Activating CODEOWNERS approval for www-gitlab-com
On 2020-06-25 at 12:00 UTC we will enable the CODEOWNERS approval requirement for the www-gitlab-com project.
Why?
There are regulatory requirements that mandate that changes to formal policies and procedures may only be made after being approved by the document owner(s). To enable GitLab to comply with these requirements we have to restrict certain pages in the Handbook from being changed without the owner approving it.
Specific to our compliance journey at GitLab, we currently hold a SOC 2 Type 1 (pursuing a Type 2) and are actively considering pursuit of FedRAMP Moderate/DoD IL2. Both security frameworks have requirements around controlled documents, with the intent of ensuring our formal policies and processes are approved by the appropriate group/expert, as they have the broad purview of the program and its requirements. This should not block anyone from contributing or providing feedback on these handbook pages as we do today.
Specifically from a regulatory perspective, these requirements do not apply to runbooks/work instructions as the detailed "how" we implement the policies can be more fluid and will be different across systems.
Apart from complying with regulatory requirements there are teams that want to enforce an approval process on some/all pages they own.
Impact
The impact of enabling approval requirements is that at least one of the CODEOWNERS listed for a specific source path will have to provide approval of the change before it can be merged.
We do not want to discourage updates from team members, and everyone is still welcome to contribute changes, but this is a necessary step that we have to take.
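To make the approval rule concrete, here is an added Python illustration (not code from the www-gitlab-com project or from GitLab) that resolves which owners must approve a changed file. It models the rule that the last CODEOWNERS pattern matching a path takes precedence (GitLab's documented behaviour for a CODEOWNERS file without sections; treating www-gitlab-com that way is an assumption), with a simplified subset of gitignore-style pattern matching. The CODEOWNERS content, file paths and owner handles are constructed for the example and are not the project's real file.

```python
"""Resolve required approvers for a changed path from a CODEOWNERS file.

Added example, not the www-gitlab-com project's own code. Assumptions:
 - the last matching pattern wins (GitLab behaviour without sections);
 - pattern matching is a simplified subset of gitignore syntax;
 - the CODEOWNERS text and owner handles below are constructed.
"""
import fnmatch
from typing import List, Tuple

# Constructed sample CODEOWNERS content (not the real www-gitlab-com file).
SAMPLE_CODEOWNERS = """
# Default owner for every file
* @handbook-team
# Styling and site code
/source/stylesheets/ @frontend-team
# Formal policies owned by the People and Legal groups
/source/handbook/people-group/ @people-group
/source/handbook/legal/ @legal-team
/source/handbook/legal/privacy/ @legal-team @security-compliance
"""


def parse_codeowners(text: str) -> List[Tuple[str, List[str]]]:
    """Return (pattern, owners) pairs in file order, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        entries.append((pattern, owners))
    return entries


def matches(pattern: str, path: str) -> bool:
    """Simplified gitignore-style match (a subset of the real rules)."""
    path = path.lstrip("/")
    anchored = pattern.startswith("/") or "/" in pattern.rstrip("/")
    if anchored:
        # Patterns containing a slash are matched from the repository root.
        pat = pattern.lstrip("/")
        if pat.endswith("/"):
            return path.startswith(pat)  # directory: everything beneath it
        return fnmatch.fnmatchcase(path, pat)
    if pattern.endswith("/"):
        # Bare directory name: matches that directory at any depth.
        return f"/{pattern}" in f"/{path}"
    # Plain pattern without a slash: matches the file name at any depth.
    return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)


def required_approvers(codeowners: str, path: str) -> List[str]:
    """Owners of the last matching entry; an empty list means no owner rule applies."""
    owners: List[str] = []
    for pattern, entry_owners in parse_codeowners(codeowners):
        if matches(pattern, path):
            owners = entry_owners  # later matches override earlier ones
    return owners


def approval_satisfied(required: List[str], approvers: List[str]) -> bool:
    """True when at least one of the listed owners approved (or none is required)."""
    return not required or any(a in required for a in approvers)


if __name__ == "__main__":
    for changed in [
        "source/handbook/legal/privacy/policy.md",
        "source/handbook/people-group/leave.md",
        "source/stylesheets/site.css",
        "README.md",
    ]:
        print(changed, "->", required_approvers(SAMPLE_CODEOWNERS, changed))
```

The `*` catch-all entry at the top is deliberately listed first so that the more specific handbook and stylesheet entries override it; if it were placed last, every file would fall back to the default owner and the People and Legal entries would never take effect.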
How we will execute
See this comment: #7755 (comment 366941058)
Background
The People and Legal groups have encountered times where pages were updated without knowledge of the DRI, as people can merge without going through approval channels. While the spirit of "everyone can contribute" is very important, certain pages should not be updated without review from the team that is the DRI for them. Currently Code Owners is turned off for the www-gitlab-com project, thus allowing only for suggested approvals. Is it possible to turn this on? How would this impact the broader GitLab org?
We need to figure out a solution to only allow merge after approval for many pages in the People and Legal org
Reason | Pro | Con | Weight (TBD) | Context
---|---|---|---|---
Enforce approval of key pages | x | | | Important pages relating to the People and Legal groups need to go through approvals before changes are made.
Approval gets easier | x | | | Team members don't always know who to reach out to for approval of MRs, especially if it's outside of their function.
Protection of non-content files | x | | | We can make sure that code relating to styling and functionality is reviewed by the relevant team members before changes are made which could impact the site.
Potentially slows velocity | | x | | Some team members have cross-functional roles with permission to merge changes without approval. This will slow them down unless a solution can be found in how we configure CODEOWNERS.
Encourages discussion of changes | x | | | Approval without discussion can impact the quality of changes.
CC @jeanduplessis @brittanyr @Vatalidis @cteskey @rhartough @davegilbert