Implement an Activity Policy

[bnb]

I'd like to recommend that we introduce an Activity Policy for organization membership to reduce the manual workload of maintaining organization membership and attempt to reduce the surface area for potential issues caused by escalated privileges.

I think we can probably be incredibly lenient in what we consider "activity". I'd consider the following "activity", in the nodejs, pkgjs, and nodejs-private orgs:

• Creating an Issue, PR, or Discussion (ex. org:nodejs author:bnb created:>2021-01-01)
• Commenting on an Issue, PR, or Discussion (ex. org:nodejs commenter:bnb created:>2021-01-01)
• Reviewing a PR (ex org:nodejs reviewed-by:bnb created:>2021-01-01)

I would also include "reacting to an Issue, PR, or Discussion" but it doesn't seem like GitHub has an API that would surface that information. If people think of more things to check programmatically that could be added, I'm wholly onboard with that. I believe our goal should be to consume as many signals as possible, and given that we've consistently decided to centralize on GitHub I think using every available signal is a reasonable way to parse "has this person engaged with the project".

In terms of "what is the scope and approach":

• I'd recommend checking for checking the past year. I don't know of a point in history where an "active" member of the project didn't engage in some way in GitHub at one point or another within the previous 365 days.
  • I'd recommend this be instant rather than moving to a temporary hold group before being released. In CommComm I pretty consistently noticed a pattern where when asked people would say yes but not return, creating an artificial inflation of the number of members despite a majority being in this limbo state.
• I'd recommend committing "decisions" in a repo, so we have an easy log that we can audit.
  • This could include a snapshot of their membership, allowing us to easily reinstate that.
• I'd recommend that we take a similar approach to how some groups have implemented Emeritus, where a simple request to be re-added (perhaps after some period of renewed activity, like a week or a month?) is all that's required. Perhaps this could also be automatic.

Would love to hear thoughts on this.

[Trott]

Prior art:

• TSC charter requires members to attend meetings or participate in votes to retain membership.
  • Window checked is 3 months.
  • Enforced by https://github.com/nodejs/node/blob/a698c49993050491c00d1127236d714c9e8ce2eb/.github/workflows/find-inactive-tsc.yml
• Collaborators in the main repo are required to author or approve commits to retain membership.
  • Window checked is 18 months.
  • Enforced by https://github.com/nodejs/node/blob/a698c49993050491c00d1127236d714c9e8ce2eb/.github/workflows/find-inactive-collaborators.yml

(Not trying to make any particular point. Just adding some context/information about what's already done.)

[mhdawson]

Your suggestions make sense to me. In line with what @Trott implemented in the prior art that he mentioned, it should be automated and I think the way it was done where it generates a PR is a good way to review/land versus the automation just automatically making changes.

[bnb]

Agree that it should be automated and via PR. If we've already got existing infrastructure in Actions, I think it makes sense to re-use that infrastructure.

[mmarchini]

I like this idea. We might want to also add nodejs-private to the list.

[bnb]

@mmarchini done