Problems
- github-mgmt YAML files can be unwieldy in part because of archived repos (see Remove clutter resulting from archived repos #115). One of the reasons is that the archived repos still have access permissions listed.
- Archived repos that have users/teams associated can be a security vulnerability. If a malicious (likely compromised) repo admin unarchives it, they could introduce bugs, vulnerabilities, etc.
Ideas
- When archiving a repo, remove all direct repo permissions (members and teams). In order to unarchive, someone would need to unarchive and add permissions through github-mgmt. In addition to reducing clutter while in an archived state, this is good because it gives clear visibility to a significant repo event (e.g., unarchiving).
- In addition to doing things like removing repo permissions, I could imagine doing other actions like moving the repo to a separate YAML file as discussed in Remove clutter resulting from archived repos #115.
- Even if one doesn't want this to be an automated step, this could be a one-off script/check that somebody runs. I assume a backfill operation of "remove permissions from archived repos" requires some sequencing though in that it would need to first be unarchived, have the permissions removed, and then be archived.
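As an added illustration of the one-off check/script idea above (this is example code written for this page, not github-mgmt's own code), the snippet below assumes the github-mgmt YAML has already been loaded into a dict with a `repositories` map whose entries carry `archived`, `collaborators` and `teams` keys; the real file layout may use different key names, so `PERMISSION_KEYS` and the sample config are assumptions. It strips direct permissions from archived repos while recording an audit trail of what was removed, emits the unarchive / remove / re-archive ordering the backfill needs (GitHub treats an archived repo as read-only, including its collaborator settings), and provides a check that CI can run to flag archived repos that still carry permissions.

```python
"""Strip direct permissions from archived repos in a github-mgmt style config.

Assumed config shape (not taken from the issue or from github-mgmt itself):
{"repositories": {name: {"archived": bool,
                         "collaborators": {permission: [logins]},
                         "teams": {permission: [team-slugs]}}}}
In practice the dict would come from yaml.safe_load() on the org YAML file.
"""
import copy

# Keys that hold direct repository grants in the assumed schema.
PERMISSION_KEYS = ("collaborators", "teams")

# Constructed sample config; the repo, user and team names are made up.
SAMPLE_CONFIG = {
    "repositories": {
        "active-lib": {
            "archived": False,
            "collaborators": {"push": ["bob"]},
            "teams": {"maintain": ["core"]},
        },
        "old-tool": {
            "archived": True,
            "collaborators": {"admin": ["alice"]},
            "teams": {"push": ["core"]},
        },
        "archived-empty": {"archived": True},
    }
}


def strip_archived_permissions(config):
    """Return (new_config, audit) with all direct grants removed from archived repos.

    The audit list records every removed grant so the change is reviewable in
    the PR that applies it, which is the visibility the issue asks for.
    """
    new_config = copy.deepcopy(config)
    audit = []
    for name, repo in new_config.get("repositories", {}).items():
        if not repo.get("archived", False):
            continue
        for key in PERMISSION_KEYS:
            grants = repo.pop(key, None)
            if not grants:
                continue
            for permission, principals in grants.items():
                for principal in principals:
                    audit.append({"repo": name, "kind": key,
                                  "permission": permission, "principal": principal})
    return new_config, audit


def plan_backfill(config):
    """Order the API operations for a backfill over already-archived repos.

    An archived repo is read-only on GitHub, so its grants cannot be changed in
    place: each affected repo is unarchived, cleaned, then archived again.
    """
    steps = []
    for name, repo in config.get("repositories", {}).items():
        has_grants = any(repo.get(key) for key in PERMISSION_KEYS)
        if repo.get("archived", False) and has_grants:
            steps.extend([(name, "unarchive"),
                          (name, "remove_permissions"),
                          (name, "archive")])
    return steps


def check_no_archived_permissions(config):
    """CI-style check: names of archived repos that still carry direct grants."""
    return sorted(
        name
        for name, repo in config.get("repositories", {}).items()
        if repo.get("archived", False)
        and any(repo.get(key) for key in PERMISSION_KEYS)
    )


if __name__ == "__main__":
    cleaned, removed = strip_archived_permissions(SAMPLE_CONFIG)
    for entry in removed:
        print("removed", entry)
    for step in plan_backfill(SAMPLE_CONFIG):
        print("step", step)
    print("still violating:", check_no_archived_permissions(cleaned))
```

Running the check against the committed YAML in CI (failing when the returned list is non-empty) turns the idea into a standing guardrail rather than a one-time cleanup, and the audit records give reviewers a concrete list of who lost which access when a repo was archived.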