Merge branch 'main' into ci-timeouts

Author: tim-schilling

.github/workflows/add_member.yml

@@ -29,7 +29,7 @@ jobs:
           python-version: '3.12'
 
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
         with:
           # This is the default, but it's required since we are performing
           # Git operations later on.

.github/workflows/apply.yml

@@ -19,23 +19,22 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: write
+      contents: read
+      pull-requests: write
 
     timeout-minutes: 10
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
         with:
           persist-credentials: false
-
       - name: terraform apply
         # v1.44.0
-        # Use the commit hash for security hardening
-        # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
         uses: dflook/terraform-apply@8f47d0ad9f3cb9e50fd6b3595c0cb98f00c518df
         env:
-          TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.TERRAFORM_MANAGEMENT_GITHUB_TOKEN }}
         with:
           path: "terraform"
           variables: |
@@ -49,7 +48,7 @@ jobs:
         # v0.10.0
         uses: devops-infra/action-commit-push@8a2d9d73c3f506468129be2e4409e60dbed70357
         with:
-          github_token: "${{ secrets.TERRAFORM_MANAGEMENT_GITHUB_TOKEN }}"
+          github_token: ${{ secrets.TERRAFORM_MANAGEMENT_GITHUB_TOKEN }}
           commit_prefix: "[AUTO]"
           commit_message: "State changes after apply"
           force: false

.github/workflows/member-verification.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/plan.yml

@@ -14,55 +14,43 @@ concurrency:
 
 jobs:
   format-terraform-code:
-    name: "Format Terraform code"
+    name: "Check Terraform code formatting"
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
+      pull-requests: write
     timeout-minutes: 10
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
         with:
-          ref: "${{ github.event.pull_request.head.ref }}"
           persist-credentials: false
 
-
-      - name: terraform fmt
-        uses: dflook/terraform-fmt@1964140828a3cd334f311122e09f9e824060382e
+      - name: terraform fmt check
+        # v2.2.2
+        uses: dflook/terraform-fmt-check@10eaa13fa61437aa51be2d12fafe95f152e3512d
         with:
           path: "terraform"
 
-      - name: Commit changes
-        # v0.9.2
-        uses: devops-infra/action-commit-push@8a2d9d73c3f506468129be2e4409e60dbed70357
-        with:
-          github_token: "${{ secrets.GITHUB_TOKEN }}"
-          commit_prefix: "[AUTO]"
-          commit_message: "Format code"
-          force: false
-#          target_branch: "${{ github.event.pull_request.head.ref }}"
-
   plan-changes:
     name: "Org changes plan"
     runs-on: ubuntu-latest
     needs: [ "format-terraform-code" ]
     permissions:
       pull-requests: write
-      contents: write
-
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
         with:
           persist-credentials: false
 
       - name: terraform plan
         # v1.44.0
-        # Use the commit hash for security hardening
-        # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
         uses: dflook/terraform-plan@dc251c444763eed5defd065b866874b6343017ca
         env:
-          TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.TERRAFORM_MANAGEMENT_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           add_github_comment: true
           path: "terraform"

.github/workflows/zizmor.yml

@@ -19,7 +19,7 @@ jobs:
     timeout-minutes: 3
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

docs/decision_record.md

@@ -12,20 +12,25 @@ purpose is to provide transparency and information to future administrators.
 
 ## Decisions
 
-- 2024-11-01: Retain project admins as PyPI Owners.
-  The repository's admins will be retained as PyPI Owners. This provides the project team
-  greater autonomy and allows a repository to be moved out of Django Commons without the
-  admins involvement in extreme cases.
-- 2025-10-10: Finalized selection of the new Django Commons logo.
-  [PR](https://github.com/django-commons/membership/pull/304)
-- 2025-10-10: 2025 admin team reaffirmations.
-  Admin team reaffirmed status for next year if we increase the size of the team,
-  otherwise people are interested in switching with new people.
-- 2025-10-10: Retire PyPI team in favor of all admins
-- 2025-10-10: Create "operations" team.
-  Create an "operations" team for people with elevated permissions across GitHub and
-  PyPI to allow new-to-Django-community people become admins.
+- 2025-12-18: Revise admin qualifications.
+  The admin team and super admin team qualifications have been revised reflect the reality
+  of who we are looking for those roles and their likely qualifications. Admins can be anyone
+  while the super admins must be the trusted members since they will have the privileged
+  access.
 - 2025-11-21: Remove the Security team.
   There is little regular support from the team currently. The new process will be the
   admins will be notified of a security advisory and then they can reach out to community 
   members based on the context of the issue.
+- 2025-10-10: Create "super admins" team.
+  Create a "super admins" team for people with elevated permissions across GitHub and
+  PyPI to allow new-to-Django-community people become admins.
+- 2025-10-10: Retire PyPI team in favor of all admins
+- 2025-10-10: 2025 admin team reaffirmations.
+  Admin team reaffirmed status for next year if we increase the size of the team,
+  otherwise people are interested in switching with new people.
+- 2025-10-10: Finalized selection of the new Django Commons logo.
+  [PR](https://github.com/django-commons/membership/pull/304)
+- 2024-11-01: Retain project admins as PyPI Owners.
+  The repository's admins will be retained as PyPI Owners. This provides the project team
+  greater autonomy and allows a repository to be moved out of Django Commons without the
+  admins involvement in extreme cases.

terraform/production/repositories.tfvars

@@ -285,7 +285,7 @@ repositories = {
     allow_update_branch    = true
     delete_branch_on_merge = false
 
-    has_discussions = false
+    has_discussions = true
     has_wiki        = false
     admins = [
       "amirreza8002",

terraform/tfstate.json

@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.14.3",
-  "serial": 778,
+  "serial": 780,
   "lineage": "425397de-8394-a003-8a6c-bce854d9cc53",
   "outputs": {
     "invalid_users": {
@@ -3101,12 +3101,12 @@
             "default_branch": "main",
             "delete_branch_on_merge": false,
             "description": "a Valkey backend for django",
-            "etag": "W/\"900ab9cde0911515bc590810cc86f2ed47fdf3beb8b64cd1b557e7447f1e1c18\"",
+            "etag": "W/\"42358337689048e797234d896b3c33c2c864390ebfbd58bfceefbc2496a9e141\"",
             "fork": "false",
             "full_name": "django-commons/django-valkey",
             "git_clone_url": "git://github.com/django-commons/django-valkey.git",
             "gitignore_template": null,
-            "has_discussions": false,
+            "has_discussions": true,
             "has_downloads": true,
             "has_issues": true,
             "has_projects": true,