Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow team leaders to edit their teams #1758

Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

allow team leaders to edit their teams #1758

wants to merge 4 commits into from

Conversation

marcoieni
Copy link
Member

@marcoieni marcoieni commented Apr 1, 2025
edited
Loading

We want to give team leaders permission to approve PRs in this repository, so that they can unblock their teams.

The question is: how much permission can we give them? If you look at the CODEOWNERS file, you can see that anyone with write access can approve PRs in the /people /repos and /teams directories.
But what if an attacker compromises a team-lead's account? They could then approve their own PRs
to remove branch protection rules, kick out team members, or archive all rust-lang repositories.

To prevent this, we want to limit the permissions of team-leads to only the directories they own,
i.e. their /teams and the /repos owned by their teams.

With this PR, I start by giving team-leads write access to their own /teams directory.

Con of this approach: team-repo-admins and mods will be notified about every change in the people, teams and repos directory.

  • If this is approved, merge the leads = "write" before this PR, so that team leads have write access

marcoieni
marcoieni commented Apr 1, 2025
View reviewed changes
.github/CODEOWNERS Outdated
people/**/*.toml @rust-lang/team-repo-admins @rust-lang/mods @Mark-Simulacrum @pietroalbini @jdno @marcoieni
repos/**/*.toml @rust-lang/team-repo-admins @rust-lang/mods @Mark-Simulacrum @pietroalbini @jdno @marcoieni
# Useful for teams without leaders.
teams/**/*.toml @rust-lang/team-repo-admins @rust-lang/mods @Mark-Simulacrum @pietroalbini @jdno @marcoieni
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unfortunately with this approach we need to add specific owners in these generic directories, otherwise the team-leads will have the same permissions of team-repo-admins and mods, i.e. they could approve PRs on all these toml files

@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 1, 2025
edited
Loading

Dry-run check results 

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing github
[INFO  sync_team] 💻 Repo Diffs:
    📝 Editing repo 'rust-lang/team':
      Permission Changes:
        Giving team 'leads' write permission

@marcoieni marcoieni mentioned this pull request Apr 2, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mark-Simulacrum Mark-Simulacrum Awaiting requested review from Mark-Simulacrum Mark-Simulacrum will be requested when the pull request is marked ready for review Mark-Simulacrum is a code owner

@pietroalbini pietroalbini Awaiting requested review from pietroalbini pietroalbini will be requested when the pull request is marked ready for review pietroalbini is a code owner

@jdno jdno Awaiting requested review from jdno jdno will be requested when the pull request is marked ready for review jdno is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@marcoieni