docs/content/policies/governance.md
Authelia is free from outside parties directly influencing its decision-making and architecture processes and is governed entirely as outlined on this page.
To date, no party that has contributed financially or otherwise to the project has been directly involved in the design or implementation of the project, nor has any such party attempted to influence the project in any way that we are aware of. Our promise is that if this changes we will publish the name of the party and the details of the attempt transparently on this page.
Our affiliations with external companies will be transparently communicated on this page and the sponsors section.
This policy outlines how the Authelia project is governed and the various processes that are in place to ensure that the project is run in a safe and sustainable manner.
The following describes the roles within the Authelia project and their associated responsibilities.
{{% profile-team name="maintainers" %}}
{{% profile-team name="core" %}}
The following table summarizes which sensitive resources each role has access to. For the list of current members in each role see the Maintainers and Core Team sections above.
The table describes only the default access granted to each role. While no member's access currently diverges from these defaults, it may in the future.
| Sensitive Resource | Maintainers | Core Team |
|---|---|---|
| Repository write access (commit and merge) | Y | Y |
| CI/CD pipeline unblock/approval | Y | Y |
| CI/CD pipeline secrets | Y | |
| CI/CD pipeline configuration | Y | |
| Package registry publishing credentials | Y | |
| Infrastructure access | Y | |
| Organization-level administrative access | Y | |
The following technical controls are enforced at the platform level to protect the project's version control system and sensitive resources.
The GitHub organization requires multi-factor authentication (MFA) for all members. Any user who attempts to access sensitive resources in the version control system must have completed MFA enrollment. Members who disable or fail to configure MFA are automatically removed from the organization by GitHub.
Members are also not permitted to rely on less secure multi-factor authentication (MFA) methods such as SMS. See the GitHub documentation for more details.
The project's primary branch (master) is protected by a GitHub repository ruleset. This ruleset enforces the following:
The project maintains several mechanisms for public discussion about proposed changes, usage obstacles, and general community interaction:
For full details see the contact page.
The project welcomes contributions from anyone. The contribution process and requirements for acceptable contributions are documented in the contributing section. In summary:
Contributors are reviewed prior to being granted escalated permissions to sensitive resources, whether directly or via the Roles and Responsibilities. Access to sensitive resources is reviewed on a case-by-case basis, and a contributor who has already been granted access to one sensitive resource is re-reviewed should they need or want access to any additional sensitive resource. Sensitive resources include but are not limited to:
Before a contributor may be granted escalated permissions to any sensitive resource, the following requirements must be satisfied:
The GitHub organization base permission is set to read-only. When a new collaborator is added to the organization they receive no write access by default. All escalated permissions including repository write access are granted exclusively through manual team assignment by a core team member after the review requirements have been satisfied.
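As an added example (not Authelia's own code or tooling), the following Python audit checks the platform controls stated above, MFA required for the organization, a read-only base permission, and an active ruleset protecting master, against JSON shaped like the GitHub REST API responses for `GET /orgs/{org}` and `GET /repos/{owner}/{repo}/rulesets/{id}`. The organization and ruleset payloads below are constructed samples, not captured from the real organization, and the check names are this example's own. Because this page does not list which rules the ruleset enforces, the example only verifies that an active branch ruleset targets master, not the individual rules.

```python
"""Audit GitHub organization and ruleset settings against the stated controls.

Added example, not Authelia project code. Field names follow the GitHub REST
API: `two_factor_requirement_enabled` and `default_repository_permission` on
the organization object, and `target`, `enforcement` and
`conditions.ref_name.{include,exclude}` on a ruleset object.
"""
import fnmatch
import json
from typing import Dict, List, Optional

# Constructed sample responses (not captured from GitHub).
ORG_JSON = json.dumps({
    "login": "example-org",
    "two_factor_requirement_enabled": True,
    "default_repository_permission": "read",
})

RULESETS_JSON = json.dumps([
    {   # active ruleset on the primary branch: counts
        "id": 1, "name": "protect master", "target": "branch", "enforcement": "active",
        "conditions": {"ref_name": {"include": ["refs/heads/master"], "exclude": []}},
        "rules": [{"type": "deletion"}, {"type": "non_fast_forward"}],
    },
    {   # ruleset in evaluate (dry-run) mode: blocks nothing, must not count
        "id": 2, "name": "draft rule", "target": "branch", "enforcement": "evaluate",
        "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
        "rules": [{"type": "pull_request"}],
    },
])


def check_org(org: dict) -> Dict[str, bool]:
    """Organization-level controls: MFA required and a read-only base permission."""
    return {
        "mfa_required": org.get("two_factor_requirement_enabled") is True,
        "base_permission_read_only": org.get("default_repository_permission") == "read",
    }


def ruleset_covers_branch(ruleset: dict, branch: str,
                          default_branch: Optional[str] = None) -> bool:
    """True only if an *active* branch ruleset includes `branch` and does not exclude it.

    Ref conditions use full ref names (refs/heads/<name>), the ~DEFAULT_BRANCH and
    ~ALL placeholders, or fnmatch-style patterns (assumed here via fnmatchcase).
    """
    if ruleset.get("target") != "branch" or ruleset.get("enforcement") != "active":
        return False
    ref = f"refs/heads/{branch}"
    cond = ruleset.get("conditions", {}).get("ref_name", {})

    def matches(pattern: str) -> bool:
        if pattern == "~ALL":
            return True
        if pattern == "~DEFAULT_BRANCH":
            return default_branch == branch
        return fnmatch.fnmatchcase(ref, pattern)

    included = any(matches(p) for p in cond.get("include", []))
    excluded = any(matches(p) for p in cond.get("exclude", []))
    return included and not excluded


def audit(org_json: str, rulesets_json: str, branch: str = "master",
          default_branch: Optional[str] = None) -> Dict[str, bool]:
    """Run every check and return a name -> pass/fail map."""
    report = check_org(json.loads(org_json))
    report["primary_branch_ruleset_active"] = any(
        ruleset_covers_branch(r, branch, default_branch) for r in json.loads(rulesets_json)
    )
    return report


def failing_controls(report: Dict[str, bool]) -> List[str]:
    """Sorted names of the controls that did not pass (empty means compliant)."""
    return sorted(name for name, ok in report.items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(ORG_JSON, RULESETS_JSON).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

To run this against a real organization, feed it the bodies of the two API calls named above (for example via `gh api orgs/<org>` and `gh api repos/<owner>/<repo>/rulesets/<id>`); a ruleset in `evaluate` mode is deliberately treated as absent, since it reports but does not block.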
The core team member approving an escalation is responsible for ensuring the review has been conducted thoroughly. Permissions are scoped to the minimum level necessary for the contributor's role and responsibilities.
Escalated permissions may be revoked at any time by the core team if a contributor is found to have violated project policies, acted in bad faith, or is no longer actively contributing to the project.