16
7
Fork
You've already forked design
4

Magic git repository to manage the settings of an organization #66

Open
opened 2026年05月19日 16:01:19 +02:00 by wetneb · 5 comments
Member
Copy link

Warning

Please read this section of the README before interacting in the issue tracker.
We might remove comments that don't fit here. This is unfortunately necessary, because respect for design work is not yet common in Free/Libre Software projects.

Content

Motivation

Owners of Forgejo organizations can perform sensitive actions with little scrutiny. A lot of those actions don't generate any notifications or audit log, so they are hardly traceable after the fact.
It would be useful if there could be a way to propose changes, let them be reviewed by other team members and only perform them once a consensus has been reached. See also forgejo/forgejo#12451.

One possible way to add this oversight would be to use a Git repository to mirror organization settings, and discuss changes as pull requests on this repository.

There already exist various tools to synchronize organization settings in this way: for instance, a Terraform provider for Forgejo could be used for that, and there are a couple of other tools developed for GitHub that could be ported to Forgejo, such as Peribolos or github-org-manager.
Still, setting those up requires some time and resources (CI infrastructure) and using API tokens with owner permissions.

Idea

Instead of going through an external tool, Forgejo itself could offer such "magic" repositories (when the corresponding option would be enabled for the organization).
Forgejo would take care of the synchronization between the repository contents and the organization settings by itself.

The scope of the settings that are reflected in the repository could potentially be configured. For instance, an organization could decide to only use this magic repository for membership management and leave the other settings to be managed manually, outside of the git repository. The UI and API would forbid direct changes to the parts of org settings which are managed via Git.

Proposals to have special interfaces for reviewing changes, such as forgejo/forgejo#12451 or #65, could potentially be implemented as some sort of UI coating on top of this feature.

> **Warning** > Please read [this section of the README](https://codeberg.org/forgejo/design#what-you-can-do-here) before interacting in the issue tracker. > We might remove comments that don't fit here. This is unfortunately necessary, because respect for design work is not yet common in Free/Libre Software projects. ### Content ### Motivation Owners of Forgejo organizations can perform sensitive actions with little scrutiny. A lot of those actions don't generate any notifications or audit log, so they are hardly traceable after the fact. It would be useful if there could be a way to propose changes, let them be reviewed by other team members and only perform them once a consensus has been reached. See also https://codeberg.org/forgejo/forgejo/issues/12451. One possible way to add this oversight would be to use a Git repository to mirror organization settings, and discuss changes as pull requests on this repository. There already exist various tools to synchronize organization settings in this way: for instance, a [Terraform provider for Forgejo](https://github.com/svalabs/terraform-provider-forgejo) could be used for that, and there are a couple of other tools developed for GitHub that could be ported to Forgejo, such as [Peribolos](https://docs.prow.k8s.io/docs/components/cli-tools/peribolos/) or [github-org-manager](https://github.com/OpenRailAssociation/github-org-manager). Still, setting those up requires some time and resources (CI infrastructure) and using API tokens with owner permissions. ### Idea Instead of going through an external tool, Forgejo itself could offer such "magic" repositories (when the corresponding option would be enabled for the organization). Forgejo would take care of the synchronization between the repository contents and the organization settings by itself. The scope of the settings that are reflected in the repository could potentially be configured. For instance, an organization could decide to only use this magic repository for membership management and leave the other settings to be managed manually, outside of the git repository. The UI and API would forbid direct changes to the parts of org settings which are managed via Git. Proposals to have special interfaces for reviewing changes, such as https://codeberg.org/forgejo/forgejo/issues/12451 or https://codeberg.org/forgejo/design/issues/65, could potentially be implemented as some sort of UI coating on top of this feature.
Author
Member
Copy link

Another potential benefit of GitOps-based management of organization settings would be to ease the portability across Forgejo instances. If you want to migrate your project to another Forgejo instance, having your org settings materialized in this way would be helpful to import them again in the new instance. (But the existing work on federation might also help.) Caveats apply of course: for instance, users might have different names on the instances, so some small edits to the files might be needed.

Another potential benefit of GitOps-based management of organization settings would be to ease the portability across Forgejo instances. If you want to migrate your project to another Forgejo instance, having your org settings materialized in this way would be helpful to import them again in the new instance. (But the existing work on federation might also help.) Caveats apply of course: for instance, users might have different names on the instances, so some small edits to the files might be needed.

I have concerns with the implementation of such proposal. Fetching contents out of a git repository is not relatively fast, and in general you can't query for it. I have a feeling it would be necessary to still synchronize such settings to a database table.

I have concerns with the implementation of such proposal. Fetching contents out of a git repository is not relatively fast, and in general you can't query for it. I have a feeling it would be necessary to still synchronize such settings to a database table.
Author
Member
Copy link

Absolutely - there would still be a need for a synchronization mechanism between the existing SQL storage of those settings and the git repo. This synchronization would only need to happen when the main branch of the magic repo is updated. This would hopefully make the feature not too intrusive in the code base, as the rest of the code could continue to fetch this information where it has been stored so far.

