Document the accounts that the Executable Books project uses, and share access with team members

[choldgraf]

There are a few accounts that are generic to the Executable Books project. In some cases these are controlled by a single person, in some cases we have a generic EBP username, etc. We should share access and control of these accounts, and make them person-agnostic as much as possible so that we don't create bottlenecks and low bus factors.

While we do not want to casually give out access to services that can potentially do destructive actions, we should generally follow a practice of de-bottlenecking and increasing our bus factor for critical actions like publishing. For individuals that wish to have access, and are already trusted members of the team, we should just give it out.

We should document the services that have restricted access, who has access to it, and share access with other team members that want it.

Our goal is to have at least two team members with admin access to every account here.

Organization and administration

• [email protected] (@chrisjsewell, see: Who has the password for `[email protected]`? meta#412)
• The executablebooks.org and myst.tools domain names (@choldgraf)
• The Google Drive folder (@mmcky owner, all team members have edit access)
  • @mmcky is the owner of the Google Drive folder, but this should be a generic folder instead.
• Admin access for the EBP Slack (@mmcky (owner), @choldgraf)
• Admin access for the EBP calendar (https://calendar.google.com/calendar/embed?src=s425j1984fmcs7u4cdmdmpau9o%40group.calendar.google.com&ctz=America%2FLos_Angeles)

Google Groups

• executablebooks-conduct: Used for reporting Code of Conduct violations and requests. Anybody in the internet can send messages to this group, but it is only visible to group members. Currently, the group members are the Project PIs (myself, @gregcaporaso and @jstac )
• [executablebooks-team](https://groups.go ogle.com/g/executablebooks-team): Used for private communication between team members. This should only be used to discuss topics that must be private. Anybody can post to this group, but only group members can see posts. Currently this is everybody listed on the team page here as well as @gregcaporaso .

Development

• GitHub repository access I think is fine, because we are all added on the executablebooks org

Bot accounts

• ebp-bot shared access and documentation for publishing to PyPI & NPM #10
• The ebp-bot GitHub account (https://github.com/ebp-bot)

Access across many repositories

• ReadTheDocs access across our various repositories (several people, mostly @chrisjsewell and @choldgraf )
• Our PyPI accounts (mostly a combination of @chrisjsewell and @choldgraf )
• Our npm accounts (@chrisjsewell and @rowanc1)

Social media

• @executablebooks -> @choldgraf has manager access
• @myst_tools -> @mikemorrison has manager access

Web domains

• executablebooks.org -> NameCheap, @choldgraf has ownership + @rowanc1 has manager access
• jupyterbook.org -> NameCheap, @choldgraf has ownership
• myst-tools.org -> google domains, @rowanc1 and @choldgraf has access.

[choldgraf]

ping @rowanc1 who was asking about access to the npm repository I believe

[rowanc1]

Thanks! I think at the very least we should have a project-leader/admin on all npm packages (thebe, mystjs, markdown-it-..., unified-myst) that can help out with setting up new maintainers over time.

List of the npm repos:

• thebe
• thebe-core
• mystjs
• myst-spec
• myst-demo
• markdown-it-docutils
• markdown-it-amsmath
• markdown-it-dollarmath
• markdown-it-myst-extras
• @unified-myst (team account)

[choldgraf]

Yeah I agree, the process that we roughly tend to follow in JupyterHub is that:

• Critical functions (releases, access to accounts, etc) should have at least 2 active team members with credentials
• We give out credentials on an "as-asked for" basis
• If a team member who is on the maintainers team asks for credentials, they get them without question

I think the main point is that you assume that team members can be trusted, and that the risk of a team member doing something they shouldn't is smaller than the risk of having information silos and bottlenecks of permissions.

[rowanc1]

I have turned the above npm repos into a list, and followed the guidance above (at least two project members on each).

[stevejpurves]

@choldgraf I've added you as an admin to thebe-core on npm and github.
Regarding thebe, the only maintainer there on npm is @minrk I think

[minrk]

I added @choldgraf and @stevejpurves to thebe, LMK if there's anything else you need

[choldgraf]

Many thanks @minrk and @stevejpurves / @rowanc1 for doing a round of access-sharing. I just confirmed that a bunch of people have edit access to the EBP Google Drive folder as well.

I also noticed that we have the ebp-bot to centralize access for github and pypi. What do folks think about doing this for Read the Docs and NPM as well?

Here are some next actions for myself and @chrisjsewell:

@chrisjsewell

can you please:

• provide NPM admin access to at least @rowanc1 for all of the packages listed in Document the accounts that the Executable Books project uses, and share access with team members #3 (and any missing there)
• provide log-in credentials for the ebp-bot on PyPI (https://pypi.org/user/ebp-bot/) and GitHub (https://github.com/ebp-bot)

@choldgraf

I'll tackle these:

• Share domain name / slack / calendar credentials with @jstac
• Confirm the Google Drive has multiple people w/ access
• Once we have shared access to the ebp-bot:
  - [ ] Add the ebp-bot to have permissions on the PyPI projects
  - [ ] Add the ebp-bot to have permissions on the ReadTheDocs projects
  - [ ] If folks are +1 on doing this for Read the Docs and NPM, I can do Read the Docs (maybe @rowanc1 could do NPM?)

I've also decided to create two new places for conversation for the project. Both of them are Google Groups. I've set both groups to be post-able by anybody on the internet. I think groups will be easier to provide access to many people instead of using an individual email like [email protected]. Here's a summary of each group:

• executablebooks-conduct: Used for reporting Code of Conduct violations and requests. Anybody in the internet can send messages to this group, but it is only visible to group members. Currently, the group members are the Project PIs (myself, @gregcaporaso and @jstac ). It's important to have a Code of Conduct contact that makes it clear who monitors and responds to the address. And since we have not yet designated a Code of Conduct committee, I think this group should be the project PIs for now.
  • Ref issue about this: Define a Code of Conduct team and have a dedicated email for it #2
• executablebooks-team: Used for private communication between team members. This should only be used to discuss topics that must be private. Anybody can post to this group, but only group members can see posts. Currently this is everybody listed on the team page here as well as @gregcaporaso .

I'll open up a PR to document this once we figure out the access stuff for the bots etc above.

[rowanc1]

Thanks @chrisjsewell for adding the markdown-it- repos! I think the only ones left to add are the unified-myst (https://www.npmjs.com/search?q=unified-myst) team account. That is likely something that should be shared with @choldgraf as well as that is much easier to have team administration on.

[choldgraf]

Could we use ebp-bot for centralizing access?

It occurs to me that one approach we could take here is to use ebp-bot for as much as possible as the "minimal accounts with access" requirement for all of our accounts. Then as long as the steering council always has admin access to the ebp-bot, we do not need to do a huge update every time there is churn. For example, we could use ebp-bot as the primary pusher to PyPI and the main account on all ReadTheDocs sites.

Just writing this thought down so I don't lose it. Curious what others think.

[choldgraf]

Added domain access to top comment

I added the accounts for our various web domains to the top comment, since that's another shared resource that we use. I've noted that @rowanc1 has manager access to the namecheap account as well, so that he can set up the e-mail for our new google workspace account.