Update commit queue token permission

[aduh95]

I've been trying to update the CQ to make it able to "purple-merge" PRs with the CQ. Before that, the CQ was using two tokens:

• @nodejs-github-bot's token to push the commits (@nodejs-github-bot is part of @nodejs/collaborators)
• GITHUB_TOKEN provided by @github-actions to comment/close on PRs

GITHUB_TOKEN is not allowed to merge PRs because it's not part of @nodejs/collaborators, so @targos tried to use @nodejs-github-bot's token to run the CQ. Unfortunately this didn't work:

GraphQL error: Your token has not been granted the required scopes to execute this query. The 'login' field requires one of the following scopes: ['read:org'], but your token has only been granted the: ['read:user', 'repo', 'user:email', 'workflow'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.

https://github.com/nodejs/node/runs/4131235476?check_suite_focus=true

Originally posted by @aduh95 in nodejs/node#40742 (comment)

I'm asking for permission to update the permissions to make the Commit Queue work correctly:

• read:org
• notifications

For info, the current permissions for this token are ['read:user', 'repo', 'user:email', 'workflow'].

[aduh95]

admin/GITHUB_ORG_MANAGEMENT_POLICY.md

Lines 129 to 136 in 87bc406

	For GitHub Apps already used in the Org, or for secrets already used in other
	repositories in the Org, the request can be fast-tracked. To fast-track, add
	the `fast-track` label to the request, and leave a comment which must contain:
	a) a link showing how the GitHub App or the secret being requested is already
	in use, and b) ask for approvals to fast-track the request. Two members of
	either TSC or CommComm must approve the fast track request. Fast-tracked
	requests only need one approval from either TSC or CommComm is required, and
	the request must remain open for 72 hours.

Link to the CQ: https://github.com/nodejs/node/runs/4131235476?check_suite_focus=true

The app being already in use, asking for a fast-tracking this request. Please 👍 this comment to approve.

[targos]

Why do we need notifications?
Who can make the change (we should mention them)?

[aduh95]

Why do we need notifications?

I'm not sure we need it, I've added it because of this sentence in GH REST API docs:

Merge a pull request
This endpoint triggers notifications.
Source: https://docs.github.com/en/rest/reference/pulls#merge-a-pull-request

It may or may not be necessary, but given the delay of 72 hours for the fast-tracked change to be approved, I thought adding it to the list would not hurt. We should try to only add read:org to that token and see if that's sufficient for the CQ, and only add notification if it is indeed required.

Who can make the change (we should mention them)?

Maybe @mmarchini can help with that?

[targos]

/cc @nodejs/tsc

[targos]

Ping @nodejs/tsc

[Trott]

Ping @nodejs/tsc

I 👍'ed the fast-track request. Is there anything else TSC should be doing with this?

[targos]

I think two 👍🏻 are enough. Now the difficult part will be to find someone who can do the change.

[aduh95]

I think anyone that has access to the @nodejs-github-bot GitHub account should be able to do that – the README mentions a 1password account, probably the credentials are there (I don't have access to it AFAIK).

admin/README.md

Lines 48 to 50 in 87bc406

	## Node.js 1Password
	Thanks to 1Password's [open-source program](https://github.com/1Password/1password-teams-open-source), Node.js has been comped a paid version of 1Password.

[Trott]

I think anyone that has access to the @nodejs-github-bot GitHub account should be able to do that

@nodejs/github-bot

[phillipj]

For future ref, credentials to the github-bot account is in the secrets repo. I'll try to adjust the token as described above, before the weekend.

…

On Wed, 10 Nov 2021 at 23:49, Rich Trott ***@***.***> wrote: I think anyone that has access to the @nodejs-github-bot <https://github.com/nodejs-github-bot> GitHub account should be able to do that @nodejs/github-bot <https://github.com/orgs/nodejs/teams/github-bot> — You are receiving this because you are on a team that was mentioned. Reply to this email directly, view it on GitHub <#640 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJMWEY4XKK7CVGHZ5SOFPTULLZFXANCNFSM5HQ423CA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[phillipj]

@aduh95 try again now?

[aduh95]

Just tried, and it works: https://github.com/nodejs/node/runs/4194822955?check_suite_focus=true 🎉 thanks a lot!