mirror of
https://github.com/theupdateframework/python-tuf
synced 2026-05-24 10:08:28 +00:00
Bumps the action-dependencies group with 3 updates in the / directory: [actions/upload-artifact](https://github.com/actions/upload-artifact), [actions/github-script](https://github.com/actions/github-script) and [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish).

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)

Updates `actions/github-script` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](ed597411d8...3a2844b7e9)

Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](ed0c53931b...cef221092e)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: action-dependencies
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: action-dependencies
- dependency-name: pypa/gh-action-pypi-publish
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
56 lines
2.7 KiB
YAML
name: Maintainer review reminder

on:
  schedule:
    - cron: '10 10 10 2 *'
  workflow_dispatch:

permissions: {}

jobs:
  file-reminder-issue:
    name: File issue to review maintainer permissions
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: "Yearly maintainer permissions review",
              body: `
            This is a checklist for evaluating python-tuf maintainer accounts and permissions. This issue is automatically opened once a year.

            ### Tasks

            1. Update this list to include any new services
            2. Evaluate the accounts and permissions for each service on the list. Some rules of thumb:
               * Critical services should have a minimum of 3 _active_ maintainers/admins to prevent project lockout
               * Each additional maintainer/admin increases the risk of project compromise: for this reason permissions should be removed if they are no longer used
               * For services that are not frequently used, each maintainer/admin should check that they really are still able to authenticate to the service and confirm this in the comments
            3. Update MAINTAINERS.txt to reflect current permissions
            4. (Bonus) Update significant contributors in README.md#acknowledgements

            ### Critical services

            * [ ] **PyPI**: maintainer list is visible to everyone at https://pypi.org/project/tuf/
              * Only enough maintainers and org admins to prevent locking the project out
            * [ ] **GitHub**: release environment reviewers listed in https://github.com/theupdateframework/python-tuf/settings/environments
              * Maintainers who can approve releases to PyPI
            * [ ] **GitHub**: permissions visible to admins at https://github.com/theupdateframework/python-tuf/settings/access
              * "admin" permission: Only for maintainers and org admins who do project administration
              * "push/maintain" permission: Maintainers who actively approve and merge PRs (+admins)
              * "triage" permission: All contributors trusted to manage issues

            ### Other

            * [ ] **ReadTheDocs**: admin list is visible to everyone at https://readthedocs.org/projects/theupdateframework/
            * [ ] **Coveralls**: everyone with github "admin" permissions is a Coveralls admin: https://coveralls.io/github/theupdateframework/python-tuf
            `
            })
            console.log("New issue created.")
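The workflow above shows the two hardening habits this dependabot bump relies on: the action is pinned to a full commit SHA with the human-readable version in a trailing comment (which is what lets dependabot bump it safely), and the token scope starts from `permissions: {}` at the top level, with `issues: write` granted only to the one job that needs it. The checker below is an added example written for this page, not part of python-tuf or of any GitHub tooling; it lints workflow text for exactly those properties. Both workflow samples are constructed: the first is modelled on the file shown above, the second is a deliberately weak counter-example using a mutable `v4` tag and `write-all`.

```python
import re

# Constructed sample, modelled on the python-tuf workflow shown on this page:
# SHA-pinned action with a version comment, empty top-level permissions,
# and a narrow per-job grant.
PINNED_WORKFLOW = """\
name: Maintainer review reminder
on:
  workflow_dispatch:
permissions: {}
jobs:
  file-reminder-issue:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
"""

# Constructed counter-example: a mutable tag that an upstream maintainer (or an
# attacker holding their credentials) can repoint, no top-level permissions
# block, and a job that asks for every token scope at once.
FLOATING_WORKFLOW = """\
name: Bad example
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-action
"""

# `uses:` may appear as a list item ("- uses:") or a plain key; capture the
# ref and an optional "# vX.Y.Z" comment after it.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?")
# A git commit SHA is 40 lowercase hex characters; anything else (tag, branch)
# is mutable and can change content without the workflow file changing.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Only a column-0 key is the workflow-level permissions block.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(?P<value>.*?)\s*$")
JOB_WRITE_ALL_RE = re.compile(r"^\s+permissions:\s*write-all\s*$")


def check_workflow(text: str) -> list[str]:
    """Return a list of findings; an empty list means the workflow passes."""
    findings: list[str] = []
    saw_top_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            if ref.startswith("./"):
                continue  # local action in this repo; nothing external to pin
            action, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append(
                    f"line {lineno}: {action} uses mutable ref "
                    f"'{version or '<none>'}' instead of a full commit SHA"
                )
            elif not m.group("comment"):
                findings.append(
                    f"line {lineno}: {action} is SHA-pinned but has no version "
                    "comment, so reviewers and update bots cannot tell which release it is"
                )
            continue
        m = TOP_PERMISSIONS_RE.match(line)
        if m:
            saw_top_permissions = True
            if m.group("value") == "write-all":
                findings.append(f"line {lineno}: top-level permissions grant write-all")
            continue
        if JOB_WRITE_ALL_RE.match(line):
            findings.append(f"line {lineno}: job grants write-all instead of the scopes it needs")
    if not saw_top_permissions:
        findings.append(
            "no top-level 'permissions:' key; jobs inherit the repository default token scope"
        )
    return findings


if __name__ == "__main__":
    for label, wf in (("pinned", PINNED_WORKFLOW), ("floating", FLOATING_WORKFLOW)):
        print(f"{label}: {check_workflow(wf) or 'OK'}")
```

Running it reports nothing for the pinned sample and three findings for the floating one (the `v4` tag, the job-level `write-all`, and the missing top-level `permissions:`). Running a check like this in CI before merging a dependabot bump also catches the case where a bump accidentally replaces a SHA with a tag.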