Investigate and define Codeowners file recommendation for projects

[tim-schilling]

Seth Larson, PSF security developer in residence, recommended that we use the codeowners file to lock down specific areas of projects. This can make it easier for everyone to have write permissions in other areas of the project, then limit the sensitive parts to specific people.

I'm not 100% sure how far we want to take this, or in what regard. Projects can use this file to be very permissive with the commit permission. Or we can use this for projects to need Django Common's admins permissions. Perhaps this is something we utilize when we have a new person adopt an abandoned project so that the admins are a bit involved until the person has proven they can be trusted?

[williln]

Bringing over the link to urllib3's CODEOWNERS from your email:

https://github.com/urllib3/urllib3/blob/98634f7a5a0f39029a21e9f49e9066a8f99a1515/.github/CODEOWNERS#L1-L8

We are already using GitHub Teams so I think we are well-placed to start using this. I took a look at our projects and I don't think we have anyone now who uses a codeowners file. Making sure that changes to the production terraform values in the membership repo get reviewed by an admin, for example, seems like a good use case.

In terms of other projects, is this something we would want to blog about and encourage our projects to adopt via a Discussion post, and maybe adding it to the Best Practices repo?

I do think your example use case about using it to have the admin team in place as a safety net for projects is a good one.

[tim-schilling]

Yes to all of your points!

• Let's lock down our terraform variables
• We should blog about using it internally and how other projects could use it too
• We should add it to the best practices repo if there's a good universal way to do it

[tim-schilling]

I've configured our main branch to have some basic preventative measures. I did set it up so that admins can by-pass the configurations. I think we're still in a window where some of us may need to make several terraform changes in a row and I don't want to make that even more difficult. If folks disagree, please speak up because I'm happy to be wrong here.

[ryancheley]

Allowing admin bypass makes sense for now. I think we may want to add it as a standing agenda item to review every X meetings, or something like that, to see if it should still be in place