[Jenkins-infra] Talking points for GitHub?
ml at beckweb.net
Mon Nov 6 20:27:49 UTC 2017
> On 6. Nov 2017, at 19:57, R. Tyler Croy <tyler at monkeypox.org> wrote:
> The lack of centralized management tooling across organizations, and the
> scalability challenges within a single organization, are two points on my
> todo-list for these discussions.
Any nontrivial batch operation using the API will hit the API limit pretty much immediately across 1500 repos, and there's no UI for batch operations across repos in an organization. Apparently having almost 2000 repos is not reason enough to get this limit raised.
"Projects" is a feature introduced fairly recently that is enabled by default. I can disable them for _all_ repos in the org (which I would if I could be reasonably sure there's no angry mob waiting for me with pitchforks), but no way to just disable them for all repos that don't already use projects. The same with wikis and issue trackers -- "disable all unused" should be reasonably easy to do, and that's just one example.
I can get no report about the configurations of the repos in an organization that would allow me a starting off point to standardize settings. (Not even a scale issue, just standardizing the 50 repos in jenkinsci-cert required writing a script -- the API is nice, but once it's needed for basic management of 2+ repos, something's off).
Fine-grained permission management at scale is a mess. Our approach with per-repo teams is pretty error-prone to begin with, sure, but just moving to 'external contributors' wouldn't solve it -- for example, how could we ensure that every contributor also needs to be an org member (which is required for features like mentioning even public teams)? I don't think this is possible. Since there's no tools to manage permissions at scale, or to get insight who's actually working on any given repo, I have no idea how to even start migrating off per-repo teams, and off the 'Everyone' team, without accidentally removing access that's needed.
In an org as large as jenkinsci it would also be REALLY useful to get a report that showed for any combination of repo x contributor when the last time a permission was used. It should be reasonably straightforward to for example remove permissions not used in the last N months (or years) to protect us better from compromised accounts that don't use their access anyway ("revoke everything and then restore after complaints" isn't really feasible for us). Sure, let's just require 2FA and remove ~60% of members from the organization…
Pending invitations (of which we have >100) don't show when they were sent out -- so no way to only revoke those that are older than N weeks.
I get an email every time someone adds a deploy key to a repo, but I cannot look for repos with deploy keys set up.
New options aren't added visible enough. For a long time, I was concerned about granting repo admin access, until it became possible to restrict the "danger zone" options -- something I, AFAIR, discovered by accident. As an owner of a large organization, these new management options should be announced more visibly. With 1500+ repos, members, and teams to manage, I'll probably care about every one of these.
Grouping/categorizing repos in some user-defined manner (not just Type/Language) would be useful. Core/Plugins/Libraries/… in the case of jenkinsci. Topics are nice but not really suited for this.
More information about the Jenkins-infra