| 1 | +# Permissions across the Project |
| 2 | + |
| 3 | +This document describes what access permissions are granted to individuals in |
| 4 | +different [roles in the project](https://www.astropy.org/team.html#roles). |
| 5 | + |
| 6 | +Occasional *temporary* write (or higher) permissions may be granted for specific |
| 7 | +tasks (for example, a maintainer may be given admin rights to a repo to |
| 8 | +configure CI for the first time or similar). Such permissions must be done |
| 9 | +temporarily unless prescribed otherwise by this document. |
| 10 | + |
| 11 | +For GitHub, the |
| 12 | +[permissions](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/repository-roles-for-an-organization) |
| 13 | +are enforced by adding individuals to the GitHub team |
| 14 | +matching their role (for example, "Astropy Core Maintainers" or "Astropy |
| 15 | +website maintainers" for a core maintainer or the astropy.org team, respectively), |
| 16 | +a duty primarily performed at the moment by the Coordination Committee. |
| 17 | +Temporary permissions should instead use the "collaborator" feature on Github to |
| 18 | +make it clear that these permissions are temporary in nature. |
| 19 | + |
| 20 | +Additionally, the granter of permissions (usually the Coordination Committee) |
| 21 | +should send a message to the new recipient of write permissions listing the |
| 22 | +responsibilities and expectations that go with this - a template for this email |
| 23 | +is available [in this repo](../messages/maintainer_access.md). That message may |
| 24 | +contain a prompt for a response, which should be cc-ed/forwarded to |
| 25 | +`coordinators[at]astropy.org`. |
| 26 | + |
| 27 | +## Access levels |
| 28 | + |
| 29 | +### Core package maintainers |
| 30 | + |
| 31 | +All maintainers listed for the core package receive *write access* to the |
| 32 | +repository via the **Astropy Core Maintainers** GitHub team. |
| 33 | + |
| 34 | +### Coordinated package maintainers |
| 35 | + |
| 36 | +Coordinated package maintainers receive **admin access** to the coordinated |
| 37 | +package repositories via the **<package name> maintainers** GitHub team (e.g., |
| 38 | +'astroquery maintainers'). |
| 39 | + |
| 40 | +Lower priviledge access (e.g., write, triage) could be assigned to additional |
| 41 | +contributors as separate teams (e.g., 'Astroquery Triage'). |
| 42 | + |
| 43 | +### Core package release coordinators |
| 44 | + |
| 45 | +Core package release coordinators receive **admin access** to the core |
| 46 | +repository, as well as the extension-helpers repository |
| 47 | +since releases of those packages may be tightly coupled, as |
| 48 | +well as **write access** to the website repository. This is done via the **Core |
| 49 | +release maintainers** GitHub team. |
| 50 | + |
| 51 | +### Coordination committee |
| 52 | + |
| 53 | +The Coordination Committee members receive **owner access** to |
| 54 | +the astropy GitHub organization. Members who are not familiar or |
| 55 | +comfortable with GitHub administration may opt out. However, |
| 56 | +a majority of the committee should have access. If necessary, |
| 57 | +members should receive GitHub administration training before given access. |
| 58 | + |
| 59 | +In addition, they have access to the project |
| 60 | +credentials (or the shared password manager to access the credentials). |
| 61 | +As with GitHub access above, members may opt out but the majority and training |
| 62 | +rules also apply here. |
| 63 | + |
| 64 | +In general, the use of owner access requires permission of the rest of the Coordination |
| 65 | +Committee. Furthermore, regardless of access level, the members are always bound by |
| 66 | +[APE 0](https://github.com/astropy/astropy-APEs/blob/main/APE0.rst). |
| 67 | +For example, the Coordination Committee, let alone just one of its members, cannot |
| 68 | +delete or transfer a repository without first obtaining consensus from the community. |
| 69 | + |
| 70 | +## Other ways to gain access |
| 71 | + |
| 72 | +Besides the process laid out a the beginning of this document, |
| 73 | +which might not cover all cases, other ways include: |
| 74 | + |
| 75 | +### Automated access |
| 76 | + |
| 77 | +We have an automated workflow to |
| 78 | +[invite organization members based on merged PRs](https://github.com/astropy/astropy-tools/actions/workflows/update_org_members.yml). |
| 79 | +However, we are open to suggestions on how to improve it |
| 80 | +over at [astropy-tools GitHub Issue 178](https://github.com/astropy/astropy-tools/issues/178). |
| 81 | + |
| 82 | +### Manual request |
| 83 | + |
| 84 | +If for some reason there was an oversight in the process or a special |
| 85 | +situation that is not covered, people could request access |
| 86 | +(for themselves or others) using the |
| 87 | +[Astropy Github Organisation Administration](https://github.com/astropy/astropy-project/issues/new?assignees=&labels=github-admin&projects=&template=github-admin.yaml) |
| 88 | +issue template. Please clearly state the reason for the request. |
| 89 | +Once the issue is opened, one of the Coordination Committee members |
| 90 | +would handle it as appropriate. |
| 91 | + |
| 92 | +## Removing access |
| 93 | + |
| 94 | +As people switch roles or leave the project completely, GitHub access |
| 95 | +would be adjusted accordingly. For example, if a maintainer is no |
| 96 | +longer active and is not responsive to developer surveys, |
| 97 | +the Coordination Committee has the right to remove this person |
| 98 | +from a named role and thus the associated GitHub permission(s). |
| 99 | +This also applies to Coordination Commitee members that rotated off. |
| 100 | + |
| 101 | +Anyone that abuses their given priviledge will also have it removed. |
| 102 | +Please report any abuse to the Coordination Committee or the Ombudsperson, |
| 103 | +as you see fit. |
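Review bot: The temporary grants described at file lines 6-9 and 17-18 have no stated expiry and no named party responsible for revoking them, so a "temporary" admin or write collaborator entry can persist indefinitely. Consider stating a maximum duration and that the granter removes the collaborator entry once the task is done, with the grant and its removal recorded in a github-admin issue like the one linked at line 87. In the same vein, "Removing access" (lines 94-99) covers GitHub permissions only, while lines 59-60 also give Coordination Committee members the project credentials or the shared password manager; it would help to say that this access is withdrawn, and shared credentials rotated, when a member rotates off. Line 64 requires permission from the rest of the Committee before owner access is used but does not say where that permission is recorded. Smaller points: "priviledge" (lines 40 and 101) should be "privilege", "Commitee" (line 99) should be "Committee", "a the beginning" (line 72) should be "at the beginning", "Github" (lines 17 and 87) should be "GitHub", and "Such permissions must be done temporarily" (lines 8-9) would read better as "Such permissions must be granted temporarily".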