| 18 Feb 2026 |
Julien | hexa (signing key rotation when): I am interpreting your answer as: no short-term blockage to take ownership of the deployment. I agree that taking ownership of the maintenance of the software is something else. | 10:01:22 |
Julien | Great thanks! | 10:03:17 |
hexa (signing key rotation when) | We need someone to update the RFC39 tooling. GitHub has deprecated the API we use to manage team members and the GitHub bindings (hubcaps) are unmaintained since 2020. | 16:22:33 |
hexa (signing key rotation when) | https://github.com/NixOS/rfc39 | 16:22:41 |
hexa (signing key rotation when) | also all of the dependencies are stuck in like 2018 | 16:23:58 |
emily | I have some thoughts on the RFC 39 things I plan to post soon | 16:24:13 |
hexa (signing key rotation when) | You mean the process? | 16:24:38 |
emily | it is probably a bad idea to have a long-lived token that powerful lying around. it probably makes sense to do it from within GHA or to move to a more self-service model where any committer can invite people to the maintainers team and merging new maintainers blocks on that | 16:25:16 |
emily | (I believe that the rfc39 bot could most likely arbitrarily make any GitHub user committer right now?) | 16:26:01 |
hexa (signing key rotation when) | No idea, I never looked at that token | 16:27:30 |
hexa (signing key rotation when) | But given that no bot account has the maintainer role on the maintainers team, probably | 16:27:54 |
hexa (signing key rotation when) | hm, it's an app apparently | 16:30:31 |
| 19 Feb 2026 |
toonn | This comment does claim that the app only needs `Members: Read and Write` permissions, https://github.com/NixOS/rfc39/blob/master/src/main.rs#L42-L46. | 14:08:00 |
toonn | emily: I think that at least addresses your concern about permissions? | 14:08:29 |
emily | I'm pretty sure "Members: Write" is the permission that lets you make anyone a Nixpkgs committer. | 14:11:04 |
toonn | Ah, it's org-level, not team-level permissions? That makes sense, I guess. Wouldn't GHA require the same privilege level though? | 14:14:54 |
emily | yeah, but all changes to our GHA machinery go through our normal review, and if tokens leak unexpectedly from GHA then GitHub has bigger problems | 14:39:40 |
hexa (signing key rotation when) | I' | 14:45:05 |
hexa (signing key rotation when) | * I'm super fine with giving it up | 14:45:09 |
toonn | Hmm, looks like a GitHub App is the only way to get the required permissions, "However, the GITHUB_TOKEN can only access resources within the workflow's repository. If you need to access additional resources, such as resources in an organization or in another repository, you can use a GitHub App." | 16:01:06 |
toonn | https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow | 16:01:10 |
emily | we have a GitHub App for CI | 16:24:31 |
emily | which already has write access to Nixpkgs | 16:24:36 |
emily | the token is in the GHA secrets | 16:24:43 |
emily | (the private key I mean) | 16:24:58 |
toonn | The required permission is still "members: write". | 16:41:40 |
emily | right, of course | 16:53:52 |
emily | (I mean, not actually because you can just assign a maintainer for the nixpkgs-maintainers team) | 16:54:15 |
emily | (but our CI already has write permissions to Nixpkgs) | 16:54:23 |
toonn | Would it need to write to Nixpkgs? To update handles in the maintainer list, I guess? Can you assign a GH Action as a maintainer? Repository permissions aren't enough to do organization changes, no? | 16:58:49 |