Introduce opentofu to manage repository configuration

Labels: area/meta/workflow kind/feature priority/backlog triage/accepted

Timeline

sudoforge opened (edited)

By bringing opentofu into the CI pipelines, we will be able to manage various repository settings via configuration files that live in the repository. This allows changes to these settings to be referenced, reviewed, and discussed just like code.

Motivation:

Codify GitHub repository configuration (e.g. contributors, branches, webhooks, pipeline settings) in a way that can be peer-reviewed and whose changes can be applied by a pipeline. This reduces the burden of ownership and increases transparency.

General design plan:

  • Authentication to GitHub's API will be provided with the automatic GITHUB_TOKEN variable that is set on a per-workflow basis
  • Permissions for the token can be managed with the permissions key on the relevant workflow configuration file(s), both at the global (root) level and individually for a given job.
  • State will be stored in GitHub's cache, but will be either fully or partially encrypted using an encryption key stored as a repository secret, making the value inaccessible to anyone (this is a write-only action). This encryption key could be generated with age, but the private key should be backed up securely for posterity and to avoid the bus factor.
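One way to wire up the three points of the design plan in a single workflow, as an added example that is not from this issue or the project's own repository. It assumes the HCL for the integrations/github provider lives under `.tofu/` and manages resources that `issues: write` covers (e.g. `github_issue_label`), that a repository secret named `TOFU_STATE_AGE_KEY` holds the age identity (the `AGE-SECRET-KEY-1...` line produced by `age-keygen`), and that `age` is installable from the runner's apt repositories; all three names are placeholders chosen for the example:

```yaml
# .github/workflows/repo-config.yml  (assumed path; added example, not from the issue)
name: Repository configuration

on:
  push:
    branches: [main]
    paths: [".tofu/**"]          # assumed: HCL for the integrations/github provider lives here
  pull_request:
    paths: [".tofu/**"]

# Root-level default for every job: read the checkout and nothing else.
permissions:
  contents: read

jobs:
  tofu:
    runs-on: ubuntu-latest
    # Job-level widening: managing labels (github_issue_label) needs issues:write.
    # Settings behind the "administration" permission (branch protection, webhooks)
    # cannot be granted to GITHUB_TOKEN and need a GitHub App or PAT instead.
    permissions:
      contents: read
      issues: write
    defaults:
      run:
        working-directory: .tofu
    steps:
      - uses: actions/checkout@v4
      - uses: opentofu/setup-opentofu@v1

      - name: Install age
        working-directory: .
        run: sudo apt-get update && sudo apt-get install -y age   # assumed: age available via apt

      # State enters the Actions cache only in encrypted form. Cache keys are immutable,
      # so each run saves under its own key and restores the newest entry for the prefix.
      - name: Restore encrypted state
        uses: actions/cache/restore@v4
        with:
          path: .tofu/terraform.tfstate.age
          key: tofu-state-${{ github.run_id }}
          restore-keys: tofu-state-

      - name: Decrypt state
        env:
          # Assumed secret name. Secrets are write-only in GitHub, so the age identity
          # must also be backed up outside GitHub, as the issue notes.
          AGE_PRIVATE_KEY: ${{ secrets.TOFU_STATE_AGE_KEY }}
        run: |
          umask 077
          printf '%s\n' "$AGE_PRIVATE_KEY" > "$RUNNER_TEMP/age.key"
          if [ -f terraform.tfstate.age ]; then
            age -d -i "$RUNNER_TEMP/age.key" -o terraform.tfstate terraform.tfstate.age
          fi

      - name: Plan
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # read by the integrations/github provider
        run: |
          tofu init -input=false
          tofu plan -input=false -out=tfplan

      - name: Apply
        if: github.event_name == 'push'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: tofu apply -input=false tfplan

      - name: Encrypt state and drop plaintext
        if: github.event_name == 'push'
        run: |
          PUBKEY=$(age-keygen -y "$RUNNER_TEMP/age.key")   # recipient derived from the identity
          age -r "$PUBKEY" -o terraform.tfstate.age terraform.tfstate
          rm -f terraform.tfstate terraform.tfstate.backup tfplan "$RUNNER_TEMP/age.key"

      - name: Save encrypted state
        if: github.event_name == 'push'
        uses: actions/cache/save@v4
        with:
          path: .tofu/terraform.tfstate.age
          key: tofu-state-${{ github.run_id }}
```

Two properties of this layout are worth checking before relying on it. The Actions cache is readable by any workflow in the repository and is not durable (entries that go unused are evicted), so the age encryption is what makes it an acceptable home for state at all, and an evicted entry means re-importing the resources into a fresh state. Pull requests from forks run without repository secrets, so the decrypt and plan steps will fail for them unless the job is restricted to same-repository pull requests (for example with `github.event.pull_request.head.repo.full_name == github.repository`).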

sudoforge added label kind/feature

sudoforge added label priority/important-soon

sudoforge added label triage/accepted

sudoforge added label area/meta/workflow

sudoforge added label lifecycle/active

sudoforge removed label priority/important-soon

sudoforge added label priority/backlog

sudoforge removed label lifecycle/active