# Github policy draft proposal v1
After reviewing Github features & permissions, I propose we adopt the following policy for managing the `Cosmoscontracts` Github Organization (Org) and its Repositories (Repos).
- **Transparency & Collaboration**:
  1. [ ] Juno Development Department (Dev Dep) maintains a public & versioned `Github Settings` document containing this policy, a list of all Org members, Repo members & external collaborators, as well as roles, permissions and rules for each Repo.
  2. [ ] Any Juno stakeholder is invited to collaborate by posting issues, commenting in discussions, suggesting pull requests, or responding to RFPs, after reading this document.
  3. [ ] Dev Dep maintains a list of priorities and directs available resources accordingly.
  4. [ ] Each Dev Dep member can get `Read` access on all (private) Repos.
- **Security**:
  - [ ] **Authentication**:
    - [ ] Two-Factor-Authentication (2FA) is required at Org level;
    - [ ] commit signoffs are required on all `critical` repos.
  - [ ] **Vulnerability reporting & prevention**:
    - [ ] every member or external collaborator must obey the security policies of upstream code Repos & maintainers unless they conflict with the Juno network's security or this policy;
    - [ ] Dev Dep should incentivize vulnerability reporting and work to harmonize security policies & define best practices across ecosystem partners;
    - [ ] #TBD implement SBOM practices where applicable ([read more](https://blog.sonatype.com/what-are-sbom-standards-and-formats)).
  - [ ] **Critical Repos & Infrastructure**:
    - [ ] Dev Dep maintains the list of Repos & Infrastructure deemed `critical` for security reasons or for the technical existence & correct functioning of Juno;
    - [ ] whenever `critical` infrastructure's maintenance, control or ownership is not defined on-chain, Dev Dep must identify its maintainers, controllers or owners;
    - [ ] Dev Dep defines appropriate Github Rulesets, Moderation options, and Code analysis tools to protect the `critical` code, or appoints `critical` repo maintainers to do so;
    - [ ] `critical` repos must have private vulnerability reporting enabled;
    - [ ] `critical` repos must have at least 3 people among `CODEOWNERS`, Code reviewers, or Maintainers, each with a signed Service Level Agreement (SLA).
- **Maintenance**:
  - [ ] **Ownership & Accountability**:
    - [ ] every asset included in a Repo under the Org is owned by Juno Commonwealth, unless specified differently in the containing folder's `LICENSE` file;
    - [ ] Dev Dep defines the list of acceptable licenses and the default one, and requires explicit approval for licensing changes and exceptions;
    - [ ] at least 3 Org owners are required and are responsible for applying this policy;
    - [ ] at least 2 Org owners must be Juno Development Department members;
    - [ ] at least 1 Org owner must be a Juno Operations Department member;
    - [ ] Org membership and external collaborators must be approved by Dev Dep.
  - [ ] **Documentation & Moderation**:
    - [ ] Dev Dep ensures every Repo has appropriate documentation;
    - [ ] Dev Dep can define Github Moderation options for each Repo or appoint an additional Repo member with the `Triage` role;
    - [ ] every Repo can specify additional policies in its main folder's `SECURITY.md`, `CONTRIBUTING.md`, and `CODE_OF_CONDUCT.md` files, as long as they are approved by Dev Dep and don't override this policy.
  - [ ] **Compensation & Transitions**:
    - [ ] require Org owners to have a vesting interest in Juno;
    - [ ] require Org owners to have vesting contracts managed by Juno x/gov or Council governance proposals to ensure long-term interest alignment;
    - [ ] Dev Dep must regularly review & notify the status of Repos, archive or delete unmaintained Repos and retire their external collaborators;
    - [ ] Dev Dep identifies any `critical` dependency on physical infrastructure which is not controlled by active Juno Validators or subject to SLAs, and finds temporary substitutions while defining a long-term solution;
    - [ ] every compensation for the development or maintenance of assets under the Github Org, or that depends on contributions to its Repos, must be approved by Dev Dep or Juno Commonwealth;
    - [ ] every Council budget must include proper resources to cover agreements with Org owners & `critical` Repos & Infrastructure maintainers and their eventual transition periods.
## Transition proposal
### Current Members
| # | Current member | Current Role | Action/New role | Reasoning | Note / next step |
|---|----------------|--------------|-----------------|-----------|------------------|
| 1 | blockcreators | Owner | Remove from Org | No activity | |
| 2 | dimiandre | Owner | Keep as Owner | Active, Ops Dep, vesting | |
| 3 | JakeHartnell | Owner | Keep as Owner | Active, Dev Dep, vesting | |
| 4 | blockpane | Member | Remove from Org | No activity | |
| 5 | giansalex | Member | Remove from Org | No activity on Juno, COI | Contact for potential collab. as ext. member |
| 6 | Highlander-maker | Member | Keep as Member | Active, Comms Dep & Council Rep | |
| 7 | jackzampolin | Member | Remove from Org | No activity on Juno, COI | |
| 8 | joeabbey | Member | Remove from Org | No activity on Juno | Contact for potential collab. as ext. member |
| 9 | kopeboy | Member | Keep as Member | Dev Dep, active | |
| 10 | nullmames | Member | Remove from Org | No activity on Juno | Contact for potential collab. as ext. member |
| 11 | orkunkl | Member | Reinstate as ext. collab. | Active on ecosystem, interested in Juno | Define potential collab. as ext. member |
| 12 | poroburu | Member | Keep as Member | Dev Dep, active | |
| 13 | the-frey | Owner | Remove from Org | No activity on Juno | Contact for potential collab. as ext. member |
| 14 | toschdev | Member | Remove from Org | No activity on Juno | Contact for potential collab. as ext. member |
| 15 | vuong177 | Member | Remove from Org | No activity on Juno | Contact for potential collab. as ext. member |
| 16 | Wolfcontract | Owner | Remove from Org | No activity | |
| 17 | zmanian | Member | Remove from Org | No activity on Juno | Contact for potential collab. as ext. member |
### New members
TBD, e.g. should we add Ray & andreGo (Dev Dep members)?
## Github Settings example
### Organization
| Member | Role | Note |
| -------- | -------- | -------- |
| Jake|`Owner`| Has Core-1 genesis vesting|
| Dimi|`Owner`| Has Core-1 genesis vesting|
| Member 1|`Owner`| To Be Defined|
| Member 2|`Member`| To Be Removed|
| Member 3|`Member`| To Be Decided|
| Member 4|`Member`| To Be Added|
| Member 5|`Member`| Can Be Added|
#### Allowed Licenses #TBRev:
`Apache License 2.0` (default), `CC BY-SA 4.0`, `CC BY 4.0`, `CC0 1.0`.
#### Organization settings #TBRev:
- **Base permissions** = 📖 `Read`: the minimum permissions (role) granted to all members that will be added to repos
- **Public Repo creation** = ✅ `ON`: allow any Org member to create public repos (non-org collaborators can never create repos)
- **Private Repo creation** = ❌ `OFF`: do NOT allow any Org member to create private repos (can't be enabled without also enabling the public repo creation permission above)
- **Private Repo forking** = ❌ `OFF`: forking is only allowed on public repositories (can be changed per repo)
- **Repository discussion** = ✅ `ON`: allow Repo **readers** to create discussions
- **Projects base permissions** = 🚫 `No Access`: any Org member can see only public projects (more perms can be given as part of a team or as collaborator)
- **Public Pages creation** = ❌ `OFF`: members cannot publish a website from a Repo's code (even if the Repo is private)
- **Integration access requests** = ❌ `OFF`: do NOT allow non-member collaborators to request access to the Org & its resources for GitHub or OAuth apps
- **Repository visibility change** = ❌ `OFF`: only Org owners can change repos' visibility
- **Repository deletion and transfer** = ❌ `OFF`: only Org owners can delete or transfer repos
- **Team creation** = ✅ `ON`: allow any member of the Org to create new teams
- **Private vulnerability reporting** = ✅ `Automatically enable`: allow the community to privately report potential security vulnerabilities to maintainers and repository owners
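As an added example (not part of this proposal), the following script audits the subset of the settings above that the GitHub REST API exposes in the `GET /orgs/{org}` response (`two_factor_requirement_enabled`, `default_repository_permission`, `members_can_create_*` and `members_can_fork_private_repositories` are the documented field names; the remaining settings, such as discussions, projects base permission, visibility change and team creation, must be verified in the web UI). The org object is a constructed sample standing in for the JSON an Org owner token would receive.

```python
"""Audit a GitHub Org's settings against the policy above (added example, not part of the proposal)."""
import json

# Expected values, keyed by the field names GET /orgs/{org} returns to an Org owner.
# Only settings the REST API exposes are listed; the others must be checked in the UI.
POLICY = {
    "two_factor_requirement_enabled": True,        # Security > Authentication: 2FA at Org level
    "default_repository_permission": "read",       # Base permissions = Read
    "members_can_create_public_repositories": True,   # Public Repo creation = ON
    "members_can_create_private_repositories": False, # Private Repo creation = OFF
    "members_can_fork_private_repositories": False,   # Private Repo forking = OFF
    "members_can_create_public_pages": False,         # Public Pages creation = OFF
}


def audit_org_settings(org):
    """Return a list of (field, expected, actual) findings; an empty list means compliant.

    A field the token cannot see (e.g. a non-owner token) shows up as actual=None,
    so a missing value is reported as a finding rather than silently passing.
    """
    findings = []
    for field, expected in POLICY.items():
        actual = org.get(field)
        if actual != expected:
            findings.append((field, expected, actual))
    return findings


def patch_body(findings):
    """Build the JSON body for PATCH /orgs/{org} that would fix the reported findings.

    Assumption: the 2FA requirement is not settable through this endpoint and is
    left out so it is handled from the Org's security settings page instead.
    """
    return {field: expected for field, expected, _ in findings
            if field != "two_factor_requirement_enabled"}


# Constructed sample: a hypothetical org object before the policy is applied.
SAMPLE_ORG = json.loads("""{
  "login": "example-org",
  "two_factor_requirement_enabled": false,
  "default_repository_permission": "write",
  "members_can_create_public_repositories": true,
  "members_can_create_private_repositories": true,
  "members_can_fork_private_repositories": false
}""")

if __name__ == "__main__":
    for field, expected, actual in audit_org_settings(SAMPLE_ORG):
        print(f"{field}: expected {expected!r}, got {actual!r}")
    print("PATCH body:", json.dumps(patch_body(audit_org_settings(SAMPLE_ORG))))
```

Note that `members_can_create_public_pages` is absent from the sample, so it is flagged with `None` rather than assumed compliant.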
### Critical Repos & Infrastructure
| Repo | Triage | Write | Maintain | Code owners | Moderation| Rulesets|
| ------- | ------- | ------- | ------- | ------- | ------ | ------ |
| `juno`|Member 1, Member 2|Member 3, Member 4|Member 5|Member 6, Member 7, Member 8| <ul><li>❌ No interaction limit</li><li>✅ Limit code reviews</li></ul>| Main branch (no bypass): <ul><li>✅ Require signed commits</li><li>✅ Block force pushes</li></ul>|
- [ ] `mainnet`: #TBD
- [ ] `testnets`: #TBD
- [ ] `docs`: #TBD (currently under junonetwork.io domain and not on Github)
- [ ] `junonetwork.io` domain: #TODO identify maintainers
- [ ] `junonetwork.io` hosting: #TODO identify maintainers
- [ ] `junonetwork.io` codebase: #TODO migrate to Github
### Other Repos
#TODO define status & rationalize
- `tokenfactory-contracts`:
- `tokenfactory-ui`:
- `multisig-scripts`:
- `juno-ts`:
- `...`