Manage jenkinsci GitHub permissions as code

Goal: Automating the management of GitHub permissions for the jenkinsci organization

Status: Selected

Team

Details

Abstract

To manage Artifactory permissions, distinguish between Jira and GitHub issues, and activate automatic releases, the jenkinsci organization uses a tool called the repository permission updater (RPU).

Despite the name containing "repository permission", the RPU can’t update or manage repository permission at all. Currently, all team modifications are done manually by the hosting team.

The RPU is a critical component in the jenkinsci infrastructure and is used daily to onboard new plugins and update release permission.

Rationale

The project aims to build on top of the existing RPU logic and manage GitHub teams and individual users (for legacy reasons, we strive to use teams only), defined as a list in the pre-existing YAML file, which every repository within the jenkinsci GitHub organization has.

Every YAML file within the RPU is expected to have a team defined with a list of users, where the RPU updates the team membership to match the list of users defined in the YAML file for the corresponding repository in the jenkinsci organization.

Initially, we need to copy all teams and users added to every repository of the jenkinsci GitHub organization and add them to the permission files in the RPU.

Hosting new plugins adds an entry automatically to the new YAML file.

Implementation

The project will be implemented in Java and Groovy, using the GitHub API to manage teams and users. The project will be built using Maven and integrated into the existing RPU project. The project will be tested using unit tests and integration tests, and it will be thoroughly documented to ensure that future contributors can easily understand the codebase.

Office hours

  • (General) Official weekly Jenkins office hours: Thursdays 13:00 UTC

  • (Project-based) Weekly project based office hours after Bonding Period: Wednesdays 13:00 UTC

Links