
Add documentation for GitHub organization and teams layout #27

@Hayden-IO


During the updates to governance, one area we identified to improve was describing the layout of the GitHub organization and how to implement the various roles in the SLSA community. Below is my proposal, which I'd like to add to a dedicated doc in this repo. We opted to not include this in the governance doc to give us the flexibility to revise.

  • GitHub team defined for the Steering Committee, e.g. slsa-sc-members. This team is given "admin" permissions over the organization and all of its repositories.
  • Each Workstream defines a team for Maintainers, e.g. slsa-build-track-spec-maintainers, slsa-build-tooling-maintainers. Each team is given a "maintain" permission for the repository.
  • For a repository with multiple Workstreams, a CODEOWNERS file should include a line for each folder or file mapped to a Workstream team. The repository settings should require CODEOWNERS approval before merge.
  • A Workstream may define a GitHub team for code reviewers, e.g. slsa-build-tooling-reviewers. This team must contain only Contributors who have demonstrated knowledge of the codebase. This team is given "write" permission for a repository. The motivation with this role is an intermediate step up to eventual maintainership.
  • The Steering Committee will create branch protection rules per repository for the "main" branch to prevent direct pushes. Additionally, the rules must mandate that only teams with "maintain" permissions can merge changes with "push restrictions" and "dismiss restrictions". This means that those with "write" can only review and approve changes, but those with "maintain" can merge as well.
  • For all teams except the Steering Committee team, members added to the team should be a "member", not an "owner". "owners" can change who is in a team. Only the Steering Committee should be able to assign team memberships.
  • Team memberships should be updated as Maintainers and Steering Committee members resign or are added.
  • All team membership updates should be transparently recorded on GitHub issues. Long-term, automation like Pulumi may be used.
  • The organization should only contain memberships for Contributors, Maintainers and Steering Committee members, and only if those members are in GitHub teams.

Ref: slsa-framework/slsa#1102
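As an added example (not the SLSA project's own tooling), the following check audits a snapshot of an organization's teams, repository permissions, "main" push restrictions and membership against the rules in the proposal above; the snapshot format and every team and user name in it are constructed here for illustration.

```python
"""Audit a snapshot of a GitHub organisation against the team layout proposed
above.  Added example, not SLSA project code: the snapshot shape and all
team/user names are constructed here (it is not the GitHub API's shape)."""

SC_TEAM = "slsa-sc-members"
# Repository permission each kind of Workstream team must hold (per the proposal).
EXPECTED_PERMISSION = {"maintainers": "maintain", "reviewers": "write"}

# Constructed snapshot: one repository shared by two Workstreams.
SNAPSHOT = {
    "teams": {
        SC_TEAM: {"permission": "admin", "members": {"alice": "owner"}},
        "slsa-build-track-spec-maintainers": {
            "permission": "maintain", "members": {"bob": "member"}},
        "slsa-build-tooling-maintainers": {          # two deliberate violations
            "permission": "write", "members": {"carol": "owner"}},
        "slsa-build-tooling-reviewers": {
            "permission": "write", "members": {"dave": "member"}},
    },
    # Teams allowed past the "main" push restriction (i.e. allowed to merge).
    "main_push_restriction_teams": ["slsa-build-track-spec-maintainers",
                                    "slsa-build-tooling-reviewers"],
    "org_members": ["alice", "bob", "carol", "dave", "eve"],  # eve: no team
}


def audit(snap):
    """Return human-readable violations; an empty list means the layout complies."""
    problems, teams, in_a_team = [], snap["teams"], set()
    for name, team in teams.items():
        in_a_team.update(team["members"])
        if name == SC_TEAM:  # the SC team is admin and may manage memberships
            if team["permission"] != "admin":
                problems.append(f"{name}: Steering Committee team must be admin")
            continue
        want = EXPECTED_PERMISSION.get(name.rsplit("-", 1)[-1], "maintain")
        if team["permission"] != want:
            problems.append(f"{name}: has {team['permission']}, expected {want}")
        for user, role in team["members"].items():
            if role != "member":  # only the SC should assign team memberships
                problems.append(f"{name}: {user} is team {role}, must be member")
    for t in snap["main_push_restriction_teams"]:  # only "maintain" teams may merge
        if teams.get(t, {}).get("permission") != "maintain":
            problems.append(f"main: {t} can merge but lacks maintain permission")
    for user in snap["org_members"]:
        if user not in in_a_team:
            problems.append(f"org: {user} is an org member but in no team")
    return problems
```

Running `audit(SNAPSHOT)` on the constructed snapshot reports the two problems with the tooling maintainers team, the reviewer team that can merge without "maintain", and the org member who is in no team.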
