Create github-mgmt stewards team with access to github-mgmt #37

Merged: 10 commits, Aug 5, 2022

@galargh galargh commented Aug 4, 2022

This is a follow-up to #30

Related to #35 (comment)

It seems evident that we need a way to capture who should have write access to github-mgmt.

In this PR I create a new github-mgmt stewards team and give it write access to github-mgmt. I also revoke w3dt-stewards access, and I remove myself from admin collaborators because I get enough access from ipdx team membership.

The general idea is to build up github-mgmt stewards with users who are:

  • familiar with GitHub Management
  • trusted within the org
  • want/need to be able to triage/merge PRs

github-actions bot commented Aug 4, 2022

Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.

Terraform plans

ipfs

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # github_repository_collaborator.this["github-mgmt:galargh"] will be destroyed
  # (because key ["github-mgmt:galargh"] is not in for_each map)
  - resource "github_repository_collaborator" "this" {
      - id         = "github-mgmt:galargh" -> null
      - permission = "admin" -> null
      - repository = "github-mgmt" -> null
      - username   = "galargh" -> null
    }

  # github_repository_file.this["github-mgmt/CODEOWNERS"] will be updated in-place
  ~ resource "github_repository_file" "this" {
      ~ content             = <<-EOT
          - *       @ipfs/ipdx
          + # The ipdx team is responsible for GitHub Management maintenance
          + * @ipfs/ipdx
          + 
          + # The github-mgmt stewards team is responsible for triaging/reviewing configuration change requests
          + # The ipdx team is added here temporarily to witness use patterns in github-mgmt
          + /github/ipfs.yml @ipfs/github-mgmt-stewards @ipfs/ipdx
        EOT
        id                  = "github-mgmt/CODEOWNERS"
        # (9 unchanged attributes hidden)
    }
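
Review bot: the new /github/ipfs.yml line in CODEOWNERS lists both @ipfs/github-mgmt-stewards and @ipfs/ipdx, so an approval from either team satisfies code-owner review for that file. CODEOWNERS only gates merges when the branch protection rule requires review from code owners, and this plan shows no such rule; confirm it is enabled on the github-mgmt default branch, since the same plan gives the stewards team push on the repository. The comment calls the ipdx entry temporary, so it would help to reference an issue that tracks removing it.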

  # github_team.this["github-mgmt stewards"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + description               = "Users that are effectively org admins"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "github-mgmt stewards"
      + node_id                   = (known after apply)
      + privacy                   = "closed"
      + slug                      = (known after apply)
    }
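
Review bot: the description on github_team.this["github-mgmt stewards"] still reads "Users that are effectively org admins", which no longer matches the team name and invites the same confusion with actual org admins that the rename was meant to remove. Suggest a description that states what the plan grants, for example that members can push to github-mgmt and are code owners for /github/ipfs.yml. If the wording is intentional because write access to github-mgmt amounts to org-level control, say that explicitly so reviewers of future membership changes see the stakes.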

  # github_team_membership.this["github-mgmt stewards:aschmahmann"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "aschmahmann"
    }

  # github_team_membership.this["github-mgmt stewards:biglep"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "biglep"
    }

  # github_team_membership.this["github-mgmt stewards:guseggert"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "guseggert"
    }

  # github_team_membership.this["github-mgmt stewards:lidel"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "maintainer"
      + team_id  = (known after apply)
      + username = "lidel"
    }

  # github_team_membership.this["github-mgmt stewards:willscott"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "willscott"
    }

  # github_team_repository.this["github-mgmt stewards:github-mgmt"] will be created
  + resource "github_team_repository" "this" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + permission = "push"
      + repository = "github-mgmt"
      + team_id    = (known after apply)
    }

  # github_team_repository.this["w3dt-stewards:github-mgmt"] will be destroyed
  # (because key ["w3dt-stewards:github-mgmt"] is not in for_each map)
  - resource "github_team_repository" "this" {
      - etag       = "W/\"550a84fff0930e442a1903e52965cc33801c470167f7eedd160e17f5eb26c0f9\"" -> null
      - id         = "4656983:github-mgmt" -> null
      - permission = "maintain" -> null
      - repository = "github-mgmt" -> null
      - team_id    = "4656983" -> null
    }

Plan: 7 to add, 1 to change, 2 to destroy.
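
One way to script the pre-merge check the bot asks for, as an added example (not part of this PR or of the project's tooling): it pulls every access-related change out of the plan text so that grants and revocations can be read as a short list. The function names and the abridged sample are assumptions made for illustration.

```python
import re

# Abridged from the plan in the comment above; only access-related attributes kept.
PLAN = '''\
  # github_repository_collaborator.this["github-mgmt:galargh"] will be destroyed
  - resource "github_repository_collaborator" "this" {
      - permission = "admin" -> null
    }
  # github_team_membership.this["github-mgmt stewards:guseggert"] will be created
  + resource "github_team_membership" "this" {
      + role     = "member"
    }
  # github_team_repository.this["github-mgmt stewards:github-mgmt"] will be created
  + resource "github_team_repository" "this" {
      + permission = "push"
    }
  # github_team_repository.this["w3dt-stewards:github-mgmt"] will be destroyed
  - resource "github_team_repository" "this" {
      - permission = "maintain" -> null
    }
'''

HEADER = re.compile(r'^\s*# (github_\w+)\.this\["([^"]+)"\] will be (created|destroyed|updated in-place)')
ATTR = re.compile(r'^\s*[+~-] (permission|role)\s*= "([^"]+)"(?: -> (?:"([^"]+)"|null))?')
ACCESS_TYPES = {"github_repository_collaborator", "github_team_repository", "github_team_membership"}

def access_changes(plan_text):
    """Return (action, resource_type, key, old_level, new_level) per access resource."""
    changes, current = [], None
    for line in plan_text.splitlines():
        if (m := HEADER.match(line)):
            # Track only resources that grant or revoke access; ignore files, teams, etc.
            current = m.groups() if m.group(1) in ACCESS_TYPES else None
        elif current and (m := ATTR.match(line)):
            rtype, key, action = current
            value, new = m.group(2), m.group(3)
            old, new = {"created": (None, value), "destroyed": (value, None)}.get(action, (value, new))
            changes.append((action, rtype, key, old, new))
    return changes

def grants(changes):
    """Changes that leave someone holding access afterwards (created or updated)."""
    return [c for c in changes if c[4] is not None]

if __name__ == "__main__":
    for change in grants(access_changes(PLAN)):
        print(change)
```
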

@galargh galargh marked this pull request as ready for review August 5, 2022 10:31
@galargh galargh requested a review from a team as a code owner August 5, 2022 10:31
@galargh galargh requested review from laurentsenta and BigLep August 5, 2022 10:31

@BigLep BigLep left a comment

I am good for you to merge.

I think you can remove w3dt-stewards now.

github/ipfs.yml Outdated
# - be ready to triage/review org configuration change request in github-mgmt
members:
maintainer:
- biglep

Maybe make it so I am just a member so I too am forced to use github management?
We still have the escape hatch of true admins can use the UI

Contributor Author

As long as you're an actual org admin, then you're a maintainer of all the teams you belong to. GitHub API will happily accept a request to change your role to member but it doesn't really do anything and a subsequent query for your role will still return maintainer.

Same goes for Adin and Lidel so I moved them up here too.
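
A lint for the situation described in the reply above, as an added example (not code from this PR or from github-mgmt): if org admins always report as maintainer, a config that lists one as `member` can never match what the API returns, so the check moves them before the config is applied. The function name, the dictionary layout and the sample admin list are assumptions made for illustration.

```python
def reconcile_roles(teams, org_admins):
    """Move org admins listed as `member` to `maintainer`.

    teams: {team_name: {"maintainer": [logins], "member": [logins]}}
    Returns (fixed_teams, moved), where moved lists (team, login) pairs.
    """
    admins = {a.lower() for a in org_admins}  # GitHub logins are case-insensitive
    fixed, moved = {}, []
    for team, members in teams.items():
        maintainers = list(members.get("maintainer", []))
        plain = []
        for login in members.get("member", []):
            if login.lower() in admins:
                maintainers.append(login)
                moved.append((team, login))
            else:
                plain.append(login)
        fixed[team] = {
            "maintainer": sorted(maintainers, key=str.lower),
            "member": plain,
        }
    return fixed, moved

# Constructed input: which logins are org admins is assumed here for illustration.
SAMPLE_TEAMS = {
    "github-mgmt stewards": {
        "maintainer": ["lidel"],
        "member": ["biglep", "guseggert", "willscott"],
    }
}
SAMPLE_ADMINS = ["BigLep", "lidel"]

if __name__ == "__main__":
    fixed_teams, moved_logins = reconcile_roles(SAMPLE_TEAMS, SAMPLE_ADMINS)
    print(moved_logins)
    print(fixed_teams)
```
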

galargh commented Aug 5, 2022

I updated the members list of org-admins and removed w3dt-stewards from github-mgmt.

@galargh galargh requested a review from BigLep August 5, 2022 14:17
@galargh galargh changed the title Create org-admins team with access to github-mgmt Create github-mgmt stewards team with access to github-mgmt Aug 5, 2022

galargh commented Aug 5, 2022

Renamed org-admins team to github-mgmt stewards because, as my 1:1 w/ Steve showed, it was hard to distinguish between org admins and org-admins team.
