[Tracking] Nixpkgs GitHub teams should match `lib.teams`

[infinisil]

With #450864 it's now possible to sync the member list from a GitHub team to lib.teams.*.members by:

• Ensuring that the team has explicit Nixpkgs access and waiting for the weekly sync to run and be merged
• Setting the github property in team-list.nix:

  some-team.github = "some-team";

Ideally we should have:

• GitHub teams¹ should have an entry in lib.teams, which ensures that each team member has a contactable maintainers entry
• lib.teams should have a matching GitHub team, so they can be requested for review without needing to look up individual members
• lib.teams.${name} == @NixOS/${name} so we don't need to guess
• GitHub teams should have a maintainer, so the members can be self-managed, and people know who to ask

All of this together allows removing the ability to create teams via team-list.nix and using self-serviced GitHub teams as the source of truth, mirrored directly to lib.teams. This means lib.teams will always match the GitHub teams, which is great for transparency and consistency.

To get to that point, we have some manual work to do though. This issue tracks progress towards that. Below is an automatically generated listing of all the remaining issues². It was generated with the following script on #456345. If we really want to go for this, we should ping everybody for crowd-sourcing this.

Cc @NixOS/nixpkgs-core

Details

let
  lib = import ./lib;
  githubTeams = lib.importJSON ./maintainers/github-teams.json;
  expectedPairs = [
    "acme"
    "bazel"
    "coq"
    "dotnet"
    "emacs"
    "gitlab"
    "kodi"
    "lxc"
    "mate"
    { github = "nix-formatting"; libTeam = "formatter"; }
    { github = "nix-team"; libTeam = "nix"; }
    "node"
    "xfce"
  ];

  pairsLibToGh = lib.listToAttrs (lib.map (v: lib.nameValuePair (v.libTeam or v) (v.github or v)) expectedPairs);
  libToGh = lib.mapAttrs (ln: lv: lv.github or pairsLibToGh.${ln} or null) lib.teams;

  ghMap = lib.mapAttrs' (ln: lv: lib.nameValuePair lv.github ln) (lib.filterAttrs (ln: lv: lv ? github) lib.teams);
  pairsGhToLib = lib.listToAttrs (lib.map (v: lib.nameValuePair (v.github or v) (v.libTeam or v)) expectedPairs);
  ghToLib = lib.mapAttrs (ghn: ghv: ghMap.${ghn} or pairsGhToLib.${ghn} or null) githubTeams;

  ghCommon = lib.filterAttrs (ghn: ln: ln != null) ghToLib;

  ghMembers = ghn: lib.map lib.toLower (lib.attrNames (githubTeams.${ghn}.maintainers // githubTeams.${ghn}.members));
  #idToHandle = lib.mapAttrs' (_: v: lib.nameValuePair (toString v.githubId) v.github) lib.maintainers;
  libMembers = ln: lib.map (m: lib.toLower m.github) lib.teams.${ln}.members;

  memberMismatch = lib.filterAttrs (ghn: { ln, onlyGh, onlyLib }: onlyGh != [] || onlyLib != []) (lib.mapAttrs (ghn: ln:
    let
      gh = lib.sort builtins.lessThan (ghMembers ghn);
      l = lib.sort builtins.lessThan (libMembers ln);
    in
    {
      inherit ln;
      onlyGh = lib.subtractLists l gh;
      onlyLib = lib.subtractLists gh l;
    }
  ) ghCommon);

  ghWithoutLib = lib.attrNames (lib.filterAttrs (gn: ln: ln == null) ghToLib);

  nameMismatch = lib.filterAttrs (ghn: ln: ghn != ln) ghCommon;

  maintainerLess = lib.attrNames (lib.filterAttrs (ghn: ghv: ghv.maintainers == {}) githubTeams);

  libWithoutGh = lib.attrNames (lib.filterAttrs (ln: gn: gn == null) libToGh);

  teamsWithPos = import ./maintainers/team-list.nix { inherit lib; };
  libPos = ln: "https://github.com/NixOS/nixpkgs/blob/8f87d1d5160c7a28197f78064cc9a5b3a05e908c/maintainers/team-list.nix#L${toString (builtins.unsafeGetAttrPos ln teamsWithPos).line}";
  #res = lib.filterAttrs (ghn: _: (lib.attrNames githubTeams)
  res = {
    inherit ghWithoutLib memberMismatch nameMismatch maintainerLess libWithoutGh;
    #inherit ghToLib libToGh memberMismatch;
    #x = ghToMembers "haskell";
  };

  prettyGhTeam = ghn: "[`@NixOS/${ghn}`](https://github.com/orgs/NixOS/teams/${ghn})";
  prettyGhHandle = handle: "[`@${handle}`](https://github.com/${handle})";
  prettyLibTeam = ln: "[`lib.teams.${ln}`](${libPos ln})";

