Migrate periodic GitHub Perm Sync job to GitHub Action
RobertKielty opened this issue · comments
Presently, the periodic invocation of sheriff that applies changes to resources is run via a GCP Cloud Run Job, and we would like to move this to a GitHub Action.
Pros: More transparent, easier debugging, easier for more people to help out.
Note also: we will continue to use Cloud Run for the Webhook listener that currently listens for GH Events.
I'm looking at using GitHub Environments on the sheriff repo settings to isolate gh-org-perm-sync invocations.
Proposing the creation of:
- a staging environment for dry runs
- a production environment for real runs
If I can make this make sense from a sheriff maintainer point-of-view in terms of ease of use/maintenance, I will look at creating a development env if that is useful.
Note: GH Environments are for deployment purposes only.
MUTATE_REPO_PERMISSIONS set to false on both envs
Closing as we have stopped using Sheriff and are now using CLOWarden.
For details on how CLOWarden works, visit https://github.com/cncf/clowarden