Refresh ORAS governance guide and process

[FeynmanZhou]

As the ORAS community is growing fast in recent months, we see new contributors are being more active and subprojects/repos are newly created, there were also a few maintainers/owners not active in the 6 months.

As a CNCF Sandbox project, we need to look back at the existing ORAS governance guide and process, refresh them to adapt our community status and growth, and ensure the ORAS community has a healthy and open governance model. I will use the CNCF Project Guidance as a reference.

I would like to use this issue to list the key items we need to implement and gather further ideas for shaping good governance. I believe it will incentivize more users to become long-term, active, and engaged members of the community if we have a healthy governance model and documents. Let us know if you have any suggestions.

• Have a clear process of setting up a new subproject/repository and document it in the ORAS governance guide
• Have the correct code owner file (CODEOWNERS) in each repo. Currently, it mistakenly uses the markdown file as the code owner file in each repo, e.g. OWNERS.md
• Have a central place to list all subproject maintainers and owners, then sync it to the CNCF maintainer list. It relates to Create a doc to list ORAS subproject owners #23
• Have a clear contributing guide for code and non-code contributions on the website, serving the major ORAS subprojects. It relates to Create a contribution guide for ORAS #20 and feat: Add contributing document oras-www#90
• Define a new role for the subproject maintainer; have clear criteria for nominating and onboarding a new maintainer. Document it in the ORAS governance guide
• Ask the inactive subproject/org owners regarding their willingness to reserve or step down
• Have matched permissions and GitHub Team members configured. Currently, they are misconfigured or outdated

In addition, the security policy and branch policy should be considered and added for the second phase.

[shizhMSFT]

CODEOWNERS files are created according the OWNERS.md file per repository.
New maintainers should be onboarded to MAINTAINERS.md and CODEOWNERS. OWNERS.md should only contain owners / admins.

Here are the PR links to individual repositories.

• chore: add CODEOWNERS based on OWNERS.md oras#811
• chore: add CODEOWNERS based on OWNERS.md oras-go#444
• chore: add CODEOWNERS based on OWNERS.md oras-py#75
• chore: add CODEOWNERS based on OWNERS.md oras-www#115
• chore: add CODEOWNERS based on OWNERS.md #29
• chore: add shizhMSFT to CODEOWNERS and OWNERS.md setup-oras#3

[toddysm]

I think we should have separate issue for each of the work items above so we can have a discussion about the updates before we make those. Else we will bulk the discussions in this issue and it will not be clear what the outcome is. Governance changes are important and each individual change should be discussed separately. I have filed #33 for addressing the first from the list above.