  string = ''
    GitHub teams that don't have an corresponding entry in `lib.teams`:
    ${lib.concatStrings (lib.map (ghn: "- [ ] [`@NixOS/${ghn}`](https://github.com/orgs/NixOS/teams/${ghn})\n") ghWithoutLib)}
    `lib.teams` that don't have a corresponding GitHub team:
    ${lib.concatStrings (lib.map (ln: "- [ ] ${prettyLibTeam ln}\n") libWithoutGh)}
    Corresponding teams whose members don't match between GitHub and `lib.teams`:
    ${lib.concatStrings (lib.mapAttrsToList (ghn: { ln, onlyGh, onlyLib }: ''
      - [ ] ${prettyGhTeam ghn}/${prettyLibTeam ln}:
      ${lib.optionalString (onlyGh != []) "  - Only on GitHub: ${lib.concatMapStringsSep ", " prettyGhHandle onlyGh}\n"}${lib.optionalString (onlyLib != []) "  - Only in `lib.teams`: ${lib.concatMapStringsSep ", " prettyGhHandle onlyLib}\n"}'') memberMismatch)}
    GitHub teams whose name doesn't match the corresponding `lib.teams`:
    ${lib.concatStrings (lib.mapAttrsToList (ghn: ln: ''
      - [ ] ${prettyGhTeam ghn} <-> ${prettyLibTeam ln}
    '') nameMismatch)}
    GitHub teams that don't have a maintainer:
    ${lib.concatStrings (lib.map (ghn: "- [ ] ${prettyGhTeam ghn}\n") maintainerLess)}
  '';
in
builtins.trace (lib.generators.toPretty {} res)
builtins.trace string null

---

GitHub teams that don't have an corresponding entry in lib.teams:

• @NixOS/bootstrapping
• @NixOS/channel-updaters
• @NixOS/crystal-lang
• @NixOS/darwin-maintainers
• @NixOS/exotic-platform-maintainers
• @NixOS/nixos-release-managers
• @NixOS/nixpkgs-core
• @NixOS/nixpkgs-merge-bot
• @NixOS/reproducible
• @NixOS/risc-v
• @NixOS/scala
• @NixOS/security: See https://github.com/NixOS/nixpkgs/pull/456477/files#r2470081842
• @NixOS/static

lib.teams that don't have a corresponding GitHub team:

• lib.teams.apm
• lib.teams.apparmor
• lib.teams.bitnomial
• lib.teams.blockchains
• lib.teams.budgie
• lib.teams.buildbot
• lib.teams.c
• lib.teams.c3d2
• lib.teams.cachix
• lib.teams.cinnamon
• lib.teams.clevercloud
• lib.teams.cloudposse
• lib.teams.cosmopolitan
• lib.teams.cyberus
• lib.teams.deshaw
• lib.teams.determinatesystems
• lib.teams.dhall
• lib.teams.docker
• lib.teams.electron
• lib.teams.flyingcircus
• lib.teams.fslabs
• lib.teams.gcc
• lib.teams.gnome-circle
• lib.teams.graalvm-ce
• lib.teams.helsinki-systems
• lib.teams.home-assistant
• lib.teams.infisical
• lib.teams.iog
• lib.teams.jetbrains
• lib.teams.jitsi
• lib.teams.jupyter
• lib.teams.libretro
• lib.teams.lomiri
• lib.teams.lumiguide
• lib.teams.matrix
• lib.teams.mercury
• lib.teams.minimal-bootstrap
• lib.teams.module-system
• lib.teams.nextcloud
• lib.teams.ngi
• lib.teams.nixos-rebuild
• lib.teams.octodns
• lib.teams.openstack
• lib.teams.ororatech
• lib.teams.perl
• lib.teams.python
• lib.teams.r
• lib.teams.redcodelabs
• lib.teams.sage
• lib.teams.secshell
• lib.teams.serokell
• lib.teams.sphinx
• lib.teams.steam
• lib.teams.stridtech
• lib.teams.swift
• lib.teams.tests
• lib.teams.tts
• lib.teams.uzinfocom
• lib.teams.wdz
• lib.teams.windows
• lib.teams.zig

Corresponding teams whose members don't match between GitHub and lib.teams:

