GitHub Access & Team Structure
All openedx GitHub repository access is managed through GitHub Teams. Do not grant any repository access directly to users. This system helps us audit and understand the access that we grant, both to contributors and to our own tools.
We also use GitHub Teams for other purposes: granting access to GitHub Projects (aka boards), mentioning groups of people, assigning maintainers in Backstage, and assigning watchers in GitHub Code Owners.
Axim needs to keep the team and access structure consistent for the safety of the project, for fairness to contributors, and for our own sanity.
Who can access what
| | Core Contributors (Applies to all roles, unless indicated otherwise) | 2U & Direct Contractors | Other Contributors |
---|---|---|---|---|
ORGANIZATION | Owner | Grant these only to Axim Engineering employees following an affirmative CC vote for the Coding Contributor role plus org owner rights. | Only Axim Engineering employees may have administrative rights.
| |
Member | CCs generally are already organization members. If they are not, they should be added during CC onboarding. | 2U engineers should be added to the organization as part of their onboarding. | Grant to those who want to participate in issues/projects because they’re actively contributing to some part of Open edX. Be liberal with this access--we have unlimited seats in the organization. We do an annual audit to remove inactive contributors from the organization.
| |
REPOSITORY | Triage | To unblock project & issue participation, the openedx-triage team grants triage access to every repository, to everyone in the organization. | ||
Write to “issues-only” repos | Following a positive CC onboarding, all of these should be granted to all Coding CCs via the committers team so that they can (a) edit issues other than their own and (b) manage repository milestones. Non-Coding CCs cannot be granted write access to any repository as coding CCs sign a different CC agreement that specifically covers contributions made in commits in git. Individuals seeking write access to non-code repos, such as docs repos and issue-only repos, still need to join the program as a Coding CC. | 2U engineers have legacy write access to a variety of repositories, granted via 2u-* teams. To gain new write access, 2U engineers must follow the expansion of responsibilities process, borrowed from the CC program. The rationale and details for this are explained here: Granting write access to repos in the openedx org
| These folks are not covered under any CLA, so they cannot commit to the project, code or otherwise. | |
Write to all other repos | Following a positive CC onboarding or CC rights expansion vote for the particular repo in question, these can be granted to Coding CCs only via:
The sum of a CC’s write access grants should match this page: Core Contributors to the Open edX Project. If this page doesn’t match reality, then the source of truth is to be found in the result of the votes on the forums--you might have to do some digging. Non-Coding CCs cannot be granted write access to any repository (see above). | |||
Maintain | This grants the ability to modify branch protection rules, so only Axim Engineers who are Coding CCs may be granted it. | |||
Admin | This grants the ability to modify branch protection rules and manage team/user access, so only Axim Engineers who are Coding CCs may be granted it. | |||
PROJECT (aka BOARDS) | Write | Not formally managed. Can be granted by project admins at their discretion. | Not formally managed. Can be granted by project admins at their discretion. Also requires being a member of the organization (see above). | |
Admin | Not formally managed. Can be granted at Axim’s discretion. | If someone is running a project, they should probably be a Core Contributor. Raise to Axim Engineering if this becomes an issue. |
Team names and types
Use only lowercase letters, numbers, and hyphens to name teams. No uppercase, no spaces, no special chars.
Choose team names that get more specific as you read them from left to right. For example: 2u-enterprise-quokkas follows the pattern COMPANY-TEAM-SUBTEAM.
Teams are organized by prefix:
Prefix | Who | Access | Examples (these don’t all exist… yet) |
---|---|---|---|
openedx- | Teams related to managing the Open edX project itself. | Varies depending on need. Sometimes write, sometimes maintain, sometimes admin. Follows the principle of least privilege. The openedx-triage team is a special team that grants triage on everything, so no other team should ever need to grant triage or read. | openedx-triage openedx-release-managers (Grants maintain access to all community release repos.) openedx-product |
bot- | Bot accounts that need access to repositories. Generally one bot per team, although bots could be grouped together if it makes sense. | Ideally, the lowest level of access (write/maintain/admin) that the bot needs in order to function, granted on the smallest number of repositories possible. | bot-requirements bot-semantic-release cla-checker (needs renaming) |
committers- | A subset of Coding Core Contributors, organized around an area of expertise or contribution topic. | Grants write access to a single repo or a set of related repos. | committers (All Coding CCs. Grants write to open-edx-proposals + all issues-only repos.) Broad group examples:
More-specific examples:
Single repo examples:
|
ccp-committer-USERNAME | Temporary: A team containing a single Coding Core Contributor through which their access was granted. We are moving away from these and towards committers- teams. | Grants write access to a set of repos. | ccp-committer-agrendalath ccp-committer-regisb |
2u- | Teams or sub-teams at 2U. | Just write on the specific repositories that the team works on. | 2u-edx-legacy (Formerly push-pull-all. Grants write access to ~100 repos to all 2U/edX employees.) 2u-teaching-and-learning 2u-teaching-and-learning-oncall 2u-cosmonauts 2u-enterprise 2u-enterprise-quokkas |
COMPANY- | Firms/companies/orgs or teams within them. | None | axim-engineering axim-engineering-oncall opencraft opencraft-bebop |
wg-NAME- | Teams related to the working group <GROUPNAME>. | None | wg-build-test-release wg-build-test-release-chair |
wg-maintenance-NAME | Teams responsible for maintaining a repo (or set of repos) | None | wg-maintenance-paragon |
interest- | Teams in the community that are centered around a shared project, interest, activity, background, etc. | None | interest-performance |
< anything that doesn’t fit the pattern above > | This is a legacy team that will be deleted or renamed by Axim in the near future. | Varies |
|
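One way to check an export of teams and their repository grants against the naming rule and the prefix table above. This is an added example, not Axim's or the openedx project's own tooling; the input shape, the finding labels, the repo names and the COMPANIES list are assumptions, and the sample data is constructed.

```python
import re

NAME_RE = re.compile(r"[a-z0-9-]+")  # lowercase letters, numbers, hyphens only
# Levels each prefix may grant, per the prefix table; empty set = no repo access.
WRITE, ELEVATED = {"write"}, {"write", "maintain", "admin"}
PREFIX_RULES = [("openedx-", ELEVATED), ("bot-", ELEVATED), ("committers-", WRITE),
                ("ccp-committer-", WRITE), ("2u-", WRITE), ("wg-", set()),
                ("interest-", set())]
COMPANIES = ("axim", "opencraft")  # assumption: COMPANY- names are auditor-supplied

def allowed_levels(name):
    """Return the levels a team may grant, or None for a legacy (unmatched) name."""
    if name == "openedx-triage":  # the only team that should grant triage
        return {"triage"}
    if name == "committers":  # all Coding CCs
        return WRITE
    for prefix, levels in PREFIX_RULES:
        if name.startswith(prefix):
            return levels
    if any(name == c or name.startswith(c + "-") for c in COMPANIES):
        return set()
    return None

def audit(teams, direct_grants=()):
    """teams: {team: {repo: level}}; direct_grants: [(user, repo, level)]."""
    findings = []
    for name, grants in sorted(teams.items()):
        if not NAME_RE.fullmatch(name):
            findings.append((name, "bad-name"))
        levels = allowed_levels(name)
        if levels is None:
            findings.append((name, "legacy-prefix"))
            continue
        findings += [(name, f"unexpected-{lvl}:{repo}")
                     for repo, lvl in sorted(grants.items()) if lvl not in levels]
    # Access must come through teams, so every direct user grant is a finding.
    findings += [(u, f"direct-grant-{lvl}:{repo}") for u, repo, lvl in direct_grants]
    return findings

# Constructed sample data: repo names and grants are illustrative only.
SAMPLE_TEAMS = {
    "openedx-triage": {"repo-a": "triage"},
    "wg-maintenance-paragon": {"repo-a": "maintain"},
    "2u-enterprise-quokkas": {"repo-b": "triage"},
    "Push Pull All": {"repo-a": "write"},
}
SAMPLE_DIRECT = [("example-user", "repo-a", "write")]
if __name__ == "__main__":
    print(*audit(SAMPLE_TEAMS, SAMPLE_DIRECT), sep="\n")
```

Teams reported as legacy-prefix are not checked further, since the table gives them no fixed access level.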