Outside collaborators should be override-able at the repo-level

[pburkholder]

I understand the reasoning behind https://github.com/ossf/allstar/blob/main/pkg/policies/outside/outside.go#L70-L71

// Exemptions are only defined at the org level because they should be made
// obvious to org security managers.

But this makes AllStar hard to scale for organizations that loosely federated, and it's not possible for each product team to necessarily have their own GitHub organization. And I think the needs for org security managers might be better met by #524 which would provide some reporting about where/how overrides are occurring.

I hope next time I can open PRs instead of tickets, but trying to capture some friction points while I can.

[jeffmendoza]

but trying to capture some friction points while I can.

very much appreciated!

[pburkholder]

The ability to override pushAllowed at the repo level, but not the exempted users, is also a little confounding.

That is, I couldn't get this to work at the org-level:

exemptions:
  - user: Chris-Laurer
    repo: federal-platform-engineering-cop
    push: true
    admin: false
  - user: brianrandallfox
    repo: federal-platform-engineering-cop
    push: true
    admin: false

But I could go ahead with this is at the repo level

pushAllowed: true