Skip to content

allow team leaders to edit their teams#1758

Draft
marcoieni wants to merge 4 commits intomainfrom
codeowners-leads-teams
Draft

allow team leaders to edit their teams#1758
marcoieni wants to merge 4 commits intomainfrom
codeowners-leads-teams

Conversation

@marcoieni
Copy link
Member

@marcoieni marcoieni commented Apr 1, 2025
edited
Loading

We want to give team leaders permission to approve PRs in this repository, so that they can unblock their teams.

The question is: how much permission can we give them? If you look at the CODEOWNERS file, you can see that anyone with write access can approve PRs in the /people /repos and /teams directories.
But what if an attacker compromises a team-lead's account? They could then approve their own PRs
to remove branch protection rules, kick out team members, or archive all rust-lang repositories.

To prevent this, we want to limit the permissions of team-leads to only the directories they own,
i.e. their /teams and the /repos owned by their teams.

With this PR, I start by giving team-leads write access to their own /teams directory.

Con of this approach: team-repo-admins and mods will be notified about every change in the people, teams and repos directory.

  • If this is approved, merge the leads = "write" before this PR, so that team leads have write access

marcoieni
marcoieni commented Apr 1, 2025
View reviewed changes
.github/CODEOWNERS Outdated
people/**/*.toml @rust-lang/team-repo-admins @rust-lang/mods @Mark-Simulacrum @pietroalbini @jdno @marcoieni
repos/**/*.toml @rust-lang/team-repo-admins @rust-lang/mods @Mark-Simulacrum @pietroalbini @jdno @marcoieni
# Useful for teams without leaders.
teams/**/*.toml @rust-lang/team-repo-admins @rust-lang/mods @Mark-Simulacrum @pietroalbini @jdno @marcoieni
Copy link
Member Author

@marcoieni marcoieni Apr 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unfortunately with this approach we need to add specific owners in these generic directories, otherwise the team-leads will have the same permissions of team-repo-admins and mods, i.e. they could approve PRs on all these toml files

@github-actions
Copy link

github-actions bot commented Apr 1, 2025
edited
Loading

Dry-run check results 

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing github
[INFO  sync_team] 💻 Repo Diffs:
    📝 Editing repo 'rust-lang/team':
      Permission Changes:
        Giving team 'leads' write permission

@marcoieni marcoieni mentioned this pull request Apr 2, 2025
Open
@jieyouxu jieyouxu added the S-blocked Status: blocked label Aug 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mark-Simulacrum Mark-Simulacrum Awaiting requested review from Mark-Simulacrum Mark-Simulacrum will be requested when the pull request is marked ready for review Mark-Simulacrum is a code owner

@emilyalbini emilyalbini Awaiting requested review from emilyalbini emilyalbini will be requested when the pull request is marked ready for review emilyalbini is a code owner

@jdno jdno Awaiting requested review from jdno jdno will be requested when the pull request is marked ready for review jdno is a code owner

@ubiratansoares ubiratansoares Awaiting requested review from ubiratansoares ubiratansoares will be requested when the pull request is marked ready for review ubiratansoares is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

S-blocked Status: blocked

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@marcoieni @jieyouxu