Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ER: Remove inactive members from team resources #4541

Closed
2 of 3 tasks
JessicaLucindaCheng opened this issue Apr 17, 2023 · 15 comments
Closed
2 of 3 tasks

ER: Remove inactive members from team resources #4541

JessicaLucindaCheng opened this issue Apr 17, 2023 · 15 comments
Assignees
Labels
Complexity: Large epic ER Emergent Request Feature: Administrative Administrative chores etc. Issue Making: Level 4 Create an Epic Issue, and it's Level 2 or 3 issues role: dev leads Tasks for technical leads size: 13+pt Must be broken down into smaller issues
Milestone

Comments

@JessicaLucindaCheng
Copy link
Member

JessicaLucindaCheng commented Apr 17, 2023

Note: This issue came from the Task List Dev Leads.

Emergent Requirement - Problem

Issue Description

Write an issue to figure out how to remove developers marked inactive in our roster from all team resources.

Update roster
  • First, we need to make sure our roster is up to date and mark any developers who are no longer active as inactive in the roster.
Clean up GitHub teams
Offboard from other resources

Who was involved

What happens if this is not addressed

Inactive developers maintain a level of access to our repo that they don't need (such as write or admin access) and it may make our repo less secure.

Resources

Recommended Action Items

  • Make a new issue
  • Discuss with the team
  • Let a Team Lead know

Potential solutions [draft]

@JessicaLucindaCheng JessicaLucindaCheng added Feature: Administrative Administrative chores etc. Complexity: Large ready for dev lead Issues that tech leads or merge team members need to follow up on size: 8pt Can be done in 31-48 hours role: dev leads Tasks for technical leads epic Issue Making: Level 4 Create an Epic Issue, and it's Level 2 or 3 issues Issue Making: Level 5 Make a Rollout Plan that has >1 epics to achieve and timelines for interdependencies size: 13+pt Must be broken down into smaller issues and removed Issue Making: Level 4 Create an Epic Issue, and it's Level 2 or 3 issues Issue Making: Level 5 Make a Rollout Plan that has >1 epics to achieve and timelines for interdependencies size: 8pt Can be done in 31-48 hours labels Apr 17, 2023
@JessicaLucindaCheng JessicaLucindaCheng added ready for dev lead Issues that tech leads or merge team members need to follow up on and removed ready for dev lead Issues that tech leads or merge team members need to follow up on labels Apr 25, 2023
@ExperimentsInHonesty ExperimentsInHonesty added this to the 02. Security milestone May 7, 2023
@t-will-gillis

This comment was marked as outdated.

@t-will-gillis

This comment was marked as resolved.

@ExperimentsInHonesty

This comment was marked as resolved.

@ExperimentsInHonesty

This comment was marked as resolved.

@t-will-gillis t-will-gillis removed the ready for dev lead Issues that tech leads or merge team members need to follow up on label Nov 28, 2023
@t-will-gillis

This comment was marked as resolved.

@roslynwythe

This comment was marked as resolved.

@t-will-gillis

This comment was marked as resolved.

@t-will-gillis

This comment was marked as resolved.

@JessicaLucindaCheng JessicaLucindaCheng added the ER Emergent Request label Jan 26, 2024
@ExperimentsInHonesty

This comment was marked as resolved.

@t-will-gillis

This comment was marked as resolved.

@JessicaLucindaCheng

This comment was marked as resolved.

@ExperimentsInHonesty
Copy link
Member

ExperimentsInHonesty commented Feb 5, 2024

Summary of the items that remain (draft)

  • remove the user from the Google Drive (see notes below about tables team scripts)
    • WG: Done as of 2/23: via a Google Apps Script using [email protected] account, removing "Inactive" and unaffiliated members now, scheduled to run once monthly

    • WG: Note: I have been manually updating membership statuses, linking up emails to github handles, and more to clean up the Website Drive, but notice that Rabia is doing the same thing. So as not to waste time duplicating efforts, I have stopped manually updating. Script running/ auto-updates now

  • write a GHA if possible and if not a Google app script to update the users status as inactive when the member is removed from the repo.
    • WG: Done as of 2/19: via a Google Apps Script using [email protected] account for the token to access GitHub.
  • confirm that the solution does the following:
    • Makes sure the user on the write team, is also on the read team
      • WG: Done please note however: schedule-monthly.yml checks if user is on 'website' team prior to removal and adds them if they aren't.
    • remove the user from the write team
      • WG: Done. schedule-monthly.yml doing this
    • if user has maintainer status on the write team it removes it.
      • WG: Update: discussed at 2/26 meeting: won't use maintainer to block. Automation will completely remove the "Inactive" + "maintainer" from the 'website-write' team.
        • this is a different behavior than what we have been doing. Currently, if user has "maintainer" status they are protected from removal- the automation logs comment that "This inactive member is a 'Maintainer': xxxxxx" and then skips them
    • updates the roster, to make the member be inactive
      • WG: Done as of 2/19. See above also. Script is automatically updating column B on the Roster, once daily (at 9:32 pm for the last several days)
    • close their prework issue
    • unassign them from any open issue they are assigned to and move the issue to ??? and add ??? label
      • WG: Not done as shown
        • 2/25 Current automation will log the inactive member and the number or the open issue to which the inactive member is assigned, so that any may be reviewed. Incorporated into Edits to contributors-data.js and schedule-monthly.yml #6193
        • As an example: if we do this then the bot would be removing 'wanyuguan' & 'n2020h' from 'website-write' and unassigning them from their issues- Is this what we want to have happen?

