Request permission to create personal and Jenkins tokens for github-bot add Secrets to nodejs/reliability and nodejs/node #523

Closed
mmarchini opened this issue Jul 1, 2020 · 9 comments

@mmarchini
Contributor

I noticed we don't have a policy to create tokens for github-bot nor do we have a policy to add Secrets (which are used by Actions) to repositories, so I'll assume the same requirements we have for creating GitHub Apps (because functionally creating token + adding secrets is similar to creating an App). This issue bundles a few requests:

For nodejs/reliability

  • Create a Jenkins token for @nodejs-github-bot
  • Create a personal GitHub token for @nodejs-github-bot with repo.public_repo and user.read:user scopes
  • Add those secrets to the nodejs/reliability repository: JENKINS_TOKEN (with the Jenkins token generated above), USER_TOKEN (with the personal access token generated above) and USER_NAME (with nodejs-github-bot)

These tokens will be used by the nodejs/reliability Actions to generate daily reports of all failures in our CI. The reports are generated via ncu-ci.

Ref: nodejs/reliability#24 and nodejs/reliability#25

For nodejs/node

  • Create a Jenkins token for @nodejs-github-bot
  • Create a personal GitHub token for @nodejs-github-bot with repo.public_repo and user.read:user scopes
  • Add those secrets to the nodejs/reliability repository: JENKINS_TOKEN (with the Jenkins token generated above), GH_USER_TOKEN (with the personal access token generated above) and GH_USER_NAME (with nodejs-github-bot)

These tokens will be available for any Actions running on nodejs/node, except for Actions running on the scope of Pull Requests from forks (so a PR with a malicious action does not have access to those tokens). Initially, these tokens are intended to be used on Commit Queue and Start CI via Label Actions, but they will be available for other Actions as well.

Ref: Commit Queue and Start CI via Label (both PRs are blocked until the Secrets are added to the repository).

cc @nodejs/tsc @nodejs/community-committee

@gireeshpunathil
Member

+1

@mmarchini
Contributor Author

mmarchini commented Jul 21, 2020

In theory this requires two approvals from TSC and CommComm (per our GitHub management policy), although until yesterday the policy for adding secrets was unspecified. So ping @nodejs/tsc @nodejs/community-committee.

@mhdawson
Member

+1

@mmarchini
Contributor Author

Sorry for the constant pings, but this still needs two other approvals per our policy. @nodejs/tsc @nodejs/community-committee

@bnb
Contributor

bnb commented Jul 23, 2020

+1, no apology necessary <3

@addaleax
Member

+1

@ahmadawais
Member

+1

@mmarchini
Contributor Author

Thanks! I started to add the secrets, but apparently github-bot doesn't have all the permissions it needs on Jenkins (nodejs/reliability#26). I'll wait until we add those permissions to it before finishing this task.

@mmarchini
Contributor Author

All secrets were added.
