concourse / governance Goto Github PK

Describe the bug

The daily terraform action disables discussion of concourse/concourse. We need to find out where and make sure it to not do that anymore.

Reproduction steps

1. enabled concourse/concourse discussion
2. wait for the terraform action runs
3. verify the discussion is disabled
   ...

Expected behavior

concourse/concourse discussion is not disabled

Additional context

refer to concourse/concourse#8715

No response

• run terraform apply
• run go test to verify the integrity of the state in GitHub

Will need to securely configure a GitHub token with effectively org admin permissions.

Though there is an obvious temptation to use Concourse for this, it's probably worth considering GitHub Actions just to keep the scope of this narrow.

Admin permissions are needed for configuring a repo's deploy keys. The governance model only grants maintain permissions, and this is a pretty common need for maintainers, so we'll need a way to do this through Terraform.

We can use the github_repository_deploy_key resource and add a deploy_keys section to the repo config listing public keys to authorize. The importer should also be updated to import these, and all existing deploy keys should be configured in the repo. This would also be a good method of auditing repo access; deploy keys should only be set up through this repo.

Because we ship Concourse directly to VMware customers, we have to set up some internal infrastructure to make sure what we ship comes from something VMware controls.

This can be done by setting up an internal mirror that we sync to every time we ship Concourse. We can then develop internal pipelines to build from this repo instead.

• Set up a repo in the internal VMware GitLab
• Configure a pipeline that pushes every tagged release from master on the Concourse repo to master in the mirror
• Figure out how to do the same for every release branch (can we just use the Mirroring feature in GitLab?)
  • commercial release docs in boarding pass now mention this
• Figure out how to ship to VMware customers (might be no change, but maybe we also need to mirror more things, or build from these sources, or ...)
  • related: concourse/concourse#6606
• Remove comment from maintainers.yml

It currently says to send reports to [email protected], which isn't great.

• add email: field to community team members (optional)
• set up an email address which forwards emails to Community team members
  • https://registry.terraform.io/providers/wgebis/mailgun/latest/docs/resources/route
• add a test so that a member of a team with a mailing list must have an email?
• update CODE_OF_CONDUCT.md with new email
  • concourse/concourse#7048

• teams map to roles in Discord
• all contributors are granted 'contributors' role

The aequasi/discord provider seems the best one (it has docs).

This will likely involve creating a Discord Application, Bot, and Team which should probably have the @concourse/infrastructure team as members (admins).

We have a Mailgun account now. wat do?

• Set up a mailing list for security team to publish notices and release info to

https://documentation.mailgun.com/en/latest/user_manual.html#mailing-lists

The Δ:

I think we can trust contributors to use these powers for good. 🙂 It'll also be nice for making the concourse/validate-labels check pass, since you can add the required labels to your own PR.

Not sure how to automate this yet!

Currently security issue reports are sent to [email protected], an address accessed exclusively by VMware team members. This email address is also used for various VMware-controlled accounts, so it's a bit of a mess. We should make this more neutral, and probably get a more trustworthy-looking address.

• set up a security team with more limited membership
• add email: field to contributors (optional)
• set up a [email protected] email which forwards emails to team members
  • https://registry.terraform.io/providers/wgebis/mailgun/latest/docs/resources/route
• add a test so that a member of a team with a mailing list must have an email?
• update SECURITY.md + docs website with new email
  • concourse/concourse#7048
  • concourse/docs#428
• document how we publish notices
  • set up downstream mailing list too, maybe in addition to github advisories? #48

• Update Project page
  • concourse/docs#422
• Update CONTRIBUTING.md
  • concourse/concourse#6972
• Update PR template
  • concourse/concourse#6972

Things to mention:

• Guidance for why/how to join as a contributor
  • to be able to re-run PR flakes
  • to be able to label your own PR (#35)
  • to be able to help with triaging issues (#35)
• Guidance for how/when to apply to join each team
  • team-specific criteria?
  • deciding against this; i don't think we necessarily need to encourage everyone to join a team, it's probably better for each team to determine its own criteria and process

Thoughts on adding a new team that can triage things under the resource-type and reusable task repositories?:

https://github.com/concourse/governance/blob/master/teams/maintainers.yml#L51-L76

Looks like there may have been initial thought that it could be beneficial given the above file comments. I'd like to help with triaging on resources/tasks but right now it's only maintainers.

• https://github.com/concourse/flight-attendant
  • can we just retire this in favor of official pagerduty integration?
    • nope; the 'daily on call announcing' feature hasn't GA'd yet
  • clean up pagerduty setup
    • move 'Concourse Customer Facing' into Concourse team, rename to 'Concourse External'
    • rename 'Concourse Hush House' to 'Concourse Internal'
    • remove 'Concourse Wings' service
    • remove 'Concourse Datadog' service
    • move Scott's escalation from Internal to External
  • fix up email/slack handle detection (old API usage)
  • reinstall app for scope change to take effect
• https://github.com/concourse/boarding-pass
  • push to gitlab project
  • painstakingly migrate all the issues
  • move the pipeline to Runway
  • bring back the lost commits
    • 14643ffc update release checklist (thanks taylor!)
    • 45c87fec update boarding pass URL (⚰️, but probably easily restored)
    • 196aa75d Merge pull request #15 from concourse/update-deploy-hh (⚰️)
• https://github.com/concourse/platform-automation-deployments
  • move pipeline from ci.concourse-ci.org to runway

There's already a test suite; just need to run it in Actions. The suite tests not only that the desired state matches the actual state, but that insidious things like outside/individual collaborators haven't been configured on any repos. The suite doesn't run yet because there's some cleanup to be done before it will pass.