| 19 Feb 2026 |
 emily | I'm pretty sure "Members: Write" is the permission that lets you make anyone a Nixpkgs committer. | 14:11:04 |
 toonn | Ah, it's org-level, not team-level permissions? That makes sense, I guess. Wouldn't GHA require the same privilege level though? | 14:14:54 |
| emily | yeah, but all changes to our GHA machinery go through our normal review, and if tokens leak unexpectedly from GHA then GitHub has bigger problems | 14:39:40 |
 hexa | I' | 14:45:05 |
| hexa | * I'm super fine with giving it up | 14:45:09 |
| toonn | Hmm, looks like a GitHub App is the only way to get the required permissions, "However, the GITHUB_TOKEN can only access resources within the workflow's repository. If you need to access additional resources, such as resources in an organization or in another repository, you can use a GitHub App." | 16:01:06 |
| toonn | https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow | 16:01:10 |
| emily | we have a GitHub App for CI | 16:24:31 |
| emily | which already has write access to Nixpkgs | 16:24:36 |
| emily | the token is in the GHA secrets | 16:24:43 |
| emily | (the private key I mean) | 16:24:58 |
| toonn | The required permission is still "members: write". | 16:41:40 |
| emily | right, of course | 16:53:52 |
| emily | (I mean, not actually because you can just assign a maintainer for the nixpkgs-maintainers team) | 16:54:15 |
| emily | (but our CI already has write permissions to Nixpkgs) | 16:54:23 |
| toonn | Would it need to write to Nixpkgs? To update handles in the maintainer list, I guess? Can you assign a GH Action as a maintainer? Repository permissions aren't enough to do organization changes, no? | 16:58:49 |
| emily | RFC39 bot doesn't write to Nixpkgs, no | 17:07:14 |
| emily | I believe you can assign bot accounts as team maintainers, although I'm not 100% on the nuance with GitHub Apps there. | 17:07:47 |
 Mic92 | BMG in case you want to join: https://meet.cccda.de/nix-osin-fra | 17:18:06 |
| toonn | It doesn't? Does it open a PR instead then to update maintainer handles? | 17:21:48 |
| emily | it doesn't update maintainer handles | 17:23:40 |
| emily | at least not that I've ever seen | 17:23:52 |
| emily | (it couldn't do it via direct push anyway since we don't allow those) | 17:24:09 |
| toonn | It claims to though. | 17:24:18 |
| toonn | Or at least RFC 39 says it should : ) | 17:24:28 |
| emily | I don't see that in the text. it just says that handles should be updated in general, not that a bot should do it | 17:26:28 |
| toonn | Looks like it was aspirational "Somewhat half-hearted attempt at checking all the handles and IDs, but it doesn't really work right now." | 17:28:23 |
| toonn | For an action to add members to the organization (since that's a requisite for team membership) or a team it'd need a token from an app with the "members: write" permission. I assume the app would be an empty shell to carry the token with the permission. Then the action can do API requests using the token, parse the maintainers list, get nixpkgs-maintainers membership through the API and | 17:33:20 |
| toonn | invite missing maintainers to the org/team using another API request. | 17:33:27 |
| emily | the app for CI already exists and has write access to Nixpkgs (so there would be no further exposure than we already have) | 17:36:47 |
