From 493980da27114d77915ccbf8405605b979793da9 Mon Sep 17 00:00:00 2001 From: Chengzhong Wu Date: Wed, 17 Jul 2024 04:44:29 +0800 Subject: [PATCH 1/2] doc: document how to request a token with github-nodejs-bot Document how to request a fine-grained token with github-nodejs-bot's name. After this landed, github-nodejs-bot tokens that are not fine-grained tokens like https://github.com/nodejs/docker-node/blob/main/.github/workflows/automatic-updates.yml#L28 may be updated to be fine-grained tokens. --- request-an-access-token.md | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 request-an-access-token.md diff --git a/request-an-access-token.md b/request-an-access-token.md new file mode 100644 index 0000000..7fc490a --- /dev/null +++ b/request-an-access-token.md 
@@ -0,0 +1,42 @@ +# Request a nodejs-github-bot token + +Automation in the `nodejs` GitHub Organization may require access tokens to +access permission scoped endpoints. In the case of such requirement, the access +token can be requested to be created under the name of [`@nodejs-github-bot`][]. + +Creating classic tokens for [`@nodejs-github-bot`][] is not permitted, only +fine-grained tokens are allowed. + +To create a fine-grained access token for [`@nodejs-github-bot`][], follow the +steps as: + +1. Submit a PR to add the requested repo in the registry below, and describe + expected permission scopes. +1. A TSC member or a build WG member (who has access to the [`@nodejs-github-bot`][] + account) needs to take following action: + 1. Create the fine-grained token at https://github.com/settings/personal-access-tokens/new + in the account [`@nodejs-github-bot`][], with "Resource owner" to be + `nodejs`, "Only select repositories" to be the requested repository, + and requested permission scopes only. + 1. Save the token as a repository secret at `https://github.com///settings/secrets/actions`, + do not reveal the token to the anyone in plaintext. + 1. Land the PR. + +Fine-grained tokens created with access to https://github.com/nodejs resources will +be audited at https://github.com/organizations/nodejs/settings/personal-access-tokens/active. + +## Registry + +The "repo" is a string of the GitHub `/`. Generally, the token should +only be created for repo in the https://github.com/nodejs organization. + +The "secret name" is a string that the secret can be referenced in the GitHub Action +scripts. Like a secret name of `RELEASE_PLEASE_TOKEN` can be accessed from the script +as `${{ secrets.RELEASE_PLEASE_TOKEN }}`. + +Repo | Secret name +--- | --- +nodejs/import-in-the-middle | RELEASE_PLEASE_GITHUB_TOKEN + + +[`@nodejs-github-bot`]: https://github.com/nodejs-github-bot From a03e2cc8b0dac5b846ade073ca8bcd0241a263c7 Mon Sep 17 00:00:00 2001 
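Review bot: the secret-location step and the Registry definition in this hunk have lost their placeholders: the step reads `https://github.com///settings/secrets/actions` and the Registry section says the repo "is a string of the GitHub `/`", so a reader cannot tell what belongs in the gaps (presumably the owner and repository name); if angle-bracket placeholders were eaten when the markdown rendered, wrap them in backticks or escape them so they survive. Two documentation gaps are worth closing before this lands: the registry table records only Repo and Secret name even though step 1 asks the requester to describe the permission scopes, so a Permissions column (and the token's expiration date) would give the audit at the organization's active-tokens page something to check against; and the steps never say which expiration to choose for the fine-grained token or who is responsible for re-issuing it and updating the repository secret when it expires. Minor: "do not reveal the token to the anyone in plaintext" should read "to anyone", and the commit subject says `github-nodejs-bot` while the heading, the link label and the link target all use `nodejs-github-bot`.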
From: Chengzhong Wu Date: Wed, 17 Jul 2024 04:47:51 +0800 Subject: [PATCH 2/2] Update README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index caf864b..2ffe224 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,10 @@ Groups are created in 1Password with a 1:1 mapping of Node.js organization teams - **Social Team:** For the [Social Team](#social-team) to contain official account credientials. +## @nodejs-github-bot + +Follow the steps in [request-an-access-token](./request-an-access-token.md) to request an access token under the name of [`@nodejs-github-bot`][]. + ## Node.js Project Calendar A calendar of the project's meetings can be found at: @@ -79,3 +83,5 @@ This list should be reviewed and pruned annually (at minimum). The calendar has - [@MylesBorins](https://github.com/MylesBorins) - **Myles Borins** - [@ruyadorno](https://github.com/ruyadorno) - **Ruy Adorno** - [@trott](https://github.com/trott) - **Rich Trott** + +[`@nodejs-github-bot`]: https://github.com/nodejs-github-bot
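Review bot: the new `## @nodejs-github-bot` section in the first README hunk should state that only fine-grained tokens are issued, since that is the central rule of request-an-access-token.md and a README reader will otherwise assume a classic token can be requested; rewording the sentence to "to request a fine-grained access token under the name of [`@nodejs-github-bot`][]" is enough. The link reference added in the second hunk resolves that label correctly, so no change is needed there.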