgmt stewards:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"ee856debdc791b6babe3b8bd55e7128afc8390e10a80719ff8d8488109d81603\"" -> null
      - id         = "6421993:kubo" -> null
      - permission = "pull" -> null
      - repository = "kubo" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:rainbow"] will be destroyed
  # (because key ["github-mgmt stewards:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"cbd4b7420de793c65a2b1b41959bbf4fd137677dcb8d25bc3b20305c50e8a329\"" -> null
      - id         = "6421993:rainbow" -> null
      - permission = "pull" -> null
      - repository = "rainbow" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:service-worker-gateway"] will be destroyed
  # (because key ["github-mgmt stewards:service-worker-gateway"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"035805476dda8e7b0978f2e1208a3089a0543983ea8b441105502771d8171e3e\"" -> null
      - id         = "6421993:service-worker-gateway" -> null
      - permission = "pull" -> null
      - repository = "service-worker-gateway" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["github-mgmt stewards:someguy"] will be destroyed
  # (because key ["github-mgmt stewards:someguy"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"648496a6eb4619e005b4d7c4fcf28f4ac26eb5923b77cdffbc0d1d129b50c5b8\"" -> null
      - id         = "6421993:someguy" -> null
      - permission = "pull" -> null
      - repository = "someguy" -> null
      - team_id    = "6421993" -> null
    }

  # github_team_repository.this["helia-dev:service-worker-gateway"] will be updated in-place
  ~ resource "github_team_repository" "this" {
        id         = "7676419:service-worker-gateway"
      ~ permission = "pull" -> "admin"
        # (3 unchanged attributes hidden)
    }

  # github_team_repository.this["ipdx:kubo"] will be destroyed
  # (because key ["ipdx:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"8dea37a2ebc1caa306c218ebdee8efbc5b2d8530fcc406bacb8108067d40ffb9\"" -> null
      - id         = "6349983:kubo" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - team_id    = "6349983" -> null
    }

  # github_team_repository.this["ipdx:rainbow"] will be destroyed
  # (because key ["ipdx:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"060ae3014587caa06317b93b8b257c7393c87c39d84d670767993457e9b9738d\"" -> null
      - id         = "6349983:rainbow" -> null
      - permission = "admin" -> null
      - repository = "rainbow" -> null
      - team_id    = "6349983" -> null
    }

  # github_team_repository.this["maintainers:kubo"] will be destroyed
  # (because key ["maintainers:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"5cf6b39cd315e6447f336f2166e877c9f4762c4081159f75b5240153ec82677c\"" -> null
      - id         = "3729031:kubo" -> null
      - permission = "push" -> null
      - repository = "kubo" -> null
      - team_id    = "3729031" -> null
    }

  # github_team_repository.this["merge - go:boxo"] will be updated in-place
  ~ resource "github_team_repository" "this" {
        id         = "3364102:boxo"
      ~ permission = "maintain" -> "push"
        # (3 unchanged attributes hidden)
    }

  # github_team_repository.this["repos - go:boxo"] will be updated in-place
  ~ resource "github_team_repository" "this" {
        id         = "3232508:boxo"
      ~ permission = "maintain" -> "push"
        # (3 unchanged attributes hidden)
    }

