Add core members to heroku and anaconda

[isuruf]

Guidelines for marking packages as broken:

• We prefer to patch the repo data (see here)
  instead of marking packages as broken. This alternative workflow makes environments more reproducible.
• Packages with requirements/metadata that are too strict but otherwise work are
  not technically broken and should not be marked as such.
• Packages with missing metadata can be marked as broken on a temporary basis
  but should be patched in the repo data and be marked unbroken later.
• In some cases where the number of users of a package is small or it is used by
  the maintainers only, we can allow packages to be marked broken more liberally.
• We (conda-forge/core) try to make a decision on these requests within 24 hours.

What will happen when a package is marked broken?

• Our bots will add the broken label to the package. The main label will remain on the package and this is normal.
• Our bots will rebuild our repodata patches to remove this package from the repodata.
• In a few hours after the anaconda.org CDN picks up the new patches, you will no longer be able to install the package from the main channel.

Checklist:

• I want to mark a package as broken (or not broken):

  • Added a description of the problem with the package in the PR description.
  • Pinged the team for the package for their input.

• I want to archive a feedstock:

  • Pinged the team for that feedstock for their input.
  • Make sure you have opened an issue on the feedstock explaining why it was archived.
  • Linked that issue in this PR description.
  • Added links to any other relevant issues/PRs in the PR description.

• I want to request (or revoke) access to an opt-in CI resource:

  • Pinged the relevant feedstock team(s)
  • Added a small description explaining why access is needed

[isuruf]

@conda-forge/core, thoughts on this? I might add other things like quay.io, dockerhub etc if this is okay. There might be security implications I haven't thought about.

[beckermr]

Definitely a good idea. I'd be happier if we moved this to a private a repo so we don't accidentally merge a random PR without thinking. We could use one of the ones we already have.

[jakirkham]

Thanks Isuru! 🙏

Agree this is a good idea

Matt's point also sounds reasonable

[jakirkham]

Thinking about this more. Would it make sense to add this info to core.csv and leverage that to update access?

[beckermr]

I don't follow that last comment @jakirkham. However I am ok with the checks just added by @isuruf.

We should add one more check that the only files modified are adding the yaml and then I'd be ok merging. This way we'll have a backup if someone attempts to modify the scripts to remove the check for core members.

[jakirkham]

Meaning that we would include our DockerHub, Quay, and Heroku handles in core.csv file and adding them there would have the effect of adding access to the different services

[jaimergp]

Suggested change

	res = requests.get(url)
	res = requests.get(url)

Suggested change

	res = requests.get(url)
	res = requests.get(url)
	res.raise_for_status()

[jaimergp]

This can be .text, I think?

Suggested change

	data = csv.reader(res.content.decode("utf-8").splitlines(), delimiter=',')
	data = csv.reader(res.text.splitlines(), delimiter=',')

[jaimergp]

Should we run check() as part of run() too?

[isuruf]

Going to use this in a private repo. See #906
Thanks everyone for the feedback.