Governance: update maintainer Admin exception rule

[Luap99]

Instead of granting people outright admin access we should limit the scope. Github offers us a org wide "CI/CD Admin" rule that can be used to manage all the import CI configs. In particular I assigned that role to Ashley as she requires that access to manage the macos worker pool.

Using the roles to limit access is better for security as we do not have to give out Admin or org wide Owner access then.

Does this PR introduce a user-facing change?

None

[Luap99]

@mheon @baude @mtrmac @nalind @giuseppe WDYT?

cc @timcoding1988 @ashley-cui

[giuseppe]

good idea,

LGTM

[mtrmac]

+1

[ashley-cui]

Note that this only gives access to org-wide CI configs. I don't have access to maintain repos that I'm not a maintainer of, ie buildah, skopeo. It might be a good idea to create a CI/CD repo role to give to those who need it.

[Luap99]

Note that this only gives access to org-wide CI configs. I don't have access to maintain repos that I'm not a maintainer of, ie buildah, skopeo. It might be a good idea to create a CI/CD repo role to give to those who need it.

Ah I thought the org thing trumps repo rules but I guess not, I guess we need to create custom per repo rule then with "CI/CD Admin" access and then can assign users to that as well.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[mheon]

Does this really give secrets access? Huh.

[Luap99]

Does this really give secrets access? Huh.

So wait reading the github docs the ability to edit secrets should already be there with the write access
https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization

So this role is really only about for org wide secrets/runner management. I don't think this role per repo would make sense.

Looking into the role settings there seem to be difference between actions secrets which you get with write access

Manage repository Actions secrets
Manage repository Actions variables

and

Manage repository environments, environment secrets and variables

which the extra CI/CD role adds, totally not confusing...

I know @ashley-cui needs the org wide role for the org wide runner management but for the per repo actions secrets we use it does not seem to be needed

[Luap99]

Ok this seems to be related to the environment feature
https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments

Seems like something worth investigating to further harden release workflows

[Luap99]

updated the wording to mention both org and repo level rules, hopefully this is not to confusing