fix: grant FilOzzy admin access for security reports#47

Merged: BigLep merged 1 commit into master from phi/add-filozzy-security-admins on Jun 11, 2026

@rjan90 rjan90 commented Jun 11, 2026

Contributor

Summary

  • Grant FilOzzy admin access on the FilOzone repos covered by the FOC security reporting policy.
  • Move FilOzzy from lower repository permissions to admin where it was already present.

Why

Private vulnerability report notifications are sent to repository administrators/security managers with the right notification settings. FilOzzy routes to the shared infra inbox, giving us a shared fallback notification path for reports.

Ref: FilOzone/tpm-utils#16 (comment)

@github-actions

Contributor

Before merge, verify that all the following plans are correct. After merge, Apply will regenerate the plans from the merged commit and continue only if they match.

Terraform plans

FilOzone
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # github_repository_collaborator.this["dealbot:filozzy"] must be replaced
-/+ resource "github_repository_collaborator" "this" {
      ~ id                          = "dealbot:FilOzzy" -> (known after apply)
      + invitation_id               = (known after apply)
      ~ permission                  = "push" -> "admin" # forces replacement
      + permission_diff_suppression = false
        # (2 unchanged attributes hidden)
    }

  # github_repository_collaborator.this["filecoin-pay:filozzy"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "filecoin-pay"
      + username                    = "FilOzzy"
    }

  # github_repository_collaborator.this["filecoin-services:filozzy"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "filecoin-services"
      + username                    = "FilOzzy"
    }

  # github_repository_collaborator.this["pdp:filozzy"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "pdp"
      + username                    = "FilOzzy"
    }

  # github_repository_collaborator.this["sessionkeyregistry:filozzy"] will be created
  + resource "github_repository_collaborator" "this" {
      + id                          = (known after apply)
      + invitation_id               = (known after apply)
      + permission                  = "admin"
      + permission_diff_suppression = false
      + repository                  = "SessionKeyRegistry"
      + username                    = "FilOzzy"
    }

  # github_repository_collaborator.this["synapse-sdk:filozzy"] must be replaced
-/+ resource "github_repository_collaborator" "this" {
      ~ id                          = "synapse-sdk:FilOzzy" -> (known after apply)
      + invitation_id               = (known after apply)
      ~ permission                  = "push" -> "admin" # forces replacement
      + permission_diff_suppression = false
        # (2 unchanged attributes hidden)
    }

Plan: 6 to add, 0 to change, 2 to destroy.

@github-actions

Contributor

The following access changes will be introduced as a result of applying the plan:

Access Changes
User filozzy:
  - will have the permission to dealbot change from push to admin
  - will have the permission to synapse-sdk change from push to admin
  - will gain admin permission to filecoin-pay
  - will gain admin permission to filecoin-services
  - will gain admin permission to pdp
  - will gain admin permission to sessionkeyregistry
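
The pre-merge verification requested above can be automated as a check that every permission escalation in the plan is one the PR intends. This is an added example, not part of the PR or the FilOzone tooling; it assumes the plan is available in `terraform show -json` form, and the sample plan, `example-repo`, `example-user` and `other-user` are constructed.

```python
import json

RANK = {"pull": 0, "triage": 1, "push": 2, "maintain": 3, "admin": 4}
# Repositories the PR intends to change, taken from the access-change list above.
EXPECTED_REPOS = {"dealbot", "synapse-sdk", "filecoin-pay", "filecoin-services",
                  "pdp", "sessionkeyregistry"}

def access_escalations(plan_json):
    """Return (repo, user, old, new) for every collaborator whose permission rises."""
    found = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "github_repository_collaborator":
            continue
        before, after = rc["change"].get("before"), rc["change"].get("after")
        if after is None:  # pure delete: access is removed, nothing to escalate
            continue
        old = before["permission"] if before else None
        new = after["permission"]
        # Unknown (custom) role names are treated as escalations so a human looks.
        if old is None or RANK.get(new, 99) > RANK.get(old, -1):
            found.append((after["repository"].lower(), after["username"].lower(), old, new))
    return sorted(found, key=lambda e: e[:2])

def unexpected(escalations, user="filozzy", repos=EXPECTED_REPOS):
    """Escalations that are not the single user/repo set the PR describes."""
    return [e for e in escalations if e[1] != user or e[0] not in repos]

def _rc(repo, user, old, new):
    """Build one constructed resource_changes entry (sample data only)."""
    state = lambda perm: {"repository": repo, "username": user, "permission": perm}
    return {"type": "github_repository_collaborator",
            "change": {"actions": ["delete", "create"] if old else ["create"],
                       "before": state(old) if old else None, "after": state(new)}}

# Constructed sample: three changes mirroring the plan above, one unexpected
# grant and one downgrade (example-repo and both example users are invented).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("dealbot", "FilOzzy", "push", "admin"),
    _rc("pdp", "FilOzzy", None, "admin"),
    _rc("SessionKeyRegistry", "FilOzzy", None, "admin"),
    _rc("example-repo", "example-user", None, "admin"),
    _rc("example-repo", "other-user", "admin", "push"),
]})

if __name__ == "__main__":
    for repo, user, old, new in unexpected(access_escalations(SAMPLE_PLAN)):
        print(f"UNEXPECTED: {user} on {repo}: {old or 'none'} -> {new}")
```

A non-empty result from `unexpected` is a reason to hold the merge until the extra grant is explained.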

@rjan90 rjan90 added this to the M4.2: mainnet GA milestone Jun 11, 2026
@rjan90 rjan90 moved this from 📌 Triage to 🔎 Awaiting review in FOC Jun 11, 2026
@rjan90 rjan90 self-assigned this Jun 11, 2026
@rjan90 rjan90 requested a review from BigLep June 11, 2026 07:30
@rjan90 rjan90 marked this pull request as ready for review June 11, 2026 07:30
@github-project-automation github-project-automation Bot moved this from 🔎 Awaiting review to ✔️ Approved by reviewer in FOC Jun 11, 2026
@BigLep BigLep merged commit c87defe into master Jun 11, 2026
7 checks passed
@github-project-automation github-project-automation Bot moved this from ✔️ Approved by reviewer to 🎉 Done in FOC Jun 11, 2026