-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: add security steward on/offboarding steps #41129
Conversation
Signed-off-by: Michael Dawson <mdawson@devrus.com>
* Add them to the | ||
[jenkin-admins team](https://GitHub.com/orgs/nodejs/teams/jenkins-admins) | ||
in the GitHub nodejs org. This is needed for them to be able | ||
to lock/unlock the CI during a security release. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't object to this, but this is a change -- currently locking/unlocking the CI for a security release is documented as being something to request the build team to do (see the template issue text for "Notify build-wg of upcoming security release date by opening an issue in nodejs/build to request WG members are available to fix any CI issues." in https://github.com/nodejs/node/blob/master/doc/guides/security-release-process.md).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok that makes sense to me. I'll remove that part for now.
I wonder if this should be either in the TSC repo as part of the Security-Team.md or else in the nodejs-private meta repo to go along with the Triage team onboarding information there. We're starting to fragment documentation that logically should be in one place. |
Although I guess the security release docs are here, so ¯\(ツ)/¯. Even if it's not as part of this PR, we should figure out a way to get all these docs in one place (or maybe two places if we need some private docs). |
Co-authored-by: Voltrex <mohammadkeyvanzade94@gmail.com>
Co-authored-by: Rich Trott <rtrott@gmail.com>
@Trott these security release process doc used to be in the security-wg repo when I originally wrote it. Sam moved it over to her due to the lack of visibility of participation over there. I think for now at least keeping this new doc in the same place make sense. |
@richardlau updated. |
@bengl @vdeturckheim I removed you from the jenkins-admins as @richardlau pointed out we ask the build team members to do the CI lock/unlock. |
Just to reiterate -- I'm not against the idea of expanding who can do the CI lock/unlock but that warrants its own discussion/issue/pull request as it will be a change to what has been done up to now. |
@richardlau that's the way I understood your comment as well. Just wanted to line up what I did with current practice. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to add a note about setting 2FA in H1?
Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
@Trott, added step to confirm they have 2FA enabled. |
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #41129 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Landed in 13ee108 |
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #41129 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #41129 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #41129 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #41129 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: nodejs#41129 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #41129 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Signed-off-by: Michael Dawson mdawson@devrus.com