Add team_permissions support to repository #612

Merged
netomi merged 5 commits into eclipse-csi:main from etas-contrib:feature/pr_tperms
Apr 29, 2026

@WolfgangFischerEtas
Contributor

This pull request introduces first‑class support for managing GitHub team permissions directly within the Repository model in Otterdog. A new optional field has been added:
team_permissions: dict[str, str] | None

Purpose and Scope

The new team_permissions attribute allows repository configurations to define which teams should have which permission levels on a repository. This makes team–repository permission management a declarative part of the repository specification and aligns Otterdog more closely with GitHub’s permission model.

Behavior During Repository Creation and Updates

  • When a repository is created, any defined team_permissions are applied immediately after the repository has been created.
  • When a repository is updated, Otterdog detects changes to team_permissions and applies the necessary permission updates.
  • Updates include adding, removing, or modifying team permissions on the repository.
  • No repositories or teams are created as part of this process; only the permission relationships are updated.

GitHub API Integration

  • Permission updates are executed through one or more GraphQL requests.
  • Permission names used in GraphQL are automatically translated into REST‑compatible permission names to ensure consistent behavior across GitHub APIs.
  • New GraphQL queries were added to retrieve team–repository permission relationships with only one or a couple of calls.

Schema and JSONNET Output Enhancements

  • The JSON schemas have been extended to include the new team_permissions field.
  • A dedicated schema for team permissions has been added.
  • JSONNET output has been updated to correctly quote dictionary keys that may contain characters such as -.

Example configuration entry as part of repository:

team_permissions+: {
  "git-admins": "admin",
  "members": "push",
  "viewers": "pull",
},
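The reconciliation described in this PR description, as an added example that is not Otterdog's own code: it translates GitHub's GraphQL `RepositoryPermission` names to REST names and derives the add/modify/remove operations for one repository. The function names and sample state are hypothetical, and treating an empty dict as "remove every team grant" is an assumption of this sketch.

```python
from __future__ import annotations

# GitHub GraphQL RepositoryPermission values -> REST permission names.
GRAPHQL_TO_REST = {
    "ADMIN": "admin",
    "MAINTAIN": "maintain",
    "WRITE": "push",
    "TRIAGE": "triage",
    "READ": "pull",
}


def normalize_live(live_graphql: dict[str, str]) -> dict[str, str]:
    """Translate live GraphQL permission names into REST names."""
    unknown = sorted(set(live_graphql.values()) - set(GRAPHQL_TO_REST))
    if unknown:
        raise ValueError(f"unknown GraphQL permission(s): {unknown}")
    return {team: GRAPHQL_TO_REST[p] for team, p in live_graphql.items()}


def plan_team_permissions(desired: dict[str, str] | None,
                          live_graphql: dict[str, str]) -> dict:
    """Return the operations that move the live grants to the desired ones.

    desired=None means team_permissions is not specified: nothing is changed.
    """
    plan: dict = {"add": {}, "modify": {}, "remove": []}
    if desired is None:
        return plan
    invalid = sorted(set(desired.values()) - set(GRAPHQL_TO_REST.values()))
    if invalid:
        # Reject typos such as "write" instead of silently skipping a team.
        raise ValueError(f"not a REST permission name: {invalid}")
    live = normalize_live(live_graphql)
    for team, perm in desired.items():
        if team not in live:
            plan["add"][team] = perm
        elif live[team] != perm:
            plan["modify"][team] = (live[team], perm)  # (current, desired)
    # Grants present on GitHub but absent from the config are drift.
    plan["remove"] = sorted(set(live) - set(desired))
    return plan


# Constructed sample: desired config (REST names) vs. live state (GraphQL names).
DESIRED = {"git-admins": "admin", "members": "push", "viewers": "pull"}
LIVE = {"git-admins": "ADMIN", "members": "MAINTAIN", "contractors": "WRITE"}

if __name__ == "__main__":
    print(plan_team_permissions(DESIRED, LIVE))
```

The `remove` list is the part worth reviewing in a plan: it names teams that hold access on the repository without being declared in the configuration.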

@netomi
Member

netomi commented Apr 22, 2026

@WolfgangFischerEtas can you allow maintainers to edit the PR?

@AlexanderLanin
Contributor

@WolfgangFischerEtas can you allow maintainers to edit the PR?

Unfortunately, we cannot do that.

We have to use etas-contrib for contributions (for legal reasons), and since that is an organization-owned fork, GitHub does not allow granting maintainer write access to the PR branch.

So “maintainers can fix the PR” is not possible in this setup.

We can use whatever workaround you prefer, e.g.:

  • merge to a staging branch,
  • you create a follow-up PR based on our branches,
  • what I've personally seen in many projects is to merge and then fix small things afterwards on main, if that’s easier than iterating on the PR.

@netomi
Member

netomi commented Apr 23, 2026

ok I see, then I will test it out differently and provide my review comments.

@netomi
Member

netomi commented Apr 23, 2026

I tested the PR and it works fine, a few small remarks to get this PR ready to be merged:

  • please rebase to the latest changes in main
  • add a changelog entry
  • update the file example/template/otterdog-defaults.jsonnet to include the new team_permissions setting with a default of {} so that one can easily test it out.
  • apply the attached patch which will add handling if team_permissions is not specified in the default config so it's omitted from processing

team_permissions.patch

@WolfgangFischerEtas
Contributor Author

@netomi:
I’ve addressed all the points you mentioned:

  • rebased the branch onto the latest main
  • added a changelog entry
  • updated example/template/otterdog-defaults.jsonnet to include the new team_permissions setting with a default of {} so it’s easy to try out
  • applied the provided team_permissions.patch so that team_permissions is properly omitted from processing when it’s not specified in the default config

While integrating this, I also had to deal with a few typing-related edge cases around _Unset. In particular, once _Unset became part of the effective union type, mypy required explicit type narrowing before accessing dict methods. The final solution uses an explicit isinstance(..., dict) check, which keeps mypy and Ruff both happy.

Please let me know if you see anything else that should be adjusted — otherwise I believe this PR should be ready to merge now.

@netomi
Member

netomi commented Apr 29, 2026

You should not add _Unset as type for the team_permissions field. In fact all properties can also be unset, it's not explicitly specified though. I will go ahead and merge the PR as is and fix that afterwards, ty for the contribution

@netomi netomi merged commit 536c27b into eclipse-csi:main Apr 29, 2026
5 checks passed