From f3f3806f606e905b60fd63830186278b4af24fd0 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Fri, 20 Mar 2026 07:30:28 -0400
Subject: [PATCH] Add role-based GitHub App manifests

Four roles with scoped permissions enforcing PR workflow at GitHub level:
- CEO: merge authority, org admin
- CTO: PR review/approval, full engineering + workflows
- QA: PR review/approval, read-only contents, CI monitoring
- Engineer: push branches, open PRs, CI execution

Apps are org-scoped. PEM naming: -.pem Branch protection rulesets to be configured after app creation.

Co-Authored-By: Paperclip
---
 github-apps/README.md | 36 ++++++++++++++++++++++++++++++++++++
 github-apps/ceo.json | 19 +++++++++++++++++++
 github-apps/cto.json | 19 +++++++++++++++++++
 github-apps/engineer.json | 19 +++++++++++++++++++
 github-apps/qa.json | 18 ++++++++++++++++++
 5 files changed, 111 insertions(+)
 create mode 100644 github-apps/README.md
 create mode 100644 github-apps/ceo.json
 create mode 100644 github-apps/cto.json
 create mode 100644 github-apps/engineer.json
 create mode 100644 github-apps/qa.json
diff --git a/github-apps/README.md b/github-apps/README.md
new file mode 100644
index 0000000..e8f2c51
--- /dev/null
+++ b/github-apps/README.md
@@ -0,0 +1,36 @@
+# GitHub App Manifests
+
+Role-based GitHub Apps for the `privilegedescalation` org. Each role has scoped permissions
+to enforce the PR workflow at the GitHub level.
+
+## Roles
+
+| App | Purpose | Merge | Approve | Push |
+|-----|---------|-------|---------|------|
+| `privilegedescalation-ceo` | PR merging, org admin | yes | no | yes |
+| `privilegedescalation-cto` | PR review/approval, engineering oversight | no | yes | yes |
+| `privilegedescalation-qa` | PR review/approval, bug filing, CI monitoring | no | yes | read-only |
+| `privilegedescalation-engineer` | Code push, PR creation, CI execution | no | no | yes |
+
+## Setup
+
+1. Go to `https://github.com/organizations/privilegedescalation/settings/apps/new`
+2. Paste the JSON from the corresponding manifest file
+3. Save the private key PEM
+4. Add the PEM to the `agent-github-pems` sealed secret in `cpfarhood/kubernetes`
+5. Install the app on the `privilegedescalation` org (all repos)
+6. Update agent CONFIG.md files with the new App ID and PEM path
+
+## Branch Protection
+
+After apps are created, set up branch protection rulesets on each repo:
+- Require PRs before merging to main
+- Require 2 approvals (from CTO + QA apps)
+- Restrict who can merge to the CEO app
+- Require status checks to pass
+
+## PEM Naming Convention
+
+`/paperclip/secrets/github-pems/privilegedescalation-.pem`
+
+Example: `privilegedescalation-ceo.pem`, `privilegedescalation-cto.pem`, `privilegedescalation-qa.pem`, `privilegedescalation-engineer.pem`
diff --git a/github-apps/ceo.json b/github-apps/ceo.json
new file mode 100644
index 0000000..220bbf2
--- /dev/null
+++ b/github-apps/ceo.json
@@ -0,0 +1,19 @@
+{
+ "name": "privilegedescalation-ceo",
+ "url": "https://github.com/privilegedescalation",
+ "hook_attributes": {
+ "url": "https://example.com/placeholder"
+ },
+ "redirect_url": "https://github.com/privilegedescalation",
+ "public": false,
+ "default_permissions": {
+ "administration": "write",
+ "contents": "write",
+ "issues": "write",
+ "pull_requests": "write",
+ "actions": "read",
+ "metadata": "read"
+ },
+ "default_events": [],
+ "description": "CEO agent \u2014 PR merging, org administration"
+}
\ No newline at end of file
diff --git a/github-apps/cto.json b/github-apps/cto.json
new file mode 100644
index 0000000..e70249d
--- /dev/null
+++ b/github-apps/cto.json
@@ -0,0 +1,19 @@
+{
+ "name": "privilegedescalation-cto",
+ "url": "https://github.com/privilegedescalation",
+ "hook_attributes": {
+ "url": "https://example.com/placeholder"
+ },
+ "redirect_url": "https://github.com/privilegedescalation",
+ "public": false,
+ "default_permissions": {
+ "contents": "write",
+ "issues": "write",
+ "pull_requests": "write",
+ "actions": "write",
+ "workflows": "write",
+ "metadata": "read"
+ },
+ "default_events": [],
+ "description": "CTO agent \u2014 PR review/approval, full engineering oversight"
+}
\ No newline at end of file
diff --git a/github-apps/engineer.json b/github-apps/engineer.json
new file mode 100644
index 0000000..34f3bb6
--- /dev/null
+++ b/github-apps/engineer.json
@@ -0,0 +1,19 @@
+{
+ "name": "privilegedescalation-engineer",
+ "url": "https://github.com/privilegedescalation",
+ "hook_attributes": {
+ "url": "https://example.com/placeholder"
+ },
+ "redirect_url": "https://github.com/privilegedescalation",
+ "public": false,
+ "default_permissions": {
+ "contents": "write",
+ "issues": "write",
+ "pull_requests": "write",
+ "actions": "write",
+ "pages": "write",
+ "metadata": "read"
+ },
+ "default_events": [],
+ "description": "Engineer agent \u2014 code push, PR creation, CI execution"
+}
\ No newline at end of file
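Review bot: `"administration": "write"` in ceo.json is the repository-administration permission, which includes repo settings such as branch protection and rulesets, so the app the README plans to constrain with rulesets is also the one able to rewrite them; the commit message's "org admin" corresponds to a separate organization-level permission, so the description and the grant do not match as written. `"pull_requests": "write"` is the same in all four manifests, so the README's Merge and Approve columns are not enforced by these files, only by the rulesets the commit defers, and a sentence saying so in the README would keep readers from treating the manifests as the control. Separately, `hook_attributes.url` is `https://example.com/placeholder` here and in cto.json, engineer.json and qa.json; `default_events` is empty so nothing is delivered today, but adding `"active": false` next to the url would keep a later event subscription from posting payloads to a host outside the org.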
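Review bot: `"workflows": "write"` combined with `"contents": "write"` and `"actions": "write"` in cto.json lets this app change the workflow files whose results the README's "require status checks" rule depends on, so for changes this app pushes the status-check gate is attested by CI it can itself define. That matches the commit message's "full engineering + workflows", but the README's Branch Protection section should state that status checks are not an independent control for the CTO app. If it is not intended, removing the `workflows` line leaves the app, like engineer.json, unable to push changes under `.github/workflows`, so CI definitions would have to arrive through another identity.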
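Review bot: `"pages": "write"` in engineer.json appears in neither the commit message, the README role table nor the manifest's own `description` ("code push, PR creation, CI execution"); if GitHub Pages deployment is part of this role, document it, otherwise drop the line so the grant stays at least privilege. `"actions": "write"` is needed to dispatch runs, but it also covers cancelling and re-running runs and, as far as I can tell, deleting artifacts and logs, which is more than "CI execution" conveys; confirm that scope is wanted or reduce it to `"read"` as qa.json does. Note that `"contents": "write"` on an org-wide install lets this app push to every repository's default branch until the rulesets the README defers are in place.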
diff --git a/github-apps/qa.json b/github-apps/qa.json
new file mode 100644
index 0000000..d482d6e
--- /dev/null
+++ b/github-apps/qa.json
@@ -0,0 +1,18 @@
+{
+ "name": "privilegedescalation-qa",
+ "url": "https://github.com/privilegedescalation",
+ "hook_attributes": {
+ "url": "https://example.com/placeholder"
+ },
+ "redirect_url": "https://github.com/privilegedescalation",
+ "public": false,
+ "default_permissions": {
+ "contents": "read",
+ "issues": "write",
+ "pull_requests": "write",
+ "actions": "read",
+ "metadata": "read"
+ },
+ "default_events": [],
+ "description": "QA agent \u2014 PR review/approval, bug filing, CI monitoring"
+}
\ No newline at end of file