Synchronize team membership / permissions

This actions reads in a teams.yaml file which specifies team membership and permission. It then synchronizes that with GitHub, making changes as necessary.

Note that it only touches teams that are specified in the teams.yaml. In other words, if a team is deleted from the YAML file, the synchronization script won't do anything about it (it has no knowledge of history).

Using the action

In the repository that contains your teams.yaml, add .github/workflows/sync-teams.yaml:

name: Teams
on:
  push:
    branches:
      - main

jobs:
  sync_teams:
    name: Sync
    runs-on: ubuntu-latest
    steps:
      - name: Checkout teams list
        uses: actions/checkout@v3
        with:
          ref: main

      - uses: scientific-python/sync-teams-action@main
        with:
          token: ${{ secrets.SYNC_TEAMS_TOKEN }}

You will also need to set SYNC_TEAMS_TOKEN as a repository secret. See the token section below.

`teams.yaml` format

- name: SPEC Steering Committee
  description:
  members:
    - stefanv
    ...
  permissions:
    - repo: specs
      role: maintain

- name: Community Managers
  description: Scientific Python Community Managers
  members:
    - stefanv
    ...
  permissions:
    - repo: specs
      role: triage

Valid roles are:

read: Recommended for non-code contributors who want to view or discuss your project.
triage: Recommended for contributors who need to proactively manage issues, discussions, and pull requests without write access.
write: Recommended for contributors who actively push to your project.
maintain: Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
admin: Recommended for people who need full access to the project, including sensitive and destructive actions like managing security or deleting a repository.

Action output

After the action is run, you will see its output in the workflow summary.

Child teams permissions

Setting repo permissions for child teams is not supported.

Token

The script requires a classic token with repo and admin:org permissions, exported as a GH_TOKEN environment variable.

A token can be created at:

https://github.com/settings/tokens/new

Initial creation of `teams.yaml`

Existing team membership can be downloaded from GitHub using:

sync-teams-to-gh.py --download > teams.yaml

Revoking team access from repo

Set role to None:

  permissions:
    - repo: myrepo
      role:

Name		Name	Last commit message	Last commit date
Latest commit History 39 Commits
.github		.github
.git-blame-ignore-revs		.git-blame-ignore-revs
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
LICENSE		LICENSE
README.md		README.md
action.yaml		action.yaml
sync-teams-to-gh.py		sync-teams-to-gh.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Synchronize team membership / permissions

Using the action

`teams.yaml` format

Action output

Child teams permissions

Token

Initial creation of `teams.yaml`

Revoking team access from repo

About

Uh oh!

Uh oh!

Contributors 6

Uh oh!

Languages

License

scientific-python/sync-teams-action

Folders and files

Latest commit

History

Repository files navigation

Synchronize team membership / permissions

Using the action

teams.yaml format

Action output

Child teams permissions

Token

Initial creation of teams.yaml

Revoking team access from repo

About

Resources

License

Code of conduct

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Uh oh!

Contributors 6

Uh oh!

Languages

`teams.yaml` format

Initial creation of `teams.yaml`