Shared credentials #441
Seems reasonable to make a bot account in the pkgjs org, and make a token for it? Credentials can be stored in node's 1Password, and won't likely be needed anyways beyond initial setup.
The build wg uses dotgpg to protect secrets but a private repo is used as well.
There is an OpenJS Foundation lastpass account as well I think. This would be a great service for the foundation to offer IMO. I seem to remember hearing that another password app had free premium accounts for OSS projects, but I don't remember the name.
@brianwarner is this something we can use the Foundation lastpass account for?
This may have been the one that you're thinking of, since 1Password is one of the more popular managers: https://github.com/1Password/1password-teams-open-source
Yes definitely, find me on slack and we can coordinate on escrowing the credentials. We have LastPass Enterprise, and I can share creds out to anyone who uses the free version.
Are there org level bot accounts available in GH? I thought they only have real user accounts? Which means that it's not just the password that needs to be shared, but it also needs to be associated with an email... That said, I created the @wiby-bot account (strictly speaking, in violation of GH rules, as they only allow one bot account per person, and I already have one) to unblock myself and we can sort out the details later.
The account is necessary to be able to generate PATs. Adding access in new repos would usually require new tokens (as we shouldn't be keeping them backed up and they're not readable once saved as secrets), which means logging in again, while not frequent, will be necessary.
For email we can PR into https://github.com/nodejs/email/blob/master/iojs.org/aliases.json a new alias called: package-maintenance-admin-members for an email.
As part of work on wiby, I'll need to use a bot account - I do not want to add my personal token to the repo secrets, because there is no way to restrict tokens to a subset of repos. wiby needs push (only push, not merge) access to the dependent repos (or their forks) to be able to kick off the tests (i.e. the test repos under the wiby-test org). We'll also be able to use that token to kick off the integration tests. I figure that I should probably not be the only one with access to that bot account - but that leaves us with a problem of sharing credentials.
Any opinions on how to best do this? Would folks trust sops enough to keep the encrypted secrets in a repo? Possibly even a public one? I keep my PGP key on a Yubikey, not sure what everyone else does.
If we can make some decisions here, we can maybe also document some practices for others?
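As an added illustration of the sops setup the issue body floats (not part of the original thread or of the wiby project), a `.sops.yaml` that encrypts every file under `secrets/` to two maintainers' PGP keys, so either key holder can decrypt the committed file; the fingerprints and paths are placeholders, not real keys or project files:

```yaml
# .sops.yaml (added example; both fingerprints below are placeholders)
creation_rules:
  # Any file matching the regex is encrypted to BOTH maintainer keys, so a
  # single private key (e.g. one kept on a Yubikey) is enough to decrypt.
  - path_regex: ^secrets/.*\.yaml$
    pgp: >-
      0000000000000000000000000000000000000001,
      0000000000000000000000000000000000000002
# Workflow (only the values are encrypted; key names like "github_token"
# stay readable in the committed file, so keep them non-sensitive):
#   sops --encrypt --in-place secrets/bot-token.yaml   # before git add
#   sops --decrypt secrets/bot-token.yaml              # by a listed key holder
#   sops updatekeys secrets/bot-token.yaml             # after editing the pgp list
```

Adding or removing a maintainer means editing the `pgp` list and re-running `sops updatekeys` on each file, and the token itself should still be rotated when someone leaves.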