I'd like to write a little automation to verify that https://hg.mozilla.org/build/tools/raw-file/default/buildfarm/maintenance/production-branches.json's notion of the access level for a repo matches the actual repo configuration, but currently that requires an SSH key. Can I get that information made available via an HTTP call of some sort? Given that, I can in fact drop the access-level information from production-branches.json.
The thing making this complicated is that permissions are gated on group ownership of directories on the ssh server. The HTTP servers have independent copies of the repos and all repos are owned by the same user/group. So to implement this we need a way for the hgweb/HTTP machines to know about the group owner from the hgssh/SSH machine. That likely requires some custom wire protocol hackery so it is downloaded as part of `hg pull`. We have some mechanisms in place for e.g. replicating the clonebundles.manifest file. We can piggyback on that. Alternatively, we could stuff something into hgrc, rely on existing replication of that file's content, and expose the value on hgweb. But the hgrc file can get stale and not reflect reality. Another related feature request is the ability to know which hooks are enabled for a repo. There's a very old bug on file for that.
Maybe there's something that compares hgrc to the group ownership periodically?