| 18 Feb 2026 |
 hexa (signing key rotation when) | You mean the process? | 16:24:38 |
 emily | it is probably a bad idea to have a long-lived token that powerful lying around. it probably makes sense to do it from within GHA or to move to a more self-service model where any committer can invite people to the maintainers team and merging new maintainers blocks on that | 16:25:16 |
| emily | (I believe that the rfc39 bot could most likely arbitrarily make any GitHub user committer right now?) | 16:26:01 |
| hexa