Pre-defined groups and roles

[lancehampton]

To provide a solid starting point for new organizations we should define various groups and roles according to best practices for supply chain security. The upstream Terraform provider for GitHub supports the necessary resources, we just need to pre-define them as modules here.

References

• Organization Roles
• Repository Roles
• Custom Roles

Possible Starter Roles

• Full/Super Admin - admin on all repos and is an org owner, can override app deployments
• App Developers - access to a specific App repos, can push and pull code, cant approve deployments
• App Approvers - approve deployments and review code, but cannot push code changes to the app
• Emergency Bypass - small group with auth to bypass multiple reviewers requirement
• GitHub Admins - can update module inputs to change settings, create repos, etc.
• Security Managers - for the ISSM to review repo/code security dashboard for the entire org