Integrate with Crowdin using a special GitHub user

[zeke]

When configuring Crowdin to integrate with GitHub, we should use a GitHub user account that:

• is not tied to any individual
• has admin access to this repo. (write is not adequate)
• has no other special privileges in the @nodejs GItHub organization.

This way if Crowdin were compromised and our i18n user's token was obtained by a bad actor, the affected surface area would be minimal, i.e. just this repo would be vulnerable.

@bnb as I recall, you may have some prior experience with this. Is there a protocol for creating users like this?

[LaurentGoderre]

NodeJS has a bot. It may be sufficient for this usecase.

[bnb]

@zeke I believe we'd probably end up using @nodejs-github-bot, though another one could theoretically be created and added.

@MylesBorins @mhdawson @williamkapke Do y'all have any advice on how we could proceed with this in terms of next steps?

[zeke]

It looks like @obensource had the foresight to grab the nodejs project name on Crowdin: https://crowdin.com/project/nodejs -- we may need @Andrulko's help to switch ownership to whatever user we end up choosing.

[bnb]

Per a quick chat with @williamkapke, the bot deployment can be raised in an issue with the Node.js Build WG and, if approved by them, be pushed up to the TSC for any final concerns.

I'd like to posit that since this is a CommComm initiative, we put the final discussion with the TSC in the Admin repo.

[obensource]

@bnb sounds good. We can raise the issue in the Build WG & TSC Admin repo in order to get this discussion rolling. Hopefully we can figure out exactly which bot needs ownership soon and transfer my ownership over to it as @zeke mentioned. :)

[zeke]

This worked! We now have shared access. Thanks @rvagg 🙏

[zeke]

Re-opening this, as we have to wait for TSC approval to authorize Crowdin.

[zeke]

This happened! Thanks @Trott 💛