Default GitHub team members to member role, not maintainer#80
Merged
Conversation
Replace all Secrets Manager usage with SSM Parameter Store SecureString
to eliminate per-secret monthly costs ($0.40/secret/month).
- service-secret module: aws_secretsmanager_secret → aws_ssm_parameter
at /{project}/apps/{service}/{name}
- service-rds module: remove manage_master_user_password, use
random_password + SSM parameter at /{project}/apps/{name}/db-master-password
- ECS execution role: secretsmanager:GetSecretValue → ssm:GetParameters
scoped to parameter/{project}/apps/*
- Identity Center: secretsmanager:Describe/List → ssm:DescribeParameters/GetParametersByPath
- registry.py: update output_map and exports for new resource types
- All docs updated to reflect SSM-only secret storage
Team members now get role from their YAML entry (default: "member"). Only members with role: maintainer can manage the team on GitHub (add/remove repos and members). Previously all members were maintainers.
Terraform Plan🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy. Plan outputLLM ReviewRisk: 🟢 LOW Routine Lambda function code update for team_provisioner with source code hash change.
|
4 tasks
Alexanderamiri
added a commit
that referenced
this pull request
Mar 17, 2026
## Summary
Root cause fix for the CODEOWNER self-merge regression.
The provisioner was calling `PUT /teams/{slug}/memberships/{user}` on
every run for every member, even when the role was already correct. This
re-added members via the API, changing their membership state from
"org-owner implicit" to "explicit API-added", which caused GitHub to
block self-merge on CODEOWNER-required PRs.
Now fetches current member roles first and only calls PUT when a role
change is actually needed.
## What happened
1. PR #80 changed provisioner to default `role: member`
2. Registry #16 merged → provisioner ran for first time with new code
3. Provisioner called `PUT memberships/alexanderamiri {"role":
"maintainer"}` — role was already maintainer, but the API call changed
the membership source
4. GitHub stopped allowing self-merge on CODEOWNER PRs
## Also reverted
Removed the org-admin bypass actor from the ruleset (was a band-aid, not
the fix).
## Test plan
- [ ] Merge this PR (should be self-mergeable — provisioner hasn't run
again)
- [ ] Trigger provisioner via registry merge
- [ ] Verify team membership unchanged (check GitHub API)
- [ ] Create a test PR → verify self-merge still works
Alexanderamiri
added a commit
that referenced
this pull request
May 9, 2026
## Summary
- Team members now get `role` from their YAML entry (default: `member`)
- Only members with `role: maintainer` can manage the team on GitHub
(add/remove repos and members)
- Previously all members were added as maintainers, which allowed anyone
to add repos to their team (granting those repos CI access to the team's
AWS role)
```yaml
members:
- google: alice.smith
github: alicesmith
role: maintainer # can manage team
- google: bob.jones
github: bobjones # defaults to "member"
```
Companion: javaBin/registry docs/member-role-field
## Test plan
- [ ] Existing teams: next provisioner run will downgrade all members to
`member` unless they have `role: maintainer` in YAML
- [ ] Verify maintainers can still add repos
- [ ] Verify members cannot add repos
Alexanderamiri
added a commit
that referenced
this pull request
May 9, 2026
## Summary
Root cause fix for the CODEOWNER self-merge regression.
The provisioner was calling `PUT /teams/{slug}/memberships/{user}` on
every run for every member, even when the role was already correct. This
re-added members via the API, changing their membership state from
"org-owner implicit" to "explicit API-added", which caused GitHub to
block self-merge on CODEOWNER-required PRs.
Now fetches current member roles first and only calls PUT when a role
change is actually needed.
## What happened
1. PR #80 changed provisioner to default `role: member`
2. Registry #16 merged → provisioner ran for first time with new code
3. Provisioner called `PUT memberships/alexanderamiri {"role":
"maintainer"}` — role was already maintainer, but the API call changed
the membership source
4. GitHub stopped allowing self-merge on CODEOWNER PRs
## Also reverted
Removed the org-admin bypass actor from the ruleset (was a band-aid, not
the fix).
## Test plan
- [ ] Merge this PR (should be self-mergeable — provisioner hasn't run
again)
- [ ] Trigger provisioner via registry merge
- [ ] Verify team membership unchanged (check GitHub API)
- [ ] Create a test PR → verify self-merge still works
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
rolefrom their YAML entry (default:member)role: maintainercan manage the team on GitHub (add/remove repos and members)Companion: javaBin/registry docs/member-role-field
Test plan
memberunless they haverole: maintainerin YAML