# Access And Permissions

## Roles

- Maintainer: merge authority, release authority, incident ownership.
- Reviewer: approves pull requests and validates architecture/security impact.
- Contributor: proposes changes through pull requests.
- Consumer: integrates published package versions in downstream applications.

## Least-Privilege Model

- Limit maintainer privileges to the release and incident responders who require them.
- Use reviewer role for routine code review and documentation updates.
- Restrict package publishing credentials to release maintainers.

## Approval Workflow

1. Contributor opens pull request.
2. Reviewer validates tests, documentation, and risk impact.
3. Maintainer approves merge for high-risk or release-impacting changes.
4. Release maintainer publishes approved release artifacts.

## Periodic Access Review

1. Review maintainer and publisher access quarterly.
2. Remove inactive accounts and obsolete credentials.
3. Confirm access ownership in repository settings and package feed controls.

## Emergency Access

- Temporary elevated access requires a tracked incident issue.
- Remove temporary access immediately after incident closure.