Changelog

Enforce Minimum Standards Campaign

by: Francisco Pereira

As Flutter-Global continues to mature, we’re doubling down on the practices that keep our shared ecosystem secure, sustainable, and easy to collaborate in. As part of our Enforce Minimum Standards Campaign, we’re placing a special emphasis on two high-impact areas:

  • Owners backfill: ensuring every capability has a clear, accountable owner.
  • Removing unsafe-admins: eliminating direct user-admin access unless the account is a managed service account.

These actions strengthen our governance, reduce operational risk, and make it easier to maintain consistency across the org.

Why focus on these now?

  • Clear ownership accelerates decision-making, improves incident response, and ensures standards are applied consistently.
  • Removing unsafe-admins closes a significant security gap. Admin access should be rare, auditable, and bound to organizational controls—service accounts provide exactly that.

What we’ll enforce (summary)

For Flutter-Global capabilities

  • _defaults.yml
    • owner: Required and set to the precalculated owner.
    • admins.users: If present, must be members of the service-accounts team.
  • Repository config
    • admins.users: If present, must be members of the service-accounts team.

How the process works

  • Automated PRs: We will open PRs for each capability in the org-config repository to apply the changes or to confirm compliance.
  • Owner backfill: Where owner is missing (Flutter-Global), the PR will set it to the precalculated owner.
  • Unsafe-admins cleanup: PRs will remove direct user admins unless they belong to the service-accounts team.
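
The enforcement rules and PR changes described above, expressed as an added Python example (not Flutter-Global's own tooling). It assumes the config files are already parsed into dictionaries and that admins.users is a list nested under an admins key; the function name, team members and sample values are constructed.

```python
# Added illustration: the keys (owner, admins.users) follow the page; the
# function name, nesting of admins.users and sample data are assumptions.
from copy import deepcopy


def enforce_minimum_standards(defaults, repos, precalculated_owner, service_accounts):
    """Return (fixed_defaults, fixed_repos, findings) without mutating inputs."""
    findings = []
    fixed_defaults = deepcopy(defaults) if defaults else {}
    fixed_repos = deepcopy(repos) if repos else {}

    # Owner backfill: a missing owner is set to the precalculated owner.
    if not fixed_defaults.get("owner"):
        fixed_defaults["owner"] = precalculated_owner
        findings.append(("_defaults.yml", "owner-backfilled", precalculated_owner))

    # Unsafe-admins cleanup, applied to _defaults.yml and each repository config.
    scopes = [("_defaults.yml", fixed_defaults)]
    scopes += [(name, cfg) for name, cfg in sorted(fixed_repos.items())]
    for scope, cfg in scopes:
        admins = (cfg or {}).get("admins") or {}
        users = admins.get("users")
        if not users:
            continue  # admins.users is optional ("if present")
        for user in users:
            if user not in service_accounts:
                findings.append((scope, "unsafe-admin-removed", user))
        # Keep only members of the service-accounts team.
        admins["users"] = [u for u in users if u in service_accounts]
    return fixed_defaults, fixed_repos, findings


# Constructed sample input for one capability.
SERVICE_ACCOUNTS = {"svc-deploy-bot"}
DEFAULTS = {"admins": {"users": ["alice", "svc-deploy-bot"]}}
REPOS = {"payments-api": {"admins": {"users": ["bob"]}}, "docs": {}}

if __name__ == "__main__":
    _, _, report = enforce_minimum_standards(
        DEFAULTS, REPOS, "team-payments", SERVICE_ACCOUNTS
    )
    for scope, action, value in report:
        print(f"{scope}: {action} ({value})")
```

An empty findings list means the capability already meets both standards.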

What you need to do

  • Review your PRs promptly and confirm the changes.
  • If you want to suggest a different owner, please align with the appropriate person and make the change directly in the PR.

Benefits

  • Stronger security posture: admin access becomes controlled, auditable, and limited.
  • Clear accountability: every capability has a responsible owner.

Timeline

  • 3rd February: Initial communication
  • 17th February: PRs are opened for all capabilities that do not meet the above standards.
  • 24th February: Follow-up communications
  • 3rd March: Force-merge the PRs that are still open.

Support

  • Slack: #inner-source for guidance and support.
