!RROtHmAaQIkiJzJZZE:nixos.org

NixOS Infrastructure

408 Members
Next Infra call: 2024-07-11, 18:00 CEST (UTC+2) | Infra operational issues backlog: https://github.com/orgs/NixOS/projects/52 | See #infra-alerts:nixos.org for real time alerts from Prometheus.127 Servers

You have reached the beginning of time (for this room).

SenderMessageTime
18 Feb 2026
@emilazy:matrix.orgemilyI have some thoughts on the RFC 39 things I plan to post soon16:24:13
@hexa:lossy.networkhexa (signing key rotation when)You mean the process?16:24:38
@emilazy:matrix.orgemilyit is probably a bad idea to have a long-lived token that powerful lying around. it probably makes sense to do it from within GHA or to move to a more self-service model where any committer can invite people to the maintainers team and merging new maintainers blocks on that16:25:16
@emilazy:matrix.orgemily(I believe that the rfc39 bot could most likely arbitrarily make any GitHub user committer right now?)16:26:01
@hexa:lossy.networkhexa (signing key rotation when)No idea, I never looked at that token16:27:30
@hexa:lossy.networkhexa (signing key rotation when)But given that no bot account has the maintainer role on the maintainers team, probably16:27:54
@hexa:lossy.networkhexa (signing key rotation when)hm, it's an app apparently16:30:31
19 Feb 2026
@toonn:matrix.orgtoonn This comment does claim that the app only needs `Members: Read and Write` permissions, https://github.com/NixOS/rfc39/blob/master/src/main.rs#L42-L46. 14:08:00
@toonn:matrix.orgtoonn emily: I think that at least addresses your concern about permissions? 14:08:29
@emilazy:matrix.orgemilyI'm pretty sure "Members: Write" is the permission that lets you make anyone a Nixpkgs committer.14:11:04
@toonn:matrix.orgtoonn Ah, it's org-level, not team-level permissions? That makes sense, I guess. Wouldn't GHA require the same privilege level though? 14:14:54
@emilazy:matrix.orgemilyyeah, but all changes to our GHA machinery go through our normal review, and if tokens leak unexpectedly from GHA then GitHub has bigger problems 14:39:40
@hexa:lossy.networkhexa (signing key rotation when)I'14:45:05
@hexa:lossy.networkhexa (signing key rotation when)* I'm super fine with giving it up14:45:09
@toonn:matrix.orgtoonn Hmm, looks like a GitHub App is the only way to get the required permissions, "However, the GITHUB_TOKEN can only access resources within the workflow's repository. If you need to access additional resources, such as resources in an organization or in another repository, you can use a GitHub App." 16:01:06
@toonn:matrix.orgtoonn https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow 16:01:10

Show newer messages

Back to Room ListRoom Version: 6