| 18 Feb 2026 |
 hexa (signing key rotation when) | You mean the process? | 16:24:38 |
 emily | it is probably a bad idea to have a long-lived token that powerful lying around. it probably makes sense to do it from within GHA or to move to a more self-service model where any committer can invite people to the maintainers team and merging new maintainers blocks on that | 16:25:16 |
| emily | (I believe that the rfc39 bot could most likely arbitrarily make any GitHub user committer right now?) | 16:26:01 |
| hexa (signing key rotation when) | No idea, I never looked at that token | 16:27:30 |
| hexa (signing key rotation when) | But given that no bot account has the maintainer role on the maintainers team, probably | 16:27:54 |
| hexa (signing key rotation when) | hm, it's an app apparently | 16:30:31 |
| 19 Feb 2026 |
 toonn | This comment does claim that the app only needs `Members: Read and Write` permissions, https://github.com/NixOS/rfc39/blob/master/src/main.rs#L42-L46. | 14:08:00 |
| toonn | emily: I think that at least addresses your concern about permissions? | 14:08:29 |
| emily | I'm pretty sure "Members: Write" is the permission that lets you make anyone a Nixpkgs committer. | 14:11:04 |
| toonn | Ah, it's org-level, not team-level permissions? That makes sense, I guess. Wouldn't GHA require the same privilege level though? | 14:14:54 |
| emily | yeah, but all changes to our GHA machinery go through our normal review, and if tokens leak unexpectedly from GHA then GitHub has bigger problems | 14:39:40 |
| hexa (signing key rotation when) | I' | 14:45:05 |
| hexa (signing key rotation when) | * I'm super fine with giving it up | 14:45:09 |
| toonn | Hmm, looks like a GitHub App is the only way to get the required permissions, "However, the GITHUB_TOKEN can only access resources within the workflow's repository. If you need to access additional resources, such as resources in an organization or in another repository, you can use a GitHub App." | 16:01:06 |
| toonn | https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow | 16:01:10 |
| emily | we have a GitHub App for CI | 16:24:31 |
| emily | which already has write access to Nixpkgs | 16:24:36 |
| emily | the token is in the GHA secrets | 16:24:43 |
| emily | (the private key I mean) | 16:24:58 |
| toonn | The required permission is still "members: write". | 16:41:40 |
| emily | right, of course | 16:53:52 |
| emily | (I mean, not actually because you can just assign a maintainer for the nixpkgs-maintainers team) | 16:54:15 |
| emily | (but our CI already has write permissions to Nixpkgs) | 16:54:23 |
| toonn | Would it need to write to Nixpkgs? To update handles in the maintainer list, I guess? Can you assign a GH Action as a maintainer? Repository permissions aren't enough to do organization changes, no? | 16:58:49 |
| emily | RFC39 bot doesn't write to Nixpkgs, no | 17:07:14 |
| emily | I believe you can assign bot accounts as team maintainers, although I'm not 100% on the nuance with GitHub Apps there. | 17:07:47 |
 Mic92 | BMG in case you want to join: https://meet.cccda.de/nix-osin-fra | 17:18:06 |
| toonn | It doesn't? Does it open a PR instead then to update maintainer handles? | 17:21:48 |
| emily | it doesn't update maintainer handles | 17:23:40 |
| emily | at least not that I've ever seen | 17:23:52 |
