f3f3806f60
Four roles with scoped permissions enforcing PR workflow at GitHub level:
- CEO: merge authority, org admin
- CTO: PR review/approval, full engineering + workflows
- QA: PR review/approval, read-only contents, CI monitoring
- Engineer: push branches, open PRs, CI execution

Apps are org-scoped. PEM naming: <org>-<role>.pem
Branch protection rulesets to be configured after app creation.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
GitHub App Manifests
Role-based GitHub Apps for the privilegedescalation org. Each role has scoped permissions
to enforce the PR workflow at the GitHub level.
Roles
| App | Purpose | Merge | Approve | Push |
|---|---|---|---|---|
| privilegedescalation-ceo | PR merging, org admin | yes | no | yes |
| privilegedescalation-cto | PR review/approval, engineering oversight | no | yes | yes |
| privilegedescalation-qa | PR review/approval, bug filing, CI monitoring | no | yes | read-only |
| privilegedescalation-engineer | Code push, PR creation, CI execution | no | no | yes |
Setup
- Go to https://github.com/organizations/privilegedescalation/settings/apps/new
- Paste the JSON from the corresponding manifest file
- Save the private key PEM
- Add the PEM to the `agent-github-pems` sealed secret in `cpfarhood/kubernetes`
- Install the app on the `privilegedescalation` org (all repos)
- Update agent CONFIG.md files with the new App ID and PEM path
Branch Protection
After apps are created, set up branch protection rulesets on each repo:
- Require PRs before merging to main
- Require 2 approvals (from CTO + QA apps)
- Restrict who can merge to the CEO app
- Require status checks to pass
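The four requirements above map onto two repository rulesets rather than one, because bypass actors apply to a whole ruleset: the approval and status-check rules must bind the CEO app too, while only the CEO app may perform the merge. The script below is an added example, not the org's configuration; it builds the JSON bodies for `POST /repos/{owner}/{repo}/rulesets` and validates them. The CEO App ID and the check names are placeholders, and the rule and parameter names follow the GitHub rulesets REST API as I know it (verify against the API reference before use).

```python
import json

CEO_APP_ID = 0            # placeholder: the real ID is shown after app creation
MAIN = {"ref_name": {"include": ["refs/heads/main"], "exclude": []}}


def pr_requirements_ruleset(required_checks):
    """Ruleset 1: PR required, 2 approvals, green checks. No bypass actors, so
    the CEO app is held to these rules exactly like everyone else."""
    return {
        "name": "main-pr-requirements",
        "target": "branch",
        "enforcement": "active",
        "conditions": MAIN,
        "bypass_actors": [],
        "rules": [
            {"type": "pull_request", "parameters": {
                "required_approving_review_count": 2,
                "dismiss_stale_reviews_on_push": True,
                "require_code_owner_review": False,
                "require_last_push_approval": True,
                "required_review_thread_resolution": False,
            }},
            {"type": "required_status_checks", "parameters": {
                "strict_required_status_checks_policy": True,
                "required_status_checks": [{"context": c} for c in required_checks],
            }},
            {"type": "deletion"},
            {"type": "non_fast_forward"},
        ],
    }


def merge_restriction_ruleset(ceo_app_id):
    """Ruleset 2: the 'update' rule blocks every write to main; the CEO app is the
    only bypass actor and may bypass only through a PR merge, never a direct push."""
    return {
        "name": "main-merge-restriction",
        "target": "branch",
        "enforcement": "active",
        "conditions": MAIN,
        "bypass_actors": [
            {"actor_id": ceo_app_id, "actor_type": "Integration", "bypass_mode": "pull_request"}
        ],
        "rules": [{"type": "update"}],
    }


def build_rulesets(ceo_app_id, required_checks):
    return [pr_requirements_ruleset(required_checks), merge_restriction_ruleset(ceo_app_id)]


def validate(rulesets, ceo_app_id):
    """Return policy violations against the four requirements (empty = ok)."""
    problems = []
    by_name = {r["name"]: r for r in rulesets}
    for r in rulesets:
        if r["enforcement"] != "active":
            problems.append(f"{r['name']}: enforcement is {r['enforcement']!r}, not active")
        if "refs/heads/main" not in r["conditions"]["ref_name"]["include"]:
            problems.append(f"{r['name']}: does not target main")
    req = by_name.get("main-pr-requirements")
    if req is None:
        problems.append("missing main-pr-requirements")
    else:
        rules = {x["type"]: x.get("parameters", {}) for x in req["rules"]}
        if req["bypass_actors"]:
            problems.append("main-pr-requirements: must have no bypass actors")
        if rules.get("pull_request", {}).get("required_approving_review_count", 0) < 2:
            problems.append("main-pr-requirements: fewer than 2 approvals required")
        if not rules.get("required_status_checks", {}).get("required_status_checks"):
            problems.append("main-pr-requirements: no required status checks")
    mr = by_name.get("main-merge-restriction")
    if mr is None:
        problems.append("missing main-merge-restriction")
    else:
        expected = [{"actor_id": ceo_app_id, "actor_type": "Integration", "bypass_mode": "pull_request"}]
        if mr["bypass_actors"] != expected:
            problems.append("main-merge-restriction: only the CEO app may bypass, via PR only")
        if not any(x["type"] == "update" for x in mr["rules"]):
            problems.append("main-merge-restriction: missing 'update' rule")
    return problems


if __name__ == "__main__":
    rs = build_rulesets(CEO_APP_ID, ["ci / test"])   # check name is a placeholder
    print(json.dumps(rs, indent=2))
    print("violations:", validate(rs, CEO_APP_ID))
```

The ruleset counts approving reviews; it does not pin them to the CTO and QA apps. "2 approvals from CTO + QA" therefore also depends on which accounts hold write access to the repository, which is worth checking at the same time as the rulesets.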
PEM Naming Convention
/paperclip/secrets/github-pems/privilegedescalation-<role>.pem
Example: privilegedescalation-ceo.pem, privilegedescalation-cto.pem, privilegedescalation-qa.pem, privilegedescalation-engineer.pem