My apologies, I read your post and understood the bot access part. However the timing of it sure as looked smelly to me, that's why I wrote "supposed".
I probably shouldn't have speculated it was all a set up, but even if it wasn't all kicked off with that intent, how it was then used sure was not ok. It reeked of trickery and deceit, which I construed as social engineering from that point of view - hope that makes sense (edit: #1).
Kudos on handling this, and hope you're doing well all considered. It was fantastic to read how you claimed the ownership back.
#1) that they requested "Yesterday we announced Foundation-wide Code of Conduct Enforcement. Part of making that work requires that the dnfadmin GitHub user has owner permissions to GitHub organizations."
No problem. I'm really just trying to keep the story straight.
The only issue I have with the timing is that I told them I was not comfortable with them as admin on the repo, yet as soon as they were made admin (to fix the CLA bot, which happened to be only a week or so after my email), this happened. No social engineering necessary but really poor timing on top of non-existent communication.
I'm thinking the Oxford definition was used here by the author (i.e. tricked into giving up a password):
"(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes."
I didn't really want to argue it any further as the issue was inflamed, but I absolutely think that when an account privilege was requested purely for "trivial thing A and we really really need it because think of the children", for it to then be used in the next breath for "evil thing B" - then what else is it but a more sophisticated social engineering attack? (I would certainly like to know if there's a better definition of it.)
For the benefit of the doubt, there could very well be things going on in the background where the account access was discovered by someone other than those who requested it, who then jumped on the opportunity. However, that's giving a fair bit of leeway.
We had a new repo where the CLA bot was not automatically working. I was busy with a deadline so to unblock the team, I granted admin access.
It wasn't social engineering. I did it. I just didn't realize what was going to happen after doing so.
I explain it all in the post.