Reduce filecoin-project org ownership

[BigLep]

Done Criteria

1. Reduce org ownership to only a couple of people since "org owners" have the ability to impact the github org as a whole and every repo in the org (docs). This includes destructive one-way operations like repo deletion. These people should:
   1. be active in the filecoin-project org because they are more likely to make informed decisions and
   2. collectively represent multiple independent companies/teams.
2. Review/reduce who has push access to github-mgmt in the org, as that is an escalation path to "org ownership" as well. This translates to looking at the "github-mgmt stewards" team, since that team has push access to github-mgmt. This group should be:
   1. still small (5-8)
   2. active in the org because they are more likely to make informed decisions
   3. representative of multiple independent companies/teams
3. Give the "github-mgmt Stewards" team "moderator" and "security manager" roles.
4. There should be comments above each username that has "org owner like" permissions providing a justification.

Why Important

This is the lowest-hanging fruit to protect the filecoin-project org around overly generous permissions. We're obviously not seeking to restrict access to code itself, and this isn't about checking some box for "good OpSec". Some reasons we care about the OpSec here include:

1. We want to reduce the ability of malicious actors' ability to introduce vulnerabilities/bugs when they compromise a member's account.
2. We want to reduce the possibility that someone's account could be compromised and then destructive actions are taken like deleting repos.

Communication Channels

This issue and the connected PRs are intended to be the main communication channels.

Background

The filecoin-project org has accumulated a lot of permissions over the years. This was somewhat acceptable/mitigated in the past by Protocol Labs Inc being a single company. As Protocol Labs Inc moves to an innovation network of companies (related blog) and projects like Filecoin having more and more independent teams, we're overdue on cleaning up permissions and reevaluating past assumptions.

Notes

1. I don't think giving moderator and security operator roles to a team can be one through github-mgmt itself. For example, I don't see any useful docs when searching Terraform's docs. It would need to be a one-time action through the GitHub UI rather than through github-mgmt.
2. For reference, a similar campaign was done in IPFS earlier in 2024 per [Tracking Issue] "Interplanetary Stack" Github permissions cleanup 2024Q1 ipfs/ipfs#511
3. I went through all permissions listed in github org role docs and then listed how I think they could/should be handled (see the collapsed table at the bottom of [Tracking Issue] "Interplanetary Stack" Github permissions cleanup 2024Q1 ipfs/ipfs#511 (comment)).

## Tasks
- [x] Temporarily escalate @BigLep permissions so can view the [audit log](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization) and give the moderator and security manager permissions to the newly created teams in https://github.com/filecoin-project/github-mgmt/pull/60
- [x] PR for proposing/doing the corresponding permissions changes including the related communication: https://github.com/filecoin-project/github-mgmt/pull/61
- [x] Give the "moderators" team moderator permissions.
- [x] Give the "security-managers" team security manager permissions
- [ ] ~Revoke @BigLep's escalated permissions~ Per #61, he is keeping permissions through 2024-12-31.
- [ ] https://github.com/filecoin-project/github-mgmt/issues/65

[BigLep]

While this captures my current thinking, I don't expect to take any action until this repo is made public per #45

[momack2]

I'm supportive of reducing org owners and also project admins - especially folks not actively involved in the day-to-day project today.

I'd propose moving these folks from "admin" to "member"
- anorth
- jbenet
- mishmosh
- protocolin

Would also propose moving these folks to security mgr + moderator
- arden-sead
- dr-bizz
- filecoin-helper
- galargh
- jmac-sead
- laurentsenta

Also, who is dr-bizz and do they need to be an admin?

cc @smagdali @jennijuju for feedback.

[smagdali]

can confirm that @dr-bizz is Daniel Bisgrove from SEAD (but I had to go check on slack).

Approve of this effort, but would like to pull in @relotnek from FF side.

[BigLep]

@momack2 and @smagdali : thanks for the feedback.

I put my proposal for reducing org ownership here: #61

I had just been planning to give "moderator" and "security manager" roles to the "github-mgmt Stewards" team, but I think it makes sense to have dedicated teams for each of these and for now to have moderators include Sead folks and security managers include FF security folks. I'll make that change now.

[BigLep]

Give the "moderators" team moderator permissions.
Done

Give the "security-managers" team security manager permissions
Done