Skip to content

Latest commit

 

History

History
55 lines (42 loc) · 3.03 KB

request-an-access-token.md

File metadata and controls

55 lines (42 loc) · 3.03 KB
Raw

Request a nodejs-github-bot token

Automation in the nodejs GitHub Organization may require access tokens to access permission scoped endpoints. In the case of such requirement, the access token can be requested to be created under the name of @nodejs-github-bot.

Creating classic tokens for @nodejs-github-bot is not permitted, only fine-grained tokens are allowed.

To create a fine-grained access token for @nodejs-github-bot, follow the steps as:

  1. Submit a PR to add the requested repo in the registry below, and describe expected permission scopes.
  2. A TSC member or a build WG member (who has access to the @nodejs-github-bot account) needs to take following action:
    1. Create the fine-grained token at https://github.com/settings/personal-access-tokens/new in the account @nodejs-github-bot, with "Resource owner" to be nodejs, "Only select repositories" to be the requested repository, and requested permission scopes only.
    2. Save the token as a repository secret at https://github.com/<org>/<repo>/settings/secrets/actions, do not reveal the token to the anyone in plaintext.
    3. If necessary, grant write access to @nodejs-github-bot at https://github.com/<org>/<repo>/settings/access.
    4. Land the PR.

Fine-grained tokens created with access to https://github.com/nodejs resources will be audited at https://github.com/organizations/nodejs/settings/personal-access-tokens/active.

Registry

The "repo" is a string of the GitHub <owner>/<repo>. Generally, the token should only be created for repo in the https://github.com/nodejs organization.

The "secret name" is a string that the secret can be referenced in the GitHub Action scripts. Like a secret name of RELEASE_PLEASE_TOKEN can be accessed from the script as ${{ secrets.RELEASE_PLEASE_TOKEN }}.

The "expiration date" is the date before which the token should be renewed and replaced. This should be no longer than 1 year.

The "pull request" is the PR that initially requested the token, or requested permission scope changes. The PR should describe the permission scopes requested.

Repo Secret name Expiration date Pull Request
nodejs/import-in-the-middle RELEASE_PLEASE_GITHUB_TOKEN 2025-07-23 #902
nodejs/node-core-utils RELEASE_PLEASE_GITHUB_TOKEN 2025-09-01 #915
nodejs/wasm-builder RELEASE_PLEASE_GITHUB_TOKEN 2025-10-01 #926