ci: add workflow for team sync

[BethGriggs]

Triggers a sync when a TEAMS yml file is updated.

---

Note that this would rely on GITHUB_TOKEN: ${{ secrets.GH_TEAM_SYNC_TOKEN }} being created with appropriate permission to manage teams. I couldn't find a token/app used elsewhere with these permissions - but, it might be good to have a fine-grained scope for this token anyway?

[Rugvip]

Assuming the script works as expected, workflow looks good! 👍

[BethGriggs]

Any updates on the token needed for this? 🙏🏻

[Rugvip]

@BethGriggs did you verify that the current credentials don't work? I had a look at the token scopes and as far as I could find it's a classic token with org:write scope, which I think should be enough. Should we ship this and see if it works? 🤞

[BethGriggs]

Sorry, I am not sure I am following the last comment. Is the implication that secrets.GH_TEAM_SYNC_TOKEN already exists with the correct scope or is there another existing token I should use in the workflow (maybe secrets.GITHUB_TOKEN)?

Either way, the workflow is pretty minimal is it should good to ship, I think we just need to know which named secret it should use.

[Rugvip]

Ah yes ofc, was assuming that this was using the existing secret for some reason but a separate one is better for sure. GH_TEAM_SYNC_TOKEN now exists in this repo with a more narrow scope.

[Rugvip]

Ah, realized this very much won't work though since the service account doesn't have access to add and remove team members. Thinking we might need to use an app for this instead? 🤔 Not to happy having an org owner token in there either

[BethGriggs]

Hmm, do you know if that involve refactoring the script to use an app, as described in the GitHub docs - Authenticating as a GitHub app?

[Rugvip]

Yep, as far as I can tell. I've created an app and installed it and added the following secrets to this repo with corresponding values:

• BACKSTAGE_ORG_MANAGER_APPLICATION_ID
• BACKSTAGE_ORG_MANAGER_INSTALLATION_ID
• BACKSTAGE_ORG_MANAGER_PRIVATE_KEY

Here's another place where we set up auth in workflows using app credentials: https://github.com/backstage/actions/blob/b3c1841fd69e1658ac631afafd0fb140a2309024/lib/createAppClient.ts#L3

[awanlin]

Hi @BethGriggs, will you be able to pick this up or do you want us to find someone else to keep it moving forward?

[vinzscam]

I'm taking this forward as this could help us a lot

[BethGriggs]

Hey, sorry for going quiet while changing companies.

I happened to just learn about https://github.com/cncf/people?tab=readme-ov-file#configyaml-configures-cncf-org-repository-access, which looks like a more feature complete way of managing both groups and repository access as YAML. Just dropping a note in case using something already in use by CNCF makes more sense 💡 .