Bot deployment, access, & permission #23
Comments
Since the build group runs and maintains most infra for Node.js I think this would be a good fit. Ultimately, I'd like to see an automatic deployment strategy if the active contributors in here deem it stable enough. Edit: the benefit of having the build group managing it is also that there is an established trust for things like secrets and access.
We could probably have this just deploy like the website, where
Oh true, because of write perms for labels. I don't actually think it's the hugest deal. All the repos are git, anything you could do is pretty easily recoverable (besides deleting user comments strangely enough). If we want it to be secure: we should make it check GPG keys for signed git tag(s).
Also likely needs elevated access to Jenkins.
Hmmm, #29 would need owner GitHub org access. Perhaps it would be better to do that bit through a separate proxy or something so that we don't need to be as worried?
@Fishrock123 could you elaborate on what a separate proxy means in detail/what it would do in practice, and why that would make it safer than just providing this bot with GH org access?
I just moved the bot repo to the org 👯 edit: gave access to everyone in the build WG for now
All of the tasks listed have been completed! 🎉 Closing.
ATM, the bot is deployed manually by @phillipj to his dokku account while we get it started.
The bot account needs significant org permissions to perform some of its actions. This access means PRs need to be carefully reviewed and scrutinized for security before deployment.
We will probably want to:
/cc @mikeal