Dealing with workflow execution restriction following enforcement of more stringent security rules

[fcollonval]

Description

Follow-up of #251 (comment)

I looked at how best handle the current situation that prevents the update job to be executed on non-member PRs. It looks like the easiest would be to create a team with Read access (aka nothing more than what you can do on public repo) in which we invite trusted contributor as outside collaborator.
For example I invited a GSoC contributor for test purpose (should be dropped at the end of this meeting if the approach is deemed wrong):
image
Then on jupyterlab/jupyterlab#16438 (comment), the first update snapshot comment failed (she was not yet a collaborator). The second passed (she accepted the invitation).

[jtpio]

Some questions:

• what are the criteria for someone to be added to that list as outside collaborator? Should this apply to one-of contributors, or should there be a minimum number of PRs merged before someone can be added to that list?
• should there then be a team of "regular contributors", for those who often contribute but are not part of the council?
• when should someone be removed from that list?

Overall the "Read" permission is probably fine and low risk. It's more about guidelines for JupyterLab maintainers for how to manage that list.

[fcollonval]

• what are the criteria for someone to be added to that list as outside collaborator? Should this apply to one-of contributors, or should there be a minimum number of PRs merged before someone can be added to that list?

What about as soon as they open a second PR? So we don't add one shot contributors.

• should there then be a team of "regular contributors", for those who often contribute but are not part of the council?

Definitely better to use a team as it is easier to manage and to audit for security.

• when should someone be removed from that list?

That one is always tricky. We could set up a job like we do for the council with a rule like every six months, list regular contributors who haven't contribute in the last six months. Then we could remove those.

[krassowski]

Ah, I just saw that it is not only that non-members cannot invoke the update, but it cannot be invoked even by members on non-member PRs. I think this needs to be changed.

For example see: jupyterlab/jupyterlab#16341 with https://github.com/jupyterlab/jupyterlab/actions/runs/10330748123/job/28600154607