Add @nodejs-github-bot to @nodejs/collaborators #536
Comments
@richardlau do you know if making the |
I’m not sure. https://issues.jenkins-ci.org/browse/JENKINS-44920 suggests it should work, https://issues.jenkins-ci.org/browse/JENKINS-63051 claims it does not. |
The user page in Jenkins shows the groups the user is in as far as Jenkins is concerned, e.g. https://ci.nodejs.org/user/nodejs-github-bot/
|
Guess we can try it, and if adding as subteam doesn't work we can add the bot to collaborators directly |
Adding it to the sub-team makes sense to me unless we'd want to remove access for collaborators when doing a security release but still have the bots work. |
(fwiw, brought up in the build team wg meeting and no one had objections to testing it out) |
I'll go ahead and add the bots team as a subteam of collaborators to test if that's enough. If it doesn't work I'll add github-bot as a collaborator and try again. Will keep this open until next Monday in case anyone has any objections. |
List of repositories the bot will gain write access to when added to the collaborators team:
GitHub lists all repositories, not only the ones the bot will be given new access to (for example, it already has write permission on nodejs/node), so I'm not sure which of these teams we'll be granting new access. |
I added the bot as both a subteam and a direct member of collaborators, and it still doesn't have permission to start CI: I'm also getting 403 when trying via API calls. FWIW the issue we found on reliability was different and increasing permissions for the bot was not necessary to fix it (needed to use the github user name instead of the bot email to authenticate to jenkins via API call with token). But we still need to increase bot permissions to start CI if we want to move forward with nodejs/node#34089. |
@nodejs/build Any idea on the CI problem above? |
@mmarchini as an experiment have you tried adding the permissions in the matrix for the GitHub bot user to see if that works or not? That would clarify whether it is an issue with the permissions or how they are being assigned to the GitHub bot. |
I'm not a Jenkins admin so I can't do that, I'm happy to check if someone makes the changes in the matrix |
Did someone add the bot to the matrix? It seems to be working now |
Ok, the bot seems able to start CI when the |
Just so others don't try to do it, when I tried to remove the I thought it was just bad naming on the buttons, but to be sure I tested it on another org with a test team first, and the buttons are right: trying to remove a team from being a subteam of another team will result in the first team being deleted :/ @Trott mentioned he would prefer for the bot user to be added directly to collaborators since in the past we had other bots on the |
So you tried it after bots was removed but github-bot was added as a to the collaborators team? I'm astonished that wouldn't work. Why would someone on a subteam have more permissions than someone directly on the team? So strange.... |
The answer to the "Why can't I disassociate the subteam rather than deleting it?!" question: Go to the subteam's settings and there's a pull down for Parent Team. Select "Clear selected value" and that should make it not have a parent team anymore. |
Disassociated the subteam and added the bot account directly to Collaborators :) |
This was done and the world didn't end, so closing |
As per nodejs/reliability#26, our bot doesn't have the necessary permission to interact with Jenkins via node-core-utils, which prevents it from generating CI failure reports and later will prevent it from starting CI. @richardlau suggested we add the bot to @nodejs/collaborators because Jenkins doesn't have a good UI experience for the lockdown during security releases. The bot already has the same write permissions as the collaborators team to nodejs/node, so there should be no concerns there. It will get extra write permissions to nodejs/node-auto-test, which IMO is a good thing. Not sure if it would give more permissions and I can't find an easy way to check it via GitHub interface.
This is not a collaborator nomination, so I believe this is the appropriate repository to discuss/request permission. cc @nodejs/tsc @nodejs/community-committee @nodejs/jenkins-admins