Summary: Investigate the feasibility and implications of removing the Openshift mergebot from containers/podman, containers/buildah, containers/common, containers/storage, and containers/image due to permission non-compliance with CNCF governance.

Description:

The Openshift mergebot currently active on several containers organization repositories (specifically containers/podman, containers/buildah, containers/common, containers/storage, and containers/image) has been identified as not properly respecting repository permissions. This bot allows users who are not explicitly listed in the repository's OWNERS file to merge pull requests.

This behavior is incompatible with the project's CNCF governance model, which mandates strict control over repository privileges, including the critical ability to merge pull requests, to be granted only to designated maintainers. Allowing unauthorized merges poses a significant security and governance risk.

This spike is necessary to thoroughly investigate the process of removing the Openshift mergebot, assess the impact of its removal, and propose a viable alternative for managing pull request merges that aligns with CNCF governance requirements.

Investigation Scope:

1. Current Mergebot Functionality Assessment:

• • Document the exact behavior of the Openshift mergebot on each affected repository.

• • Identify how it currently facilitates merges and what checks it performs (or fails to perform).

• • Assess any perceived or actual value the existing mergebot provides to the team or workflow.

1. Impact Analysis of Removal:

• • Determine the immediate consequences of disabling/removing the bot (e.g., impact on CI/CD, merge velocity, maintainer workflow).

• • Identify any dependencies or integrations that rely on the mergebot's presence.

1. Alternative Merge Strategies:

• • Option 1: Alternative Mergebot: Research and evaluate alternative mergebot solutions that are compatible with GitHub and can enforce repository OWNERS file permissions and other desired checks (e.g., required reviews, CI status).

• • Option 2: Rely on GitHub Native Features: Investigate the feasibility of relying solely on GitHub's built-in features for merge protection, specifically its ability to block PR merges without a specified number of approved reviews (e.g., 2 reviews by repository maintainers).

1. Migration Plan Outline:

• • For the chosen alternative, outline a high-level plan for its implementation and transition.

• • Consider any necessary changes to .github workflows or repository settings.

1. Communication Strategy:

• • Determine how to communicate the change to maintainers and contributors.

Expected Outcomes:

• A clear recommendation on whether to replace the Openshift mergebot with an alternative or rely on GitHub's native features.

• A documented analysis of the current mergebot's behavior and the impact of its removal.

• A high-level plan for implementing the chosen alternative merge strategy.

• Identification of any technical challenges or risks associated with the transition.

• A preliminary estimate of the effort required for the full implementation (if applicable).