
Add github.com/wikimedia as an SCM for Semgrep Cloud
Closed, Declined (Public)

Description

We would like to add github.com/wikimedia as an SCM for Semgrep Cloud. We would plan to only use this as a means of controlling auth/access to the commercial Semgrep supply-chain tool and would not plan to use it as a means of automating scans against repos under the Wikimedia GitHub org. There is also an option where we could theoretically use Wikimedia's GitLab installation as an auth provider/SCM, but I'm not sure if that would actually be any better/safer.

Event Timeline

jbond subscribed.

@sbassett I'm not sure who manages the GitHub account. For now I'll tag collaboration-services, who manage GitLab, and Release-Engineering-Team; hopefully someone there should be able to help.

Hey @jbond - I had been talking to @Clement_Goubert on Slack about this, so that's why I tagged them/SRE. In theory, anyone with github org owner privileges could perform this request. Though since I don't think we've ever done anything like this before, and there are maybe a few minor security concerns, I wanted to create this task.

We don't really have a relation to the github Wikimedia organization either.

Let's keep access requests on tickets and not in ad-hoc chats. The current situation is partially due to this having "grown organically" in the past when people clicked based on pings.

I think this needs manager involvement and a general policy because there doesn't seem to be a list of who has access in GitHub or how they got it, and overlap with WMF teams is coincidental if it exists at all.

> Let's keep access requests on tickets and not in ad-hoc chats.

Yep, that was a result of Clement's and my Slack conversation and why this task was filed.

> I think this needs manager involvement and a general policy because there doesn't seem to be a list of who has access in GitHub or how they got it, and overlap with WMF teams is coincidental if it exists at all.

Sure, as long as that doesn't derail this and other requests for several years.

@LSobanski will connect on this to gather more information and discuss on next steps.

Maybe the admins listed here would be able to help: https://wikitech.wikimedia.org/wiki/Techblog.wikimedia.org#GitHub_repos, just based on "somehow they can create private repos on GitHub".

> because there doesn't seem to be a list of who has access in GitHub

For the record, https://github.com/orgs/wikimedia/people?query=role%3Aowner provides a list of "owners".

sbassett added a subscriber: bcampbell.

I'm going to decline this for now, as @bcampbell and I set up Wikimedia's Okta as an SSO provider for the Semgrep Cloud Dashboard. Still, it would be nice if there was more of a process/ownership around this sort of thing, as many vendors tend to support GitHub/GitLab auth and automation for this and similar tools.