Things this won't do for now (merge or lead specific)

@t-will-gillis
Copy link
Member

t-will-gillis commented Feb 5, 2024

UPDATE 2/11/24:

  • Closed all Pre-work Checklists from Inactive members.

Google Sheets 'Roster' file: Up and running as of 2/19

TL;DR Automation is running as of today,

  • The working Google Apps Script file and keys are accessible/ editable only through the Gmail account for [email protected] (credentials same as for email).

  • The automation runs daily at 9-10 pm, and checks for the list of "Active" users on the 'website-write' team, then logs the list to a Google Sheet inside the bot account.

  • The Roster imports this list from the bot account into Column 'B'

  • (The automation is purposefully attached to the limited-access hackforla-bot account so that GitHub and Google keys/ secrets are not easily accessible)

  • Column 'F/G' "Permissions" is NOT updated, still manual

  • See comments above also.

APIs - Have written a Google Apps Script to call GitHub and update members in my repo. Need to transfer script to the Roster, and authorize the script without making the token visible (via an environment variable? if someone know how to do this... ).

  • Col B 'Status':

    • Google Apps Script is ready to be transferred to Roster: whose account, hiding access key?
    • From 2/12 meeting: use "GitHub Bot" account
    • Snag is that not all of current "Leads" are "Active" --> should all of these people be leads?
  • Col F 'Permissions':

    • Script could update 'Merge Team' easily, but not 'Lead's
  • Cols M-Q: Need anything here?

  • I mis-stated the above regarding the "Lead" designation for 'Permissions'- my question should be: If someone is marked as a "Lead" on the Roster, should this be tied to some aspect of the Website teams? For example, some people that are identified as "Leads" are gone completely from the website (Alex Stubbs, Harish) and some are normal members with no special status (Isaac Cruz, Saumil).
    - Note I am only asking the question if you would like me to do something. If not, I can ignore also.

Google Drive 'HfLA.org Website' Up and running as of 2/23

  • The working Google Apps Script file and keys are accessible/ editable only through the Gmail account for [email protected] (credentials same as for email).

  • The automation currently set to run monthly at 3 am on the 2nd.

  • The automation runs daily at 9-10 pm, and checks for the list of "Active" users on the 'website-write' team, then logs the list to a Google Sheet inside the bot account.

  • The Roster imports this list from the bot account into Column 'B'

  • (The automation is purposefully attached to the limited-access hackforla-bot account so that GitHub and Google keys/ secrets are not easily accessible)
    TL; DR: File is partially, manually updated as of today. Can finish manually except need guidance on access settings.

  • See previous comment. I am abandoning manual updates to the Drive since Rabia has now also started doing the same thing

  • I need to explore further about using scripts to update Drive access. Update from 2/12 meeting: WG given access to Tables. There are GA Scripts for changing/adding members to Drive.

  • Are there other members who should have or retain higher level of access? For example:

    • Current "Content manager"s: John Guan, Zoe Zhong, etc. (People that were given this access in the past)
    • Current "Contributor"s: Chelsey Beck, Adam Abundis, etc. (People that are Leads elsewhere)
    • Update from 2/12 meeting: If the person is "Inactive" their access to the Drive should be "Viewer". NOT CORRECT per discussion with Rabia
  • Assuming other Google Drive(s) out of scope e.g. the Admin drive

  • Assuming that updates to 1Password out of scope

  • Assuming that Figma access out of scope

  • All correct, see Bonnie's comment above

@JessicaLucindaCheng JessicaLucindaCheng changed the title ER from TLDL: Remove inactive members from team resources ER: Remove inactive members from team resources Feb 8, 2024
@ExperimentsInHonesty
Copy link
Member

@t-will-gillis
Copy link
Member

See comments below:

  • First, we need to make sure our roster is up to date and mark any developers who are no longer active as inactive in the roster.
  • Before removing anyone from a team, make sure they are on the website team in GitHub (https://github.com/orgs/hackforla/teams/website) already, which gives them only read access to the repo. This makes sure it doesn't mess up any work they did (issues they were assigned to and completed, prs they opened, etc). In the past, people may not have been added to the website team in GitHub when they joined so that's why we need to check that they are on the website team in GitHub.

See comments from Bonnie above regarding other Team Resources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Complexity: Large epic ER Emergent Request Feature: Administrative Administrative chores etc. Issue Making: Level 4 Create an Epic Issue, and it's Level 2 or 3 issues role: dev leads Tasks for technical leads size: 13+pt Must be broken down into smaller issues
Development

No branches or pull requests

4 participants