# Policy based actions for PAAC

## Goal

Let PAAC actions and access be driven by groups of people as defined on the Git platforms (i.e. GitHub teams) instead of all or nothing.

## Description

PAAC currently lets anyone run a PipelineRun as long as they are a member of the GitHub organisation or a contributor of the repository where the pull request runs. It also lets users issuing a `/ok-to-test` or `/retest` allow non-contributors to run the tests.

## Problem

In a large organisation, not everyone can be trusted on every repository to run the CI or to let someone else run the CI. Managing the groups of allowed users is easier to do in the GitHub interface.

## Proposal

Add a new `policy` field under `settings` in the Repository CR:

```yaml
spec:
  settings:
    policy:
```

with different actions bound to a list of groups. The actions are:

* `run-ci-pull-request`: only this group of users can run the CI on pull requests.
* `run-ci-pull-push`: only this group of users can run the CI on push.
* `ok-to-test`: only this group of users can run the `ok-to-test` command.
* `remote-fetch`: only this group of users can remotely fetch from annotations on a PipelineRun using PAAC annotations.
* `provenance-from-commit`: the PipelineRun definition is allowed to be fetched from the commit.

A complete example would be:

```yaml
apiVersion: "pipelinesascode.tekton.dev/v1alpha1"
kind: Repository
metadata:
  name: example
  namespace: ns
spec:
  url: "https://gitlab.com/org/repo"
  settings:
    policy:
      ok-to-test:
        - Admin
        - OkToTest
      provenance-from-commit:
        - Admin
```

In this example, users who are in the `Admin` or `OkToTest` groups can run `/ok-to-test` and `/retest`. If the user sending a pull request is in the `Admin` group, the CI will run on the pull request and the definition will be taken from the commit.

The default behaviour for each action is as documented for PAAC.
## Implementation

GitHub teams can be listed on GitHub with a GitHub App token on the organisation with this API call: https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28. Example:

```
% export GH_TOKEN=$GITHUB_APPS_TOKEN
% gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /orgs/openshift-pipelines/teams/pipeline-as-code/members -q '.[].login'
vdemeester
chmouel
concaf
savitaashture
piyush-garg
```

## Further improvement

- We may allow group negation, i.e. to express something like this:
  - every user in the `Admin` group is allowed to run this action unless they are also part of the `Negligent` group.
- We may make this feature global instead of just per Repository.
- We may want to find a way to disable actions (although only allowing an unknown group for the action would do the job).
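As an added example, not PAAC's own code, the following Go snippet evaluates the `policy` block from the Proposal against team membership of the kind returned by the teams API call in the Implementation section. The `Evaluate` function, the `Decision` type and the `Membership` fixture are assumptions for illustration, and the logins in it are constructed.

```go
package main

import "fmt"

// Policy mirrors spec.settings.policy in the Repository CR: action name -> GitHub team slugs.
type Policy map[string][]string

// Membership maps a login to its team slugs; PAAC would fill it from the teams API, here it is a constructed fixture.
type Membership map[string][]string

// Decision is the result of checking one action for one user.
type Decision int

const (
	NoPolicy Decision = iota // action not listed under policy: keep PAAC's default behaviour
	Denied                   // action listed, but the user is in none of its teams
	Allowed                  // user is in at least one listed team
)

func (d Decision) String() string { return []string{"no-policy", "denied", "allowed"}[d] }

// Evaluate checks user against the teams listed for action. An empty list or an
// unknown team slug matches nobody, which effectively disables the action.
func Evaluate(p Policy, m Membership, action, user string) Decision {
	teams, configured := p[action]
	if !configured {
		return NoPolicy
	}
	for _, allowed := range teams {
		for _, have := range m[user] {
			if have == allowed { // exact slug match, as returned by the teams API
				return Allowed
			}
		}
	}
	return Denied
}

func main() {
	// The policy block from the Repository example above.
	policy := Policy{"ok-to-test": {"Admin", "OkToTest"}, "provenance-from-commit": {"Admin"}}
	// Constructed membership standing in for the GitHub API response.
	members := Membership{"alice": {"Admin"}, "bob": {"OkToTest"}}
	for _, c := range [][2]string{
		{"ok-to-test", "bob"}, {"provenance-from-commit", "bob"},
		{"provenance-from-commit", "alice"}, {"run-ci-pull-request", "carol"},
	} {
		fmt.Printf("%-22s %-5s -> %s\n", c[0], c[1], Evaluate(policy, members, c[0], c[1]))
	}
}
```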