Description
I noticed we don't have a policy to create tokens for github-bot nor do we have a policy to add Secrets (which are used by Actions) to repositories, so I'll assume the same requirements we have for creating GitHub Apps (because functionally creating token + adding secrets is similar to creating an App). This issue bundles a few requests:
For nodejs/reliability
- Create a Jenkins token for @nodejs-github-bot
- Create a personal GitHub token for @nodejs-github-bot with `repo.public_repo` and `user.read:user` scopes
- Add those secrets to the nodejs/reliability repository: `JENKINS_TOKEN` (with the Jenkins token generated above), `USER_TOKEN` (with the personal access token generated above) and `USER_NAME` (with `nodejs-github-bot`)

These tokens will be used by the nodejs/reliability Actions to generate daily reports of all failures in our CI. The reports are generated via ncu-ci.
Ref: nodejs/reliability#24 and nodejs/reliability#25
For nodejs/node
- Create a Jenkins token for @nodejs-github-bot
- Create a personal GitHub token for @nodejs-github-bot with `repo.public_repo` and `user.read:user` scopes
- Add those secrets to the nodejs/reliability repository: `JENKINS_TOKEN` (with the Jenkins token generated above), `GH_USER_TOKEN` (with the personal access token generated above) and `GH_USER_NAME` (with `nodejs-github-bot`)

These tokens will be available for any Actions running on nodejs/node, except for Actions running on the scope of Pull Requests from forks (so a PR with a malicious action does not have access to those tokens). Initially, these tokens are intended to be used on Commit Queue and Start CI via Label Actions, but they will be available for other Actions as well.
Ref: Commit Queue and Start CI via Label (both PRs are blocked until the Secrets are added to the repository).
cc @nodejs/tsc @nodejs/community-committee