Define per-repository configuration settings

[tellison]

Adoptium currently has 47 repositories for various tasks. This issue is to define the expected settings for these repositories to ensure they are secure, allow people to be productive, and are consistent to avoid surprises.

Repository settings include such items as:

• branch protection
• access control lists (alignment with Eclipse requirements), and removing temporary admin access rights
• required number of PR approvers
• constraints on forced push
• etc

First step is to define the expected settings for each type (infra, dev code, release repo, website/api, etc) of repository we handle. Second step is to bring the 47 repositories in line with these settings - which may require temporary admin access.

[sxa]

Of the current set of reqpositories, we have the following categories:

Repository sets	Repos	Current mandatory reviewers
Source mirror repos	12	n/a - No PRs (Alpine JDK8?)
Binary repos	6	n/a - No PRs
Temurin	11	4 with zero, 2 with one, 2 with two
aqavit	7	4 with zero, 1 with one?, 2 with two?
adoptium	7	All zero, question over blog and dash
mission control	1	TBC
incubator	2	TBC

Spreadsheet (restricted access) currently at https://docs.google.com/spreadsheets/d/10PfKCBpnvx6RUQMhZfzK4EpBUMP5rPBnlUJ3SwidVLM/edit#gid=0

[tellison]

@sxa Thanks for gathering the info. Please can you set up a call with interested folks to discuss and action this now?

[sxa]

Action items from today's call (Attendees: @sxa @tellison @gdams @smlambert @andrew-m-leonard @karianna)

• @gdams to look at implications of implementing PR approvals on repositories which use bots/auto-mergess
• @sxa to look at defining a template that can be used for all new repositories generated for the project
• Project leads tor Incubators and Mission Control will be consulted regarding the options they wish to have on their repositories
• DONE: ENABLED Follow-up on 2FA for the org, after ensuring the bots are safe.
• Request for changes to the repository settings will be deferred until the July release is considered safe.

NOTE: The website-v2 repository is not controlled via the normal eclipse processes and is independent of the other repositories.

[sxa]

Summary of desired respository settings:

Project	Repository	Required reviewers
Adoptium	All	1
n/a	website-v2	1
aqavit	TKG, aqa-tests	2
aqavit	All others	1
temurin	jdkXX, temurinXX-binaries, marketplace-data, build-jdk	1
temurin	temurin-build, ci-jenkins-pipelines, github-release-sciprts, jenkins-helper, mirror-scripts, installer, containers, infrastructure	2
mission control	-	TBC
incubator	-	TBC

In terms of other settings, this is what we agreed we wanted across all adoptium, aqavit and temurin projects

Setting	Yes/No
DIsmiss review state on new pushes	No
Require review from code owners	No
Require status checks to pass	ECA requirement
Require rebase first	No
Require conversation resolution	No
Require linear history (No merges)	Yes
Allow force pushes	No (Engage eclipse if required for security)
Automatically delete head branches	Yes?
Allow merge commits	No
Allow squash merging	Yes
Default to PR title for squash commits	No
Allow rebase merging	Yes
Always suggest updating PR branches	Yes
Allow auto-merge	Yes

[jiekang]

@sxa will website-v2 be made "part of" EF like the other repositories?

[sxa]

@sxa will website-v2 be made "part of" EF like the other repositories?

There are currently no plans to change it so for now it will remain unique.

[sxa]

Request for change to reviewer numbers: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/1900

[sxa]

Noting that the configuration settings are now controlled using Otterdog with the configuration in https://github.com/adoptium/.eclipsefdn/blob/main/otterdog/adoptium.jsonnet