diff --git a/docs/org-audit-2026-06-04.md b/docs/org-audit-2026-06-04.md index bc24ca3..7da069b 100644 --- a/docs/org-audit-2026-06-04.md +++ b/docs/org-audit-2026-06-04.md 
@@ -16,90 +16,126 @@ ## Critical -- [ ] **1. Enable 2FA requirement** — Settings → Authentication security → "Require two-factor authentication" - - _Prerequisite: post Slack announcement and give 1–2 weeks notice before enabling_ - - _Impact: members without 2FA are auto-removed from org on enforcement date_ +- ⏳ **1. Enable 2FA requirement** — Settings → Authentication security → "Require two-factor authentication" + - _Post Slack announcement first; give 1–2 weeks notice before enabling_ + - _Table for Saturday org meeting_ --- ## High - [ ] **2. Revoke Travis CI GitHub App** — Settings → GitHub Apps → Travis CI → Revoke - - _Zero repos use it. No breakage risk. Can be done immediately._ + - _Zero repos use it. No breakage risk. Do before Saturday._ -- [ ] **3. Scope Slack app permissions** — Settings → GitHub Apps → Slack → Configure +- [ ] **3. Scope Slack app permissions** — Must be done via UI - _Currently: `repository_selection: all` with `contents: write` + `workflows: write`_ - - _Target: restrict to specific repos it posts from, OR replace with official GitHub-for-Slack integration_ - - _Needs coordination: confirm which repos/channels are actively using the integration_ - -- [ ] **4. Restrict GitHub Actions to trusted sources** — Settings → Actions → General → "Allow select actions" - - _Currently: `allowed_actions: "all"`_ - - _Target settings:_ - - ✅ Allow actions created by GitHub - - ✅ Allow Marketplace-verified creators - - Patterns: `peaceiris/*`, `ruby/*` - - _Used non-GitHub actions: `peaceiris/actions-gh-pages` (2 repos), `ruby/setup-ruby` (1 repo)_ - -- [ ] **5. 
Enable secret scanning + push protection org-wide** — Settings → Code security and analysis - - _Currently enabled on only 6 of 35 repos_ - - _Target: "Enable all" for both secret scanning and push protection_ + - _Go to: github.com/organizations/CivicTechWR/settings/installations → Slack → Configure_ + - _Change to "Only select repositories" — run `/github subscriptions` in Slack to see what's active_ + - _Table for Saturday (needs coordination)_ + +- [ ] **4. Restrict GitHub Actions to trusted sources** — Settings → Actions → General + - _Target: GitHub-owned + Marketplace-verified + `peaceiris/*`, `ruby/*`_ + - _Can do before Saturday — no breakage_ + +- [ ] **5. Enable secret scanning + push protection org-wide** — Settings → Code security and analysis → "Enable all" - _Include in Slack announcement_ -- [ ] **6. Enable Dependabot alerts org-wide** — Settings → Code security and analysis - - _Currently enabled on only 4 repos_ - - _Target: "Enable all"_ +- [ ] **6. Enable Dependabot alerts org-wide** — Settings → Code security and analysis → "Enable all" - _Include in Slack announcement_ --- -## Medium (requires human judgment) +## Medium - [x] **7. Stale membership audit — first pass (2026-06-04)** - _Removed from org:_ `jeffwoods`, `KristinaTaylor`, `ToddTurnbull` - - _Demoted from Organizers team (still org members):_ `hjroaf`, `middlekidd`, `coleWesterveld` - - _~50 inactive low-risk members remain — batch removal pending 2FA notice window (item 1)_ + - _Demoted from Organizers team:_ `hjroaf`, `middlekidd`, `coleWesterveld` + - _Cleaned up:_ `BreakableHoodie` removed from project teams they didn't contribute to + - _~50 inactive low-risk members remain — batch removal after 2FA notice window_ - _TODO: document offboarding cadence in `CTWR-Organization-Documentation`_ - [x] **8. 
Outside collaborator review (2026-06-04)** - - _Removed:_ `aulakhznavreen`, `gohbi`, `JohnBuni`, `Kyle-Hawkins`, `msmel01`, `sarayyjaan`, `keriwarr`, `lcik` - - _Converted:_ `aleeeeeeeena` — admin access on `project-union-coop` revoked; invited to `project-union-coop` team (push). **Invite pending acceptance.** - - _Kept:_ `sae-br` — only remaining outside collab; active on `accessible-housing-portal`. Invite to org and add to team. **Tabled for Saturday.** - -- [x] **9. Assign project teams to repos + RBAC cleanup (2026-06-04)** - - _Added_ `wrvotes(push)` → `WRVotesMunicipal2022`, `WRVotesProv2025`, `WRVotesFed2025`, `WRvotesMunicipal2018` - - _Added_ `project-union-coop(push)` → `project-union-coop` - - _Added_ `website(push)` → `blog`, `ctwr-web` - - _Created_ `accessible-housing-portal` team (push) with `adinschmidt`, `jliu1016`, `ehharvey` - - _Renamed_ `project-lomo-admins` → `project-lomo-leads`; permission Admin → Maintain - - _Renamed_ `project-ploughshares-leads` permission Admin → Maintain - - _Removed_ 29 redundant direct user-to-repo assignments - - _Removed_ `BreakableHoodie` from `project-lomo-leads` (not a project contributor) - - _No team yet:_ `project-pech`, `epwr_case_management` — tabled for Saturday + - _Removed (8):_ `aulakhznavreen`, `gohbi`, `JohnBuni`, `Kyle-Hawkins`, `msmel01`, `sarayyjaan`, `keriwarr`, `lcik` + - _Converted:_ `aleeeeeeeena` — admin revoked; invited to `project-union-coop` team (push). **Invite pending.** + - _Invited to org:_ `sae-br` — active contributor on `accessible-housing-portal`; added to team. **Invite pending.** + - _Remaining outside collabs:_ `sae-br` (will resolve on invite acceptance) + +- [x] **9. 
RBAC model + team restructure (2026-06-04)** + + **Permission fixes:** + - `project-lomo-admins` renamed → `project-lomo-leads`, Admin → Maintain + - `project-ploughshares-leads` Admin → Maintain + - `midtown-radio-app` Maintain → Write (push) + - `go-train-pass-project-team` Maintain → Write (push) + + **Leads teams created (Maintain):** + | Team | Repo(s) | Lead(s) | + |------|---------|---------| + | `wrvotes-leads` | All 7 WRvotes repos | acant, pnijjar | + | `go-train-leads` | `go-train-group-pass` | jliu1016 | + | `project-union-coop-leads` | `project-union-coop` | jliu1016 | + | `accessible-housing-portal-leads` | `accessible-housing-portal` | jliu1016 | + | `epwr-case-management-leads` | `epwr_case_management` | jliu1016, indyng (pending) | + | `project-pech-leads` | `project-pech` | indyng (pending) | + + **New contributor teams created (Write):** + - `accessible-housing-portal` — adinschmidt, jliu1016, ehharvey + - `project-pech` — j2fyi, writingindy, NipunGrover + - `epwr-case-management` — jliu1016 + + **Team-to-repo assignments added:** + - `wrvotes(push)` → WRVotesMunicipal2022, WRVotesProv2025, WRVotesFed2025, WRvotesMunicipal2018 + - `project-union-coop(push)` → project-union-coop + - `website(push)` → blog, ctwr-web + + **Direct assignments cleaned up:** 29+ redundant direct user-to-repo grants removed + + **Pending invites:** + - `aleeeeeeeena` — project-union-coop team + - `sae-br` — accessible-housing-portal team + - `indyng` — project-pech-leads + epwr-case-management-leads - [ ] **10. 
Open issue: branch protection coverage** - - _Active repos with no branch protection:_ - - `WRvotes`, `CTWR-Organization-Documentation`, `WRVotesMunicipal2022`, `ctwr-member-directory` - - `MidtownRadioApp`, `WRVotesFed2025`, `WRVotesProv2025`, `project-pech`, `blog` - - `go-train-group-pass`, `project-union-coop`, `WRVotesPlaceholder`, `WRvotesMunicipal2018` - - `CTWR-Template`, `accessible-housing-portal` (partial — 1 review required, no enforce_admins) - - _Open a tracking issue linking to `docs/governance/codeowners-branch-protection.md`_ + - _Most active repos still have no branch protection_ + - _Open tracking issue linking to `docs/governance/codeowners-branch-protection.md`_ - _Invite opt-in; revisit enforcement next quarter_ - [ ] **11. Review ChatGPT Codex Connector scope** — Settings → GitHub Apps → Codex Connector - - _Currently `repository_selection: all`_ - - _Identify repos actively used with Codex and restrict to those_ + - _Currently `repository_selection: all` — acting as PR reviewer org-wide_ + - _Table for Saturday: confirm which projects want automated Codex reviews_ + +--- + +## Still Needs Leads Teams + +These projects have contributor teams but no leads team yet. Identify leads and create: + +| Project | Contributor team | Leads team needed | +|---------|-----------------|-------------------| +| Midtown Radio | `midtown-radio-app` | `midtown-radio-leads` | +| Connected KW | `connected-kw` | `connected-kw-leads` | +| Website | `website` | `website-leads` (team depleted — review membership first) | +| ZoneChanges | `zonechanges` | `zonechanges-leads` (small team, low priority) | --- ## Low / Optional - [ ] **12. Enable `delete_branch_on_merge` org-wide** _(optional)_ - - _Not a security risk — cleanliness only. Merged branches accumulate in the branch list._ - - _Can enable in repo settings or org default_ -- ❌ **13. Rename `master` → `main`** — Deferred. New repos already use `main`. Legacy repos not worth the disruption. +- ❌ **13. 
Rename `master` → `main`** — Deferred. -- ❌ **14. Restrict `members_can_create_teams`** — Left as-is. Risk is low (teams need admin to get repo access). Restricting would prevent organizers from creating teams. +- ❌ **14. Restrict `members_can_create_teams`** — Left as-is. + +--- + +## Pending Invites (as of 2026-06-04) + +| User | Invited by | Queued teams | +|------|-----------|--------------| +| `aleeeeeeeena` | BreakableHoodie | `project-union-coop` (push) | +| `sae-br` | BreakableHoodie | `accessible-housing-portal` (push) | +| `indyng` | BreakableHoodie | `project-pech-leads` (maintain), `epwr-case-management-leads` (maintain) | --- @@ -112,17 +148,11 @@ Draft at `/tmp/ctwr-slack-announcement.md`. Post to `#general` before enabling 2 ## Verification Commands ```bash -# Check 2FA status gh api orgs/CivicTechWR --jq '.two_factor_requirement_enabled' - -# Confirm Travis CI is gone gh api orgs/CivicTechWR/installations --jq '[.installations[].app_slug]' - -# Check Actions policy -gh api orgs/CivicTechWR/actions/permissions --jq '.' - -# List remaining outside collaborators +gh api orgs/CivicTechWR/actions/permissions --jq '.allowed_actions' gh api orgs/CivicTechWR/outside_collaborators --paginate --jq '.[].login' +gh api orgs/CivicTechWR/invitations --paginate --jq '.[].login' ``` ---
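Review bot: several items in this hunk drop the evidence that justified their rating or their "no breakage" claim, which makes the audit harder to verify at the Saturday meeting. Item 1 loses `_Impact: members without 2FA are auto-removed from org on enforcement date_`, the one consequence the Slack announcement must spell out; item 4 loses `_Currently: allowed_actions: "all"_` and the inventory of third-party actions in use (`peaceiris/actions-gh-pages` (2 repos), `ruby/setup-ruby` (1 repo)) that backs `_Can do before Saturday — no breakage_`; item 10 replaces the enumerated list of unprotected repos with `_Most active repos still have no branch protection_`, so the tracking issue it asks for has nothing concrete to link to. Suggest keeping those lines, or moving the repo list into the tracking issue before deleting it here. Smaller points: pending invites now appear three times (items 8, 9 and the new "Pending Invites" table), so keep only the table and reference it from the items; item 9 says `29+` where item 9 previously said `29`, pick one; and items 13 and 14 lose their rationale ("Risk is low (teams need admin to get repo access)"), which is the part a future reader needs to re-evaluate the deferral.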
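Review bot: in the Verification Commands hunk, `gh api orgs/CivicTechWR/actions/permissions --jq '.allowed_actions'` only confirms the policy is `selected`; it does not show whether the GitHub-owned, Marketplace-verified and `peaceiris/*`, `ruby/*` allowances from item 4 are what was actually saved. Add `gh api orgs/CivicTechWR/actions/permissions/selected-actions` next to it (its response carries `github_owned_allowed`, `verified_allowed` and `patterns_allowed`). Removing the `# Check 2FA status` style comments also leaves each command without its expected value; keep one comment per command stating what a passing result looks like (`true` for the 2FA check, no `travis-ci` slug in the installations list, an empty outside-collaborators list once `sae-br` accepts). For the new `invitations` line, `.[].login` prints `null` for invitations sent by e-mail address, so `--jq '.[] | .login // .email'` gives a complete list. Nothing in the block verifies items 5 and 6 (secret scanning, push protection, Dependabot alerts), which are the two "Enable all" changes the Slack announcement covers.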