REQUEST: Repository maintenance on Collector repositories #1826

Closed
evan-bradley opened this issue Dec 1, 2023 · 17 comments
Labels
area/repo-maintenance Maintenance of repos in the open-telemetry org

Comments

@evan-bradley
Contributor

Affected Repository

At a minimum, I have verified these two repositories need modifications:
https://github.com/open-telemetry/opentelemetry-collector-contrib
https://github.com/open-telemetry/opentelemetry-collector-releases

I have confirmed that non-Collector repositories may be impacted by this as well.

Requested changes

Please add the OpenTelemetry organization member group as collaborators to these repositories with "read" permissions.

I believe the group was previously included as a collaborator but that this access was removed somehow, as the behavior I expect has changed recently.

Purpose

I am currently unable to assign issues to non-participants or request reviews from OpenTelemetry organization members. We also depend on automations that leverage GitHub's APIs to perform these actions.

Expected Duration

Permanently.

Repository Maintainers

@open-telemetry/collector-contrib-maintainer

@evan-bradley evan-bradley added the area/repo-maintenance Maintenance of repos in the open-telemetry org label Dec 1, 2023
@trask
Member

trask commented Dec 1, 2023

hi @evan-bradley! I don't believe there's a team that includes all OpenTelemetry org members. I think other repos are using a @open-telemetry/*-triagers group for this purpose, e.g. @open-telemetry/java-contrib-triagers. Would something like that work for your needs? thx

@evan-bradley
Contributor Author

Thanks for the quick reply @trask. The Collector repos have triager teams to allow members of those teams to edit assignees/reviewers in the repos, but the issue we're seeing is that OTel org members are no longer considered to be eligible to be assigned issues or have reviews requested of them.

Here's the error message our "request review from code owners on a PR" GitHub Action receives after requesting a review from someone who is an OTel org member but is not assigned to a team in the Collector contrib repo:

> Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the open-telemetry/opentelemetry-collector-contrib repository.

This appears to have started happening sometime in October.

I suspect that setting a "base role" for repositories in the OpenTelemetry organization may be the solution here: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization

This would affect all OTel repos, but I know that non-Collector repos are also seeing this issue and would like this functionality.

@trask
Member

trask commented Dec 1, 2023

> This appears to have started happening sometime in October.

interesting... #1715 (comment)

cc @open-telemetry/technical-committee

@tigrannajaryan
Member

> > This appears to have started happening sometime in October.
>
> interesting... #1715 (comment)
>
> cc @open-telemetry/technical-committee

We may be forced to keep it this way to keep security reports confidential.

@TylerHelmuth
Member

Chiming in to say this is really annoying. I want to assign some open-telemetry org members to a PR but can't.

Do other CNCF organizations have this problem/restriction?

@trask
Member

trask commented Dec 12, 2023

> Chiming in to say this is really annoying. I want to assign some open-telemetry org members to a PR but can't.

looks like @open-telemetry/technical-committee is going to discuss options this week (#1715 (comment))

@TylerHelmuth
Member

Did this end up getting discussed? Not being able to assign OpenTelemetry Org members to Collector Contrib PRs breaks our automation and if we don't have a resolution in sight we'll need to update our automation to go back to pinging code owners.

@trask
Member

trask commented Dec 21, 2023

@open-telemetry/technical-committee @cartersocha can we revert #1715 for now until we figure out a path forward?

@bogdandrutu
Member

bogdandrutu commented Dec 21, 2023

Is this caused by?
[Image: Screenshot 2023-12-21 at 10 29 43 AM]

@cartersocha
Contributor

We're good to revert the default / base permissions to "read" but I think someone from the TC will need to create the separate org and repo for storing the incident data then give me access to port over the Grafana tracking

@jack-berg
Member

> Did this end up getting discussed?

Yes, but there wasn't a resolution. See this related blurb in the maintainers meeting notes:

> Default GitHub privileges problem: the way security reporting is handled created technical difficulties (e.g., for assigning CODEOWNERs). We discussed a couple of high-level solutions, and concluded that a little more research should be done. Likely our best solution is to create a separate GitHub owned by CNCF to receive and organize security reports.

@arminru
Member

arminru commented Jan 15, 2024

We're currently trying out an alternative to the setting introduced in #1715, and if it all works out well, we should be able to revert the setting in https://github.com/open-telemetry this week to resolve the issue reported here.

@arminru
Member

arminru commented Jan 17, 2024

Our alternative approach worked out.
I enabled "Read" as the base permission on https://github.com/open-telemetry, so your workflows (both automated and manual) for assigning issues/PRs and requesting reviews should work again.

@evan-bradley please let me know if it works as expected.

@tigrannajaryan
Member

@arminru did we create a different GitHub org for private repos, or did you find some other way to make this work?

@arminru
Member

arminru commented Jan 17, 2024

It's in a separate org (also owned by the CNCF and under the enterprise account) now and all repos in https://github.com/open-telemetry/ are public anyway so having "Read" as base permissions there is fine.

@TylerHelmuth
Member

I saw the automations in contrib working today as expected

@evan-bradley
Contributor Author

I've tested it as well and this resolved the issue. Thank you!