• @NixOS/acme/lib.teams.acme:
  • Only in lib.teams: @aanderse
• @NixOS/bazel/lib.teams.bazel:
  • Only on GitHub: @ethercrow, @kalbasit, @profpatsch
  • Only in lib.teams: @boltzmannrain, @olebedev, @ylecornec
• @NixOS/coq/lib.teams.coq:
  • Only in lib.teams: @cohencyril, @siraben, @stepbrobd
• @NixOS/dotnet/lib.teams.dotnet:
  • Only on GitHub: @ivarwithoutbones
• @NixOS/emacs/lib.teams.emacs:
  • Only on GitHub: @matthewbauer, @ttuegel
• @NixOS/gitlab/lib.teams.gitlab:
  • Only on GitHub: @xanderio
  • Only in lib.teams: @globin, @krav
• @NixOS/kodi/lib.teams.kodi:
  • Only on GitHub: @sephalon
  • Only in lib.teams: @dschrempf, @nvmd
• @NixOS/lxc/lib.teams.lxc:
  • Only on GitHub: @jnsgruk
• @NixOS/mate/lib.teams.mate:
  • Only in lib.teams: @johannesloetzsch
• @NixOS/nix-formatting/lib.teams.formatter:
  • Only on GitHub: @sereja313
• @NixOS/nix-team/lib.teams.nix:
  • Only on GitHub: @xokdvium
  • Only in lib.teams: @roberth
• @NixOS/node/lib.teams.node:
  • Only on GitHub: @lilyinstarlight
• @NixOS/xfce/lib.teams.xfce:
  • Only in lib.teams: @muscaln

GitHub teams whose name doesn't match the corresponding lib.teams:

• @NixOS/cuda-maintainers <-> lib.teams.cuda
• @NixOS/darwin-core <-> lib.teams.darwin
• @NixOS/documentation-team <-> lib.teams.docs
• @NixOS/lix-maintainers <-> lib.teams.lix
• @NixOS/marketing-team <-> lib.teams.marketing
• @NixOS/nix-formatting <-> lib.teams.formatter
• @NixOS/nix-team <-> lib.teams.nix
• @NixOS/nixpkgs-ci <-> lib.teams.ci
• @NixOS/xen-project <-> lib.teams.xen

GitHub teams that don't have a maintainer:

• @NixOS/acme
• @NixOS/channel-updaters
• @NixOS/freedesktop
• @NixOS/gnome
• @NixOS/nixpkgs-merge-bot
• @NixOS/php
• @NixOS/podman

Footnotes

1. Only GitHub teams with explicit Nixpkgs access, see the synced github-teams.json ↩

2. With https://github.com/NixOS/nixpkgs/pull/456345 already taken into account ↩

[wolfgangwalther]

The nixpkgs-merge-bot team does not have a maintainer nor team-list entry on purpose. It just serves as a target to be able to @nixpkgs-merge-bot, not more. I checked both boxes.

[wolfgangwalther]

GitHub teams whose name doesn't match the corresponding lib.teams:

A few of these have a -maintainers suffix, which is something that we discourage going forward. So we might want to migrate these to remove that suffix.

cc @philiptaron

[infinisil]

The nixpkgs-merge-bot team does not have a [..] team-list entry on purpose

If we don't want to sync some team with lib.teams, it needs to be added to the list of sync-excluded teams:

nixpkgs/ci/github-script/get-teams.js

Lines 1 to 5 in 2b21a29

	const excludeTeams = [
	/^voters.*$/,
	/^nixpkgs-maintainers$/,
	/^nixpkgs-committers$/,
	]

I'll uncheck that box again until we have that.

[iedame]

What should be the procedure for maintainers not in the maintainer-list.nix?

Ping all affected and ask them to add themselves to the list within a week?

[infinisil]

Ping all affected and ask them to add themselves to the list within a week?

Yeah that sounds reasonable, though I'd extend it by another couple weeks and then remove everybody that didn't do it. We should get input from team maintainer @toonn, because team members should only be added if they're already in the maintainers going forward.

[wolfgangwalther]

I'd suggest to create a separate issue for such a case, though, to avoid signing up everyone to this one.

[iedame]

Sounds good, thank you! I will do that.
Maintainers also in the retired-nixpkgs-contributors team should be pinged too? (only copumpkin for darwin-maintainers)

[wolfgangwalther]

Maintainers also in the retired-nixpkgs-contributors team should be pinged too? (only copumpkin for darwin-maintainers)

Sounds sensible to me.

[emilazy]

For @NixOS/darwin-maintainers and @NixOS/darwin-core, the divergence in naming is intentional, and it doesn’t make sense for @NixOS/darwin-maintainers to have a lib.teams entry. It’s a large team of people to be pinged for help with Darwin‐specific packaging/testing issues on GitHub, but it doesn’t make sense to treat as a coherent team that takes collective maintainership responsibility for packages – that would be @NixOS/darwin-core, which is lib.teams.darwin, i.e. “the Darwin team”. See #348183 for background.

Renaming @NixOS/darwin-core to @NixOS/darwin may make sense. Renaming @NixOS/darwin-maintainers to be more clear may also be a good idea, but at the time I gave up on figuring out a more helpful name :)

[philiptaron]

@NixOS/darwin-ecosystem? @NixOS/darwin-folks? @NixOS/darwin-crowd?

[iedame]

and it doesn’t make sense for @NixOS/darwin-maintainers to have a lib.teams entry. It’s a large team of people to be pinged for help with Darwin‐specific packaging/testing issues on GitHub

That's a very good point! I definitely agree it wouldn't be any more useful to have a lib.teams in its current state. So I guess darwin-maintainers will be added to the sync-excluded teams.