Summary

Adds a new 👥 Team Repo Access IssueOps sample that allows users to request adding or removing a team's access to a repository through an issue-driven workflow with approval gates.

What's included

Issue Template (.github/ISSUE_TEMPLATE/team-ops.yml)

• Action: dropdown to choose add or remove
• Team Slug: the URL-friendly team name
• Repository: target repo name
• Permission: pull / triage / push / maintain / admin (applies to add only)
• Reason: free-text justification

Prepare Workflow (.github/workflows/team-ops-prepare.yml)

• Triggers on issue open with team-ops label
• Parses the issue body with issue-ops/parser
• Validates all inputs (action, team slug format, repo name format, permission)
• Renames the issue for consistency (e.g. Team Ops: Add my-team → org/repo (push))
• Posts instructions with a tamper-proof snapshot comment

Execute Workflow (.github/workflows/team-ops-execute.yml)

• Triggers on /execute-team-ops comment
• Re-parses and re-validates the issue body
• Verifies fields match the prepare snapshot (detects post-submission body edits)
• Requires /approve from approver-team via ApproveOps
• Calls teams.addOrUpdateRepoPermissionsInOrg or teams.removeRepoInOrg
• Labels the issue (team-added / team-removed) and closes it
• Posts success/failure comments

README Updates

• Added Team Repo Access to the solutions list
• Added team-ops, team-added, team-removed labels to the setup section
• Updated org-level permissions note (members: read/write)
• Added a Team Repo Access documentation section

Safeguards

• Input validation in bash (regex checks for team slug, repo name, action, permission)
• Tamper-proof snapshot verification (detects issue body modifications after submission)
• ApproveOps approval gate requiring approver-team membership
• github.event.issue.pull_request == null guard on execute workflow
• Env vars used to prevent script injection