Using GitHub for Spec Work

This document covers a tool that was created to support contributions made to a group, under the form of pull requests, in order to assess whether they are IPR-OK or not.

The tool is at:

A number of operations in the tool require logging in through GitHub as the related actions you can undertake through the tool (or that the tool can undertake on your behalf when reacting to a GitHub event) require authorized access to GitHub.

There are several tools of use:

New Repository login required

This is basically what people should use when they want to start a new specification in a CG or a WG. It gives you a choice of the organisations under which you are allowed to create a new repo (including your own user), and you can pick the name of the repo and the group(s) to which it belongs.

Hitting "Create" can take a little while as the tool does all of the following, live:

Most users should only ever have to use that. Once done they can go and play in their repo.

Import Repository login required

This is the same as "New" but for an existing repo. It will *never* overwrite something there so it is the user's responsibility to check that the repo is okay.

How Pull Requests Get Handled

Whenever a pull request is made against a repo that is under the tool's management,the tool gets notified. It uses this information to assess if the PR is acceptable (i.e. all its contributors have made the relevant IPR commitment).

Count as contributors not just the person making the pull request, but also anyone added either in the PR description or in any subsequent comment using "+@username" on a line on its own. If a contributor was added by mistake, she can be removed wit "-@username" on a line on its own.

Every time a PR is created or has a comment with a username change, the status of the PR is changed. If it's okay it'll get changed to green with a note indicating that it's fine; if not it gets changed to some ugly brown with a red cross (and a link that people can use to check the issue in more detail).

On the page that explains the IPR failure, one can mark a given Pull Request as non-substantive: this will post a comment on the pull request under the name of the user, and will clear the flag for the said pull request.

When a pull requets gets flagged as not OK by the tool, it will attempt to notify the github users listed in the contacts property of the w3c.json file in the repo.

The following are only available to admins.

Currently Open Pull Requests

This list all PRs that are now open, even old ones. It lists useful details such as which users are being problematic either because they are unknown (not in the system at all) or outside (known to the system but not in one of the right groups for that repo).

You can go to PR details by clicking "Details".

PR Details

If the PR is not in an acceptable state, this will list problematic users with a link to fix each of them, and a button to "Mark the PR as non-substantive".

For problematic users, the fix can either be "Add to system" or "Edit" (details below).

The idea is that the vast majority of non-acceptable PRs for a newly added repo will come from people who are simply not known.

If all problematic users are added to the system and group, return to the PR details page and hit "Revalidate". We could revalidate every time a user is added or edited, but it's pretty costly so for the time being it is done this way. Revalidation will of course update both the local state and the PR's mergability indicator on GitHub.

Add User to system login required

For users that are unknown to the system, they can be added by following on of those links and just clicking that button. This is always an innocuous operation; it does not give the user any special rights nor can it make a PR OK (since the user needs to be in a group for that).

Active Last Week PRs

This is a list of pull requests, in any state, that saw activity last week. They can be filtered according to the affiliation of the companies that made the contributions. This is essentially so that AC reps who have people in CGs who are only supposed to contribute to some specific work but not all of it can monitor what's been going on and avail themselves of their 45 days retraction window. Similar affordances are available as for the list of open PRs.

Edit User login required

The interface to edit users is where the W3C data model and the GitHub data model get to meet. This alone is scary; I've tried to make it less scary.

A list of the groups known to the system is show, the user can be added and removed from them there. If the user's affiliation is unset, once some groups have been added you can click "Set". This will load up a list that is the *intersection* of membership in the selected groups. The UI will also try to select the user with the name matching their GitHub profile (which may not always work, but often does). Hitting "OK" will associate the GH user with the W3C user, making it possible for us to use affiliation information. Don't forget to hit "Save".

This is a little convoluted but it's the best I could do with the current APIs from both GitHub and the W3C backend. Hopefully it can be simplified in the future.

Admin > Users admin required

This is a list of users. Things you can do there include making them admins and giving them blanket contribution rights. USE EITHER WITH CARE.

Admins should normally not be able to break the system, but they can enter all sorts of bogus information that would be really annoying. Only grant admin when you're sure; it's probably better to ask others first.

Blanket is a different type of superpower: users with blanket access are considered acceptable contributors to ALL repos, irrespective of their group memberships. This should normally be restricted to W3C team people.

Admin > Groups admin required

This is a list of all W3C groups. You will note that most have an "Add" button next to them: those are the ones that are in W3C but not in this system. Please do *not* start adding groups unless they explicitly want to be managed under this system. We only want people to create/import repos for groups that are actually using this system. Clicking "Add" makes that group one of those available for repos and users to belong to.

The source is at