Auto add CICD label when PR author is a member or owner of flutter organization

[gmackall]

Fixes flutter/flutter#183618

[jtmcdole]

Are any of these valid:

COLLABORATOR, CONTRIBUTOR, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR, MANNEQUIN, MEMBER, NONE, OWNER

I'm not sure what COLLABORATOR vs CONTRIBUTOR

[gmackall]

I think we want MEMBER or OWNER only here, as that maps to the flutter hackers group, as I understand

[jtmcdole]

I can get some pull_request events so we can validate the collaborator field

[gmackall]

This is a slight behavior change, I made it this way because before the path for scheduling tests checked these conditions:
363e9cd#diff-4d5f5e21f5b7eda8e7775b9a678fb60bb6cfba3321799948fb2b9a55cefbe439L202-L206
And I figured it was also fine to apply those checks for the roller case. Let me know if not

[jtmcdole]

I checked the logs for the last 30 days matching the exact string:

protoPayload.line.logMessage =~ "\"author_association\":\"MEMBER\""
# or
protoPayload.line.logMessage =~ "\"author_association\":\"CONTRIBUTOR\""
# or
protoPayload.line.logMessage =~ "\"author_association\":\"OWNER\""
# or
protoPayload.line.logMessage =~ "\"author_association\":\"NONE\""

author	log count
CONTRIBUTOR	31,057
NONE	9,583
MEMBER	5,037
OWNER	0

I think we should limit this to just MEMBER. I'm assuming @Piinks can confirm that "MEMBER" is the correct 'person with write access'?

[gmackall]

I checked the logs for the last 30 days matching the exact string:

protoPayload.line.logMessage =~ "\"author_association\":\"MEMBER\""
# or
protoPayload.line.logMessage =~ "\"author_association\":\"CONTRIBUTOR\""
# or
protoPayload.line.logMessage =~ "\"author_association\":\"OWNER\""
# or
protoPayload.line.logMessage =~ "\"author_association\":\"NONE\""

author log count
CONTRIBUTOR 31,057
NONE 9,583
MEMBER 5,037
OWNER 0
I think we should limit this to just MEMBER. I'm assuming @Piinks can confirm that "MEMBER" is the correct 'person with write access'?

Yeah I figure if OWNER does matter it will matter for probably only 1 person. But I'm fine removing

[Piinks]

I am not sure that MEMBER == folks with write access. There are Flutter GitHub org members without write access

[Piinks]

Yeah, AFAICT, there are 426 people that are org members, and only 289 are flutter-hackers (our current equivalent to write access)

[gmackall]

Yeah, AFAICT, there are 426 people that are org members, and only 289 are flutter-hackers (our current equivalent to write access)

Hmm can all of those people add labels to issues? Or are labels restricted by write access?

[jtmcdole]

Ok, if that's the case, then we still need to build the "members with write access" list that I talked about before.

[Piinks]

Hmm can all of those people add labels to issues? Or are labels restricted by write access?

Currently, only folks with write access can apply labels. 'Triage' access also allows people to apply labels, but we do not use the triage role currently.

[gmackall]

When you say our "current equivalent to write access", that is mechanically enforced? I.e. there are members of https://github.com/orgs/flutter/people?query=role%3Aowner, which, if they tried, could not add labels?

I'm sort of confused how write access is conferred, is it somehow synched with an external list, or is it tied to a github property we can query?

[Piinks]

It is enforced by Github, not anything bespoke. Owners can apply labels. We don't assign roles individually, we manage them through Github teams. Owner is a special case, it is separate from the read|triage|write|maintain|admin roles Github provides for permissions management.

https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#permissions-for-each-role

I'm sort of confused how write access is conferred, is it somehow synched with an external list, or is it tied to a github property we can query?

We manage the 'write' role through the flutter-hackers Github team, which I think should be something that can be queried?

[gmackall]

It is enforced by Github, not anything bespoke. Owners can apply labels. We don't assign roles individually, we manage them through Github teams. Owner is a special case, it is separate from the read|triage|write|maintain|admin roles Github provides for permissions management.

https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#permissions-for-each-role

I'm sort of confused how write access is conferred, is it somehow synched with an external list, or is it tied to a github property we can query?

We manage the 'write' role through the flutter-hackers Github team, which I think should be something that can be queried?

It looks like we currently have logic already doing this for determining if the pr is actually approved

https://github.com/flutter/cocoon/blob/fa4caccb12b57bf8df8885ea2f7959a4431730d5/auto_submit/lib/validations/approval.dart#L49C57-L53

I will just use that logic here instead of the current author association check i have

[gmackall]

I copied this from

cocoon/auto_submit/lib/service/github_service.dart

Line 340 in fa4cacc

Future<bool> isTeamMember(String team, String user, String org) async {

as there are duplicate github_service.darts and this one did not have the method. It may be good to de-dupe these at some point

[gmackall]

I double checked that this returns the author's user, and not the user of the person interacting with the PR:
https://pub.dev/documentation/github/latest/github/PullRequest/user.html