This is adapted from a doc written by David Launikitis that also discussed changes to GitHub permissions within the org.
Organization Permissions
Leadership
Officers and Head of Engineering should be assigned ‘admin’ permissions on the organization. Although this won’t be needed on a day-to-day basis, organization admins are able to modify anything on the
Other Members and Contributors
Other contributors should be invited to the GitHub organization with ‘read’ permissions. Alumni/inactive contributors can remain as org members as this only assigns read privileges to repos.
todo: only org admins have the permissions to do this and we need a way for project leads to add people to the github organization. David and I discussed creating a Discord bot to do this. We could also set up a small web server to handle webhook payloads from GitHub whenever a user gets added to a team and automatically invite them to the org
Project Repository Permissions
GitHub teams are used to manage permissions for projects.
Contributors should not be directly added to project repositories. Using teams exclusively to manage permissions makes it easier for us to see what levels of access a given person has. It also makes it easier to keep the permissions up to date as people stop contributing/join teams, or as new repos are added for a specific project.
Project Teams
<project name> Lead
<project name> Contributors
<project name> Maintainers
<project name> Reviewers
This team does not add any permissions to a given user. Members of this team are automatically assigned as reviewers via a repo’s CODEOWNER’s file (see the Code Reviews and Branch Protection section for more details)
todo: copy reviewer team settings from planner pr reviewer
The project lead should have admin privileges on all the teams, allowing a lead to assign members to their teams. This needs to be explicitly set on the parent project team and the child teams since an admin of a parent team doesn't automatically become an admin on child teams.