Declarative GitHub configuration tool #310

Open
zimbatm opened this issue Nov 21, 2023 · 2 comments

@zimbatm
Member

zimbatm commented Nov 21, 2023

Is your feature request related to a problem? Please describe.

The GitHub permission model is not fine-grained enough. Only org owners can change settings everywhere. This means that the infra team either all get org owner and have the power to take over or delete the org (I'm thinking if their account gets hacked, for example), or they can't handle all of the requests that teams have.

Clicking around in the GitHub UI is also a bad thing. There are too many opportunities to mess things up by mistake. And the changes are not visible to everybody so it can take a while to know what changed.

Describe the solution you'd like

I would like us to deploy a tool that can run and apply configuration declared in a public repo.

It could be as simple as a bunch of Terraform code using the GitHub provider, and executed by GitHub Actions.

Or we deploy something like https://github.com/uwu-tools/peribolos

Describe alternatives you've considered

Giving all the admins org owner, with the caveat listed above.

Additional context

This has been a recurring issue. See for example:

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/policy-change-pushing-to-protected-branches-is-now-blocked/31719/23

@zimbatm
Member Author

zimbatm commented Feb 11, 2024

POC: #360