I imagine that the main impact would come from the need to disable some parts of the web UI and API if the settings they act on are managed via the special git repository (because a commit on the repo needs to be made instead), or changing them so that they initiate the corresponding PR on the magic repo. For instance, if I try to add a member to the organization via the web UI and that organization uses a git repo to manage its members, it would either forbid it or lead me to making a PR on the magic repo instead.

Absolutely - there would still be a need for a synchronization mechanism between the existing SQL storage of those settings and the git repo. This synchronization would only need to happen when the main branch of the magic repo is updated. This would hopefully make the feature not too intrusive in the code base, as the rest of the code could continue to fetch this information where it has been stored so far. I imagine that the main impact would come from the need to disable some parts of the web UI and API if the settings they act on are managed via the special git repository (because a commit on the repo needs to be made instead), or changing them so that they initiate the corresponding PR on the magic repo. For instance, if I try to add a member to the organization via the web UI and that organization uses a git repo to manage its members, it would either forbid it or lead me to making a PR on the magic repo instead.

@wetneb wrote in #66 (comment):

This synchronization would only need to happen when the main branch of the magic repo is updated. This would hopefully make the feature not too intrusive in the code base, as the rest of the code could continue to fetch this information where it has been stored so far.

This could be quite a frustrating experience in handling any errors -- if invalid settings are pushed into the repo, or, changes made through the UI/API have some failure to sync to the repo, the user experiencing for error detection and recovery could be quite ugly.

I think the concept presented here is interesting. My thought is that before this kind of enhancement could be fully considered for inclusion in Forgejo, it would be best to be developed as a proof-of-concept implementation. For example, using a repository, a Forgejo terraform provider, and a CI system could demonstrate the concept end-to-end and reach motivated users who want a solution in this space. Specific challenges arising from that could lead to specific narrow solutions being incorporated into Forgejo first, which would both serve as a building block to this enhancement, and ease challenges in the proof-of-concept -- for example, "An admin can still edit a repo's settings bypassing the automated system" could lead to improvements in access control granularity to support the external integration and a potential future internal implementation.

@wetneb wrote in https://codeberg.org/forgejo/design/issues/66#issuecomment-15662543: > This synchronization would only need to happen when the main branch of the magic repo is updated. This would hopefully make the feature not too intrusive in the code base, as the rest of the code could continue to fetch this information where it has been stored so far. This could be quite a frustrating experience in handling any errors -- if invalid settings are pushed into the repo, or, changes made through the UI/API have some failure to sync to the repo, the user experiencing for error detection and recovery could be quite ugly. I think the concept presented here is interesting. My thought is that before this kind of enhancement could be fully considered for inclusion in Forgejo, it would be best to be developed as a proof-of-concept implementation. For example, using a repository, a Forgejo terraform provider, and a CI system could demonstrate the concept end-to-end and reach motivated users who want a solution in this space. Specific challenges arising from that could lead to specific narrow solutions being incorporated into Forgejo first, which would both serve as a building block to this enhancement, and ease challenges in the proof-of-concept -- for example, "An admin can still edit a repo's settings bypassing the automated system" could lead to improvements in access control granularity to support the external integration and a potential future internal implementation.
Author
Member
Copy link

This could be quite a frustrating experience in handling any errors -- if invalid settings are pushed into the repo, or, changes made through the UI/API have some failure to sync to the repo, the user experiencing for error detection and recovery could be quite ugly.

There are a lot of corner cases to consider very carefully, it's definitely not a straightforward feature. Concerning invalid settings, I was thinking that this integrated approach would perhaps make it possible to reject invalid pushes via a git hook, offering more guarantees than an implementation via a third-party tool. But I'm not well-versed enough in Forgejo's internals to understand to what extent that would be doable.

I completely agree with you that it's worth prototyping with a third-party tool first.
This design proposal mostly stands as an alternative to #65, to explore various approaches.

> This could be quite a frustrating experience in handling any errors -- if invalid settings are pushed into the repo, or, changes made through the UI/API have some failure to sync to the repo, the user experiencing for error detection and recovery could be quite ugly. There are a lot of corner cases to consider very carefully, it's definitely not a straightforward feature. Concerning invalid settings, I was thinking that this integrated approach would perhaps make it possible to reject invalid pushes via a git hook, offering more guarantees than an implementation via a third-party tool. But I'm not well-versed enough in Forgejo's internals to understand to what extent that would be doable. I completely agree with you that it's worth prototyping with a third-party tool first. This design proposal mostly stands as an alternative to #65, to explore various approaches.
Sign in to join this conversation.
No Branch/Tag specified
main
15-new-pr
private-issues
file-editor
No results found.
Labels
Clear labels
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/design#66
Reference in a new issue
forgejo/design
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?