authz: faster repository permissions syncing via GitHub webhook
Created by: unknwon
Using webhooks would let us detect changes to repository permissions faster and would not consume API rate limit quota.
For GitHub, we care about the following events (the engineering owner will decide the final list):
- Collaborator add, remove, or changed
- Visibility changes
- Repositories
- Team adds
Our handler should work for both org- and repo-level webhooks.
IIRC, the campaigns team is already using webhooks. If the spike turns out to be good, we probably can have a unified endpoint (if we haven't already) for receiving webhooks and calling different sub-handlers based on events (or letting sub-handlers subscribe to desired events). The engineering owner will decide the approach.
A similar optimization could be done for GitLab and Bitbucket Server/Cloud if this turns out to be effective and reliable.
Pairing notes from @arussellsaw and @flying-robot:
Tasks
- grok campaigns-related webhook code as a starting point
  - determine what can be reused / standardized
- document what authz-related events Git{Hub,Lab} send
  - document the contents of those events and how we use them
- handle authz events
  - support active users
  - support pending users
  - bump affected repos to head of priority queue
  - bump affected users to head of priority queue
- implement monitoring / observability (consistent logging, counters, graphs, etc.)
General Events of Interest
- collaborator added, removed, or changed
- repository visibility changed (e.g. turned private, or made public again)
- repositories added to org
- users added to org
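A sketch of the unified endpoint described above, as an added example and not code from this issue or from the Sourcegraph repo: it verifies GitHub's X-Hub-Signature-256 header before doing anything (an unauthenticated endpoint that bumps sync priority would let anyone trigger syncs), then maps the authz-relevant X-GitHub-Event names (member, repository, membership, organization) to the repos and users to bump. The SyncRequest type, HandleDelivery, and the secret and payloads in the test are assumptions made for this example.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// SyncRequest names a repo or user to bump to the head of the permissions sync queue; Kind is "repo" or "user".
type SyncRequest struct{ Kind, Name string }

// Sign computes the value GitHub sends in X-Hub-Signature-256 for a webhook secret and raw body.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// HandleDelivery is the unified entry point: verify the signature (constant-time compare), then map
// the X-GitHub-Event name to the syncs it should trigger; events we do not care about yield nothing.
func HandleDelivery(secret []byte, event, signature string, body []byte) ([]SyncRequest, error) {
	if !hmac.Equal([]byte(Sign(secret, body)), []byte(signature)) {
		return nil, errors.New("invalid X-Hub-Signature-256")
	}
	var p struct { // only the payload fields the authz handler needs
		Action     string                                                              `json:"action"`
		Member     struct{ Login string `json:"login"` }                               `json:"member"`
		Repository struct{ FullName string `json:"full_name"` }                        `json:"repository"`
		Membership struct{ User struct{ Login string `json:"login"` } `json:"user"` } `json:"membership"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	switch event {
	case "member": // collaborator added, removed, or edited: both the repo and the user are affected
		return []SyncRequest{{Kind: "repo", Name: p.Repository.FullName}, {Kind: "user", Name: p.Member.Login}}, nil
	case "repository": // only visibility changes matter for permissions
		if p.Action == "privatized" || p.Action == "publicized" {
			return []SyncRequest{{Kind: "repo", Name: p.Repository.FullName}}, nil
		}
	case "membership": // user added to or removed from a team
		return []SyncRequest{{Kind: "user", Name: p.Member.Login}}, nil
	case "organization": // user added to or removed from the org
		if p.Action == "member_added" || p.Action == "member_removed" {
			return []SyncRequest{{Kind: "user", Name: p.Membership.User.Login}}, nil
		}
	}
	return nil, nil
}
```

In a real handler the returned requests would be pushed to the head of the existing sync priority queue; counting accepted, ignored and rejected deliveries per event type gives the monitoring the task list asks for.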
Open Questions
- how can we best limit the feature to SG / Cloud folks up front?
- external service config, flag, etc.?