Merge pull request #1728 from Kobzol/remove-admin

marcoieni · web-flow · commit a5854b91e1d3 · 2025-03-27T16:22:48.000Z
Forbid admin permissions
diff --git a/repos/rust-lang/crates.io-index-archive.toml b/repos/rust-lang/crates.io-index-archive.toml
@@ -4,7 +4,7 @@ description = "Archive of the crates.io-index commit history after squashes"
 bots = []
 
 [access.teams]
-crates-io = "admin"
+crates-io = "maintain"
 
 [[branch-protections]]
 pattern = "snapshot-*"
diff --git a/repos/rust-lang/sync-team.toml b/repos/rust-lang/sync-team.toml
@@ -5,7 +5,7 @@ bots = []
 
 [access.teams]
 infra = "write"
-infra-admins = "admin"
+infra-admins = "maintain"
 
 [[branch-protections]]
 pattern = "master"
diff --git a/repos/rust-lang/www.rust-lang.org.toml b/repos/rust-lang/www.rust-lang.org.toml
@@ -5,8 +5,8 @@ homepage = "https://www.rust-lang.org"
 bots = ["rustbot"]
 
 [access.teams]
-# Admin is needed for integrating with external services, e.g. Pontoon
-website = "admin"
+# Maintain is needed for integrating with external services, e.g. Pontoon
+website = "maintain"
 
 [[branch-protections]]
 pattern = "master"
diff --git a/src/validate.rs b/src/validate.rs
@@ -1,6 +1,8 @@
 use crate::data::Data;
 use crate::github::GitHubApi;
-use crate::schema::{Bot, Email, MergeBot, Permissions, Team, TeamKind, TeamPeople, ZulipMember};
+use crate::schema::{
+    Bot, Email, MergeBot, Permissions, RepoPermission, Team, TeamKind, TeamPeople, ZulipMember,
+};
 use crate::zulip::ZulipApi;
 use anyhow::{bail, Error};
 use log::{error, warn};
@@ -51,6 +53,7 @@ static CHECKS: &[Check<fn(&Data, &mut Vec<String>)>] = checks![
     validate_repos,
     validate_branch_protections,
     validate_member_roles,
+    validate_admin_access,
     validate_website,
 ];
 
@@ -1024,6 +1027,40 @@ fn validate_member_roles(data: &Data, errors: &mut Vec<String>) {
     );
 }
 
+/// Validate that admin access is not used anywhere
+fn validate_admin_access(data: &Data, errors: &mut Vec<String>) {
+    wrapper(data.all_repos(), errors, |repo, errors| {
+        wrapper(repo.access.teams.iter(), errors, |(team, permission), _| {
+            if let RepoPermission::Admin = permission {
+                bail!(
+                    "Repository {}/{} uses `admin` permission for team `{team}`",
+                    repo.org,
+                    repo.name
+                );
+            } else {
+                Ok(())
+            }
+        });
+        wrapper(
+            repo.access.individuals.iter(),
+            errors,
+            |(member, permission), _| {
+                if let RepoPermission::Admin = permission {
+                    bail!(
+                        "Repository {}/{} uses `admin` permission for member `{member}`",
+                        repo.org,
+                        repo.name
+                    );
+                } else {
+                    Ok(())
+                }
+            },
+        );
+
+        Ok(())
+    });
+}
+
 /// We use Fluent ids which are lowercase alphanumeric with hyphens.
 fn ascii_kebab_case(s: &str) -> bool {
     s.chars()
diff --git a/tests/static-api/_expected/v1/repos.json b/tests/static-api/_expected/v1/repos.json
@@ -9,7 +9,7 @@
       "teams": [
         {
           "name": "foo",
-          "permission": "admin"
+          "permission": "maintain"
         }
       ],
       "members": [],
@@ -42,7 +42,7 @@
       "teams": [
         {
           "name": "foo",
-          "permission": "admin"
+          "permission": "maintain"
         }
       ],
       "members": [],
diff --git a/tests/static-api/_expected/v1/repos/archived_repo.json b/tests/static-api/_expected/v1/repos/archived_repo.json
@@ -7,7 +7,7 @@
   "teams": [
     {
       "name": "foo",
-      "permission": "admin"
+      "permission": "maintain"
     }
   ],
   "members": [],
diff --git a/tests/static-api/_expected/v1/repos/some_repo.json b/tests/static-api/_expected/v1/repos/some_repo.json
@@ -7,7 +7,7 @@
   "teams": [
     {
       "name": "foo",
-      "permission": "admin"
+      "permission": "maintain"
     }
   ],
   "members": [],
diff --git a/tests/static-api/repos/archive/test-org/archived_repo.toml b/tests/static-api/repos/archive/test-org/archived_repo.toml
@@ -4,7 +4,7 @@ description = "An archived repo!"
 bots = []
 
 [access.teams]
-foo = "admin"
+foo = "maintain"
 
 [[branch-protections]]
 pattern = "master"
diff --git a/tests/static-api/repos/test-org/some_repo.toml b/tests/static-api/repos/test-org/some_repo.toml
@@ -4,7 +4,7 @@ description = "A repo!"
 bots = []
 
 [access.teams]
-foo = "admin"
+foo = "maintain"
 
 [[branch-protections]]
 pattern = "master"

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`"teams": [`
`10`	`10`	`{`
`11`	`11`	`"name": "foo",`
`12`		`- "permission": "admin"`
	`12`	`+ "permission": "maintain"`
`13`	`13`	`}`
`14`	`14`	`],`
`15`	`15`	`"members": [],`
`@@ -42,7 +42,7 @@`
`42`	`42`	`"teams": [`
`43`	`43`	`{`
`44`	`44`	`"name": "foo",`
`45`		`- "permission": "admin"`
	`45`	`+ "permission": "maintain"`
`46`	`46`	`}`
`47`	`47`	`],`
`48`	`48`	`"members": [],`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`"teams": [`
`8`	`8`	`{`
`9`	`9`	`"name": "foo",`
`10`		`- "permission": "admin"`
	`10`	`+ "permission": "maintain"`
`11`	`11`	`}`
`12`	`12`	`],`
`13`	`13`	`"members": [],`