Update commit queue token permission #640

Closed
aduh95 opened this issue Nov 7, 2021 · 12 comments
Labels
fast-track Fast tracked requests

Comments

Contributor

aduh95 commented Nov 7, 2021

I've been trying to update the CQ to make it able to "purple-merge" PRs with the CQ. Before that, the CQ was using two tokens:

GITHUB_TOKEN is not allowed to merge PRs because it's not part of @nodejs/collaborators, so @targos tried to use @nodejs-github-bot's token to run the CQ. Unfortunately this didn't work:

GraphQL error: Your token has not been granted the required scopes to execute this query. The 'login' field requires one of the following scopes: ['read:org'], but your token has only been granted the: ['read:user', 'repo', 'user:email', 'workflow'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.

https://github.com/nodejs/node/runs/4131235476?check_suite_focus=true

Originally posted by @aduh95 in nodejs/node#40742 (comment)

I'm asking for permission to update the permissions to make the Commit Queue work correctly:

  • read:org
  • notifications

For info, the current permissions for this token are ['read:user', 'repo', 'user:email', 'workflow'].

aduh95 added the fast-track (Fast tracked requests) label Nov 7, 2021
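
An added example (not part of the issue or of the Node.js project's code): it parses the scope error quoted above and checks a scope-change request against it, so a reviewer can see which requested scopes the error actually calls for. The function names are hypothetical, and the sample message is a constructed copy of the quoted error text.

```javascript
// Added example: parse GitHub's "required scopes" GraphQL error and review a
// scope-change request against it. Helper names are hypothetical.

// Constructed sample: the error text quoted in the issue above.
const SAMPLE_ERROR =
  "GraphQL error: Your token has not been granted the required scopes to " +
  "execute this query. The 'login' field requires one of the following " +
  "scopes: ['read:org'], but your token has only been granted the: " +
  "['read:user', 'repo', 'user:email', 'workflow'] scopes.";

// Turn "['a', 'b']" into ['a', 'b'].
function parseList(text) {
  return [...text.matchAll(/'([^']+)'/g)].map((m) => m[1]);
}

// Extract the field, the any-of required scopes and the granted scopes.
function parseScopeError(message) {
  const m = message.match(
    /The '([^']+)' field requires one of the following scopes: (\[[^\]]*\]), but your token has only been granted the: (\[[^\]]*\])/
  );
  if (!m) return null; // not a scope error
  return { field: m[1], anyOf: parseList(m[2]), granted: parseList(m[3]) };
}

// Split requested scopes into those the error justifies, those already
// granted, and those with no supporting evidence (to be questioned in review).
function reviewRequest(requested, error) {
  const result = { justified: [], alreadyGranted: [], unevidenced: [] };
  for (const scope of requested) {
    if (error.granted.includes(scope)) result.alreadyGranted.push(scope);
    else if (error.anyOf.includes(scope)) result.justified.push(scope);
    else result.unevidenced.push(scope);
  }
  // The error is resolved once any one of the required scopes is present.
  const after = new Set([...error.granted, ...result.justified]);
  result.resolvesError = error.anyOf.some((s) => after.has(s));
  return result;
}

const parsed = parseScopeError(SAMPLE_ERROR);
console.log(reviewRequest(['read:org', 'notifications'], parsed));
```

A scope listed as `unevidenced` is only one that this particular error message does not ask for; whether it is needed has to be established some other way, such as a test run.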
Contributor Author

aduh95 commented Nov 7, 2021

For GitHub Apps already used in the Org, or for secrets already used in other
repositories in the Org, the request can be fast-tracked. To fast-track, add
the `fast-track` label to the request, and leave a comment which must contain:
a) a link showing how the GitHub App or the secret being requested is already
in use, and b) ask for approvals to fast-track the request. Two members of
either TSC or CommComm must approve the fast track request. Fast-tracked
requests only need one approval from either TSC or CommComm is required, and
the request must remain open for 72 hours.

Link to the CQ: https://github.com/nodejs/node/runs/4131235476?check_suite_focus=true

The app being already in use, I'm asking to fast-track this request. Please 👍 this comment to approve.

Member

targos commented Nov 7, 2021

Why do we need notifications?
Who can make the change (we should mention them)?

Contributor Author

aduh95 commented Nov 7, 2021

> Why do we need notifications?

I'm not sure we need it, I've added it because of this sentence in GH REST API docs:

> Merge a pull request
> This endpoint triggers notifications.
Source: https://docs.github.com/en/rest/reference/pulls#merge-a-pull-request

It may or may not be necessary, but given the delay of 72 hours for the fast-tracked change to be approved, I thought adding it to the list would not hurt. We should try to only add read:org to that token and see if that's sufficient for the CQ, and only add notifications if it is indeed required.

> Who can make the change (we should mention them)?

Maybe @mmarchini can help with that?

Member

targos commented Nov 8, 2021

/cc @nodejs/tsc

Member

targos commented Nov 10, 2021

Ping @nodejs/tsc

Member

Trott commented Nov 10, 2021

> Ping @nodejs/tsc

I 👍'ed the fast-track request. Is there anything else TSC should be doing with this?

Member

targos commented Nov 10, 2021

I think two 👍🏻 are enough. Now the difficult part will be to find someone who can do the change.

Contributor Author

aduh95 commented Nov 10, 2021

I think anyone that has access to the @nodejs-github-bot GitHub account should be able to do that – the README mentions a 1password account, probably the credentials are there (I don't have access to it AFAIK).

admin/README.md

Lines 48 to 50 in 87bc406

## Node.js 1Password
Thanks to 1Password's [open-source program](https://github.com/1Password/1password-teams-open-source), Node.js has been comped a paid version of 1Password.

Member

Trott commented Nov 10, 2021

> I think anyone that has access to the @nodejs-github-bot GitHub account should be able to do that

@nodejs/github-bot

Member

phillipj commented Nov 11, 2021 via email

Member

Screenshot 2021-11-12 at 22 39 47

@aduh95 try again now?

Contributor Author

aduh95 commented Nov 12, 2021

Just tried, and it works: https://github.com/nodejs/node/runs/4194822955?check_suite_focus=true 🎉 thanks a lot!

aduh95 closed this as completed Nov 12, 2021