PROPOSAL: Automatically remove approvers or maintainers with zero Dapr activity (group only)

[artursouza]

For security reasons, I propose we automate the removal of an user from approvers or maintainers groups if they did not have any GitHub activity on any Dapr repository for the past 6 months. This proposal is NOT to revoke the user's approver or maintainer status, it is just to remove from the group for security reasons, since it is unsafe to keep inactive accounts with write or admin permission. Also, this proposal does not make a distinction about which repositories the person is participating to remain "active". To track when a person is automatically removed, an issue should be automatically created and serve as a thread to discuss the person's membership status or for the person request to have access added again. In case the person wants to be re-added to the groups, the person would need to perform any "activity" - like simply commenting on an issue.

Summary:

• After 6 months, if an approver or maintainer did not have any GitHub activity in Dapr org, the person will be automatically removed from all groups (except Members) and an issue be created.
• The person's approver or maintainer status IS NOT automatically revoked - please, track this in another proposal if there is interest in this.
• Maintainers and STC can review the GitHub issues that were automatically created for the person to have a chance to ask for permissions again (can be a bug in the script), also the STC can decide if the person should no longer continue as an approver or maintainer - although that is not the goal of this proposal, it is a byproduct to flag the situation.
• If the person wants to be added back to the groups, then the person needs to perform any "activity" for the script not to flag it again in the next run - like commenting on an issue.
• The following activities will be considered for users to remain "active":
  • Create a pull request
  • Review a pull request
  • Create an issue
  • Comment on an issue
• Adding the person back to a group is a manual task and SHOULD NOT be automated.

Feedback on this proposal is welcome. The following points are specially important:

• Is 6 months the right time to trigger the "idle" status?
• For security reasons, should the job be repository specific instead?
• What should be and should not be considered "activity"?

Regarding discussions about automatically revoking a person's approver or maintainer status, please, discuss in another issue. This issue is to address a security concern.

[artursouza]

@msfussell @yaron2 After given enough time for community discussion, can STC vote on this?

[msfussell]

@artursouza Yes, we will bring this to the Feb STC meeting. For example Amulya Varote (Microsoft) @amulyavarote has not been active as a maintainer for over a year having moved projects

[mikeee]

• Is 6 months the right time to trigger the "idle" status?

I think 3 months / quarter is a fair point. You've made it clear the idea isn't related to revoking the status but more about maintaining integrity and protection against exposed accounts with write/admin access.

• For security reasons, should the job be repository specific instead?

I think the job and associated scripts alongside issues created should be housed in a separate repo. i.e. members
Each repo could then trigger dispatch events to the members repo on each valid activity to update the latest activity of each member recorded in some sort of manifest.

[msfussell]

Suggest that the script pings the maintainers after 3 months of non-activity. This can either be an email, or create an issue on the community repo and put a comment in this issue that then pings the github handle

[msfussell]

This proposal approved by STC