Add `@nodejs-github-bot` to `@nodejs/collaborators`

[mmarchini]

As per nodejs/reliability#26, our bot doesn't have the necessary permission to interact with Jenkins via node-core-utils, which prevents it from generating CI failure reports and later will prevent it from starting CI. @richardlau suggested we add the bot to @nodejs/collaborators because Jenkins doesn't have a good UI experience for the lockdown during security releases. The bot already has the same write permissions as the collaborators team to to nodejs/node, so there should be no concerns there. It will get extra write permissions to nodejs/node-auto-test, which IMO is a good thing. Not sure if it would give more permissions and I can't find an easy way to check it via GitHub interface.

This is not a collaborator nomination, so I believe this is the appropriate repository to discuss/request permission. cc @nodejs/tsc @nodejs/community-committee @nodejs/jenkins-admins

[mmarchini]

@richardlau do you know if making the @nodejs/bots team a subteam of collaborators would work? for Jenkins permissions?

[richardlau]

I’m not sure. https://issues.jenkins-ci.org/browse/JENKINS-44920 suggests it should work, https://issues.jenkins-ci.org/browse/JENKINS-63051 claims it does not.

[richardlau]

The user page in Jenkins shows the groups the user is in as far as Jenkins is concerned, e.g. https://ci.nodejs.org/user/nodejs-github-bot/

Jenkins User ID: nodejs-github-bot
Groups:

• nodejs
• nodejs*automation-collaborators
• nodejs*Bots

[mmarchini]

Guess we can try it, and if adding as subteam doesn't work we can add the bot to collaborators directly

[mhdawson]

Adding it to the sub-team makes sense to me unless we'd want to remove access for collaborators when doing as security release but still have the bots work.

[jbergstroem]

(fwiw, brought up in the build team wg meeting and no one had objections to testing it out)

[mmarchini]

I'll go ahead and add the bots team as a subteam of collaborators to test if that's enough. If it doesn't work I'll add github-bot as a collaborator and try again. Will keep this open until next Monday in case anyone has any objections.

[mmarchini]

List of repositories the bot will gain write access when added to the collaborators team:

• nodejs/wasi
• nodejs/gyp-next
• nodejs/webcrypto
• nodejs/promises-debugging
• nodejs/reliability
• nodejs/promise-use-cases
• nodejs/node-auto-test
• nodejs/node-v8
• nodejs/vm
• nodejs/node-chakracore
• nodejs/moderation
• nodejs/help
• nodejs/code-and-learn
• nodejs/node-convergence-archive
• nodejs/node
• nodejs/node-v0.x-archive

GitHub lists all repositories not only the ones the bot will be given new access (for example, it already have write permission on nodejs/node), so I'm not sure which of these teams we'll be granting new access.

[mmarchini]

I added the bot as both a subteam and a direct member of collaborators, and it still doesn't have permission to start CI:

I'm also getting 403 when trying via API calls.

FWIW the issue we found on reliability was different and increasing permissions for the bot was not necessary to fix it (needed to use the github user name instead of the bot email to authenticate to jenkins via API call with token). But we still need to increase bot permissions to start CI if we want to move forward with nodejs/node#34089.

[Trott]

@nodejs/build Any idea on the CI problem above?

[mhdawson]

@mmarchini as an experiment have you tried adding the the permissions in the matrix for the GitHub bot user to see if that works or not? That would clarify whether it is an issue with the permissions or how they are being assigned to the GitHub bot.

[mmarchini]

I'm not a Jenkins admin so I can't do that, I'm happy to check if someone makes the changes in the matrix

[mmarchini]

Did someone add the bot to the matrix? it seems to be working now

[mmarchini]

Ok, the bot seems able to start CI when the @nodejs/Bots team is a subteam of @nodejs/collaborators (good, because I'm not sure we can remove a team from the subteams list of another team).

[mmarchini]

Just so others don't try to do it, when I tried to remove the @nodejs/Bots team from being a subteam of @nodejs/collaborators, I got these messages:

I thought it was just bad naming on the buttons, but to be sure I tested it on another org with a test team first, and the buttons are right: trying to remove a team from being a subteam of another team will result in the first team being deleted :/

@Trott mentioned he would prefer for the bot user to be added directly to collaborators since in the past we had other bots on the @nodejs/bots team, but unfortunately that won't be possible.