  # github_team_repository.this["shipyard:boxo"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "boxo"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-cli"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-cli"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-delegated-routing-v1-http-api"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-delegated-routing-v1-http-api"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-http-gateway"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-http-gateway"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-remote-pinning"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-remote-pinning"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:helia-verified-fetch"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "helia-verified-fetch"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:kubo"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "kubo"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:rainbow"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "rainbow"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:service-worker-gateway"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "admin"
      + repository = "service-worker-gateway"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["shipyard:someguy"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "maintain"
      + repository = "someguy"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["w3dt-stewards:boxo"] will be destroyed
  # (because key ["w3dt-stewards:boxo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"eab881d3a54b24924fde0a9c96032c40c8d5cc24022758538a6b86fb94d08780\"" -> null
      - id         = "4656983:boxo" -> null
      - permission = "admin" -> null
      - repository = "boxo" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:helia"] will be destroyed
  # (because key ["w3dt-stewards:helia"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"9e60726a28766ad67e5e425e8d90b5c704c774d41310edd212e5546b00a9448f\"" -> null
      - id         = "4656983:helia" -> null
      - permission = "admin" -> null
      - repository = "helia" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:helia-delegated-routing-v1-http-api"] will be destroyed
  # (because key ["w3dt-stewards:helia-delegated-routing-v1-http-api"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"66fa3d8b28632cf4950357dfe2f756ac35a0b86a2a008bd42376794dafc11e8c\"" -> null
      - id         = "4656983:helia-delegated-routing-v1-http-api" -> null
      - permission = "admin" -> null
      - repository = "helia-delegated-routing-v1-http-api" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:helia-verified-fetch"] will be destroyed
  # (because key ["w3dt-stewards:helia-verified-fetch"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"94157302708f7068483e913b3b84058e56702c389f75765e89c24b6997410a24\"" -> null
      - id         = "4656983:helia-verified-fetch" -> null
      - permission = "admin" -> null
      - repository = "helia-verified-fetch" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:kubo"] will be destroyed
  # (because key ["w3dt-stewards:kubo"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"8dea37a2ebc1caa306c218ebdee8efbc5b2d8530fcc406bacb8108067d40ffb9\"" -> null
      - id         = "4656983:kubo" -> null
      - permission = "admin" -> null
      - repository = "kubo" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:rainbow"] will be destroyed
  # (because key ["w3dt-stewards:rainbow"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"060ae3014587caa06317b93b8b257c7393c87c39d84d670767993457e9b9738d\"" -> null
      - id         = "4656983:rainbow" -> null
      - permission = "admin" -> null
      - repository = "rainbow" -> null
      - team_id    = "4656983" -> null
    }

  # github_team_repository.this["w3dt-stewards:someguy"] will be destroyed
  # (because key ["w3dt-stewards:someguy"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"9f2c6844cde3235fa865c116893ef5c32ee72f054defdb0060c1d00ef9b22fa1\"" -> null
      - id         = "4656983:someguy" -> null
      - permission = "admin" -> null
      - repository = "someguy" -> null
      - team_id    = "4656983" -> null
    }

Plan: 20 to add, 8 to change, 39 to destroy.

[aschmahmann]

@achingbrain @SgtPooki I added Shipyard as maintainers for some repos where there were no ambient admin permissions for the "admin" or w3dt-stewards teams. It might be that these are unnecessary or should just be push permissions. Happy to downgrade if you think that makes more sense.

[SgtPooki]

this should be fine, and we haven't touched helia-cli in a while, and likely won't

[aschmahmann]

@ipfs/ipdx how can I set this to push restrictions on, but with no associated group? IIUC there's nothing you can do anyway to stop admins from pushing (or maintainers from pushing with approval) so adding groups here seems unnecessary provided you can keep the restrictions enabled.

[aschmahmann]

@dennis-tra I'm removing your permissions here and there will be a follow up PR to add you to the IPFS org and from there you can get added to any teams you need to be.

[dennis-tra]

Sounds good, thanks for the heads-up! 👍

[aschmahmann]

@ipfs/ipdx any idea why these pull permissions got added everywhere in fe64a02?

[galargh]

Yes! This is because github-mgmt stewards group is designated as moderator and security manager as per #189

So, unfortunately, they're going to come back, but you don't necessarily have to restore them yourself. The apply should go through anyway, and the config will be updated during the weekly sync.

[aschmahmann]

@lidel WDYT about giving push to repos Go for rainbow and someguy?

[lidel]

Probably ok, that group already has "maintain" in boxo, so push will make it easier for existing community to submit PRs.

ps. there is a separate long-term meta-worry in that there is way too many people in https://github.com/orgs/ipfs/teams/repos-go, and if our intention is to limit security risks / access, we should plan to subset that group.

[SgtPooki]

looks fine to me (only searched for my username and looked through removals or items where I was left). I really wish it was easier to see the specific repo the changes are for

[SgtPooki]

this should be fine, and we haven't touched helia-cli in a while, and likely won't

[galargh]

Great job!

[galargh]

Yes! This is because github-mgmt stewards group is designated as moderator and security manager as per #189

So, unfortunately, they're going to come back, but you don't necessarily have to restore them yourself. The apply should go through anyway, and the config will be updated during the weekly sync.

[SgtPooki]

@aschmahmann should we merge this on monday?