Open
Description
Problem
GitHub orgs with a diverse set of projects and stakeholders (e.g., filecoin-project) have inherent risks by using github-mgmt/github-as-code. They ideally want a diverse-enough set of representatives with push access to filecoin-project/github-mgmt, but anyone who has push access can effectively make large permissions changes on projects that are unrelated to their own. It would be ideal, for example, if lotus maintainers could approve permissions changes to their repos or teams but not to other groups' repos and teams.
Ideas
- If, instead of having one large .yaml file, there were multiple YAML files (one per repo or team), CODEOWNERS could be used together with branch protection to require PR approval from a code owner.
- If github-mgmt CI checks were intelligent enough to identify which resource or repo was modified, they could wait to pass until someone with write access to that repo or team approved the PR.
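
A sketch of the second idea, added here as an illustration and not taken from github-mgmt: a CI gate that diffs the parsed org config between the PR's base and head, then lists every changed repo or team that lacks an approval from someone who already had write access to it. The config key layout, the function names and the sample data are assumptions; direct collaborators only, with access granted through teams left out.

```python
SCOPED = ("repositories", "teams")  # kinds that can be approved per resource

def changed_resources(base, head):
    """Return {(kind, name)} for every entry that differs between base and head."""
    changed = set()
    for kind in base.keys() | head.keys():
        b, h = base.get(kind) or {}, head.get(kind) or {}
        if kind not in SCOPED:          # e.g. org membership: org-wide change
            if b != h:
                changed.add(("org", kind))
            continue
        changed |= {(kind, n) for n in b.keys() | h.keys() if b.get(n) != h.get(n)}
    return changed

def owners(base, kind, name):
    """Who may approve, read from BASE so a PR cannot grant itself approval rights."""
    if kind not in SCOPED:
        return set()
    entry = (base.get(kind) or {}).get(name) or {}
    if kind == "teams":
        return set((entry.get("members") or {}).get("maintainer") or [])
    collab = entry.get("collaborators") or {}
    return {u for role in ("admin", "maintain", "push") for u in collab.get(role) or []}

def unapproved(base, head, approvers, author, org_admins):
    """Changed resources with no valid approval; the check passes when this is empty.
    Fails closed: new resources and org-wide keys have no owners in base, so only
    an org admin can approve them. The PR author's own approval never counts."""
    valid = set(approvers) - {author}
    return [(kind, name) for kind, name in sorted(changed_resources(base, head))
            if not valid & (owners(base, kind, name) | set(org_admins))]

# Constructed sample data; the key layout is an assumed shape for the parsed YAML.
BASE = {
    "repositories": {
        "lotus": {"collaborators": {"push": ["alice"]}},
        "boost": {"collaborators": {"push": ["bob"]}},
    },
    "teams": {"lotus-maintainers": {"members": {"maintainer": ["alice"]}}},
}
HEAD = {
    "repositories": {
        "lotus": {"collaborators": {"push": ["alice"]}},
        "boost": {"collaborators": {"push": ["bob"], "admin": ["carol"]}},
    },
    "teams": {"lotus-maintainers": {"members": {"maintainer": ["alice"]}}},
}

if __name__ == "__main__":
    # A lotus maintainer approving a change to boost does not satisfy the gate.
    print(unapproved(BASE, HEAD, {"alice"}, "dave", {"org-admin"}))
```
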