GitHub Access & Team Structure

All openedx GitHub repository access is managed through GitHub Teams. Do not grant any repoistory access directly to users. This system helps us audit and understand the access that we grant, both to contributors and to our own tools.

We also use GitHub Teams for other purposes: granting access to GitHub Projects (aka boards), mentioning groups of people, assigning maintainers in Backstage, and assigning watchers in GitHub Code Owners.

Axim needs to keep the team and access structure consistent for the safety of the project, for fairness to contributors, and for our own sanity.

 

Who can access what

 

 

Core Contributors (Applies to all roles, unless indicated otherwise)

2U & Direct Contractors

Other Contributors

 

 

Core Contributors (Applies to all roles, unless indicated otherwise)

2U & Direct Contractors

Other Contributors

 

 

 

ORGANIZATION

Owner

Grant these only to Axim Engineering employees following an affirmative CC vote for the Coding Contributor role plus org owner rights.

Only Axim Engineering employees may have administrative rights.

 

Member

CCs generally are already organization members. If they are not, they should be added during CC onboarding.

2U engineers should be added to the organization as part of their onboarding.

Grant to those who want to participate in issues/projects because they’re actively contributing to some part of Open edX. Be liberal with this access--we have unlimited seats in the organization. We do an annual audit to remove inactive contributors from the organization.

 

 

 

 

REPOSITORY

Triage

To unblock project & issue participation, the openedx-triage team grants triage access to every repository, to everyone in the organization.

Write to “issues-only” repos

Following a positive CC onboarding , all of these these should be granted to all Coding CCs via the committers team so that they can (a) edit issues other than their own and (b) manage repository milestones.

Non-Coding CCs can not be granted write access to any repository as coding CCs sign a different CC agreement that specifically covers contributions made in commits in git. Individuals seeking write access to non-code repos, such as docs repos and issue-only repos, still need to join the program as a Coding CC.

2U engineers have legacy write access to a variety of repositories, granted via 2u-* teams. To gain new write access, 2U engineers must follow the expansion of responsibilities process, borrowed from the CC program. The rationale and details for this are explained here:

 

These folks are not covered under any CLA, so they cannot commit to the project, code or otherwise.

Write to all other repos

Following a positive CC onboarding or CC rights expansion vote for the particular repo in question, these can be granted to Coding CCs only via:

  • one or more committers-$TOPIC teams (PREFERRED) or

  • the Coding CC’s own ccp-committer-$USERNAME team.

The sum of a CC’s write access grants should match this page: . If this page doesn’t match reality, then the source of truth is to be found in the result of the votes on the forums--you might have to do some digging.

Non-Coding CCs can not be granted write access to any repository (see above).

Maintain

This grants the ability to modify branch protection rules, so only Axim Engineers who are Coding CCs may be granted it.

Admin

This grants the ability to modify branch protection rules and manage team/user access, so only Axim Engineers who are Coding CCs may be granted it.

 

PROJECT (aka BOARDS)

Write

Not formally managed. Can be granted by project admins at their discretion.

Not formally managed. Can be granted by project admins at their discretion. Also requires being a member of the organization (see above).

Admin

Not formally managed. Can be granted at Axim’s discretion.

If someone is running a project, they should probably be a Core Contributor. Raise to Axim Engineering if this becomes an issue.

Team names and types

Use only lowercase letters, numbers, and hyphens to name teams. No uppercase, no spaces, no special chars.

Choose team names that get more specific as you read them from left to right. For example: 2u-enterprise-quokkas follows the pattern COMPANY-TEAM-SUBTEAM.

Teams are organized by prefix:

Prefix

Who

Access

Examples (these don’t all exist…. yet)

Prefix

Who

Access

Examples (these don’t all exist…. yet)

openedx-

Teams related to managing the Open edX project itself.

Varies depending on need. Sometimes write, sometimes maintain, sometime admin. Follows the principle of least privilege.

The openedx-triage team is special team that grants triage on everything, so no other team should ever need to grant triage or read.

openedx-triage

openedx-release-managers (Grants maintain access to all community release repos.)

openedx-product

bot-

Bot accounts that need access to repositories. Generally one bot per team, although bots could be grouped together if it makes sense.

Ideally, the lowest level of access (write/maintain/admin) that the bot needs in order to function, granted on the smallest number of repositories possible.

bot-requirements

bot-semantic-release

cla-checker (needs renaming)

committers-

A subset of Coding Core Contributors, organized around an area of expertise or contribution topic.

Grants write access to a single repo or a set of related repos.

committers (All Coding CCs. Grants write to open-edx-proposals + all issues-only repos.)

Broad group examples:

  • committers-analytics

  • committers-events

  • committers-frontend

More-specific examples:

  • committers-frontend-apps

  • committers-frontend-base

Single repo examples:

  • committers-frontend-build

  • committers-frontend-app-ora-grading

ccp-committer-USERNAME

Temporary: A team containing a single Coding Core Contributor through which their access was granted.

We are moving away from these and towards committers- teams.

Grants write access to a set of repos.

ccp-committer-agrendalath

ccp-committer-regisb

2u-

Teams or sub-teams at 2U.

Just write on the specific repositories that the team works on.

2u-edx-legacy (Formerly push-pull-all. Grants write access to ~100 repos to all 2U/edX employees.)

2u-teaching-and-learning

2u-teaching-and-learning-oncall

2u-cosmonauts

2u-enterprise

2u-enterprise-quokkas

COMPANY-

Firms/companies/orgs or teams within them.

None

axim-engineering

axim-engineering-oncall

opencraft

opencraft-bebop

wg-NAME-

Teams related to the working group <GROUPNAME>.

None

wg-build-test-release

wg-build-test-release-chair

wg-maintenance-NAME

Teams responsible for maintaining a repo (or set of repos)

None

wg-maintenance-paragon

interest-

Teams in the community that are centered around a shared project, interest, activity, background, etc.

None

interest-performance

< anything that doesn’t fit the pattern above >

This is a legacy team that will be deleted or renamed by Axim in the near future.

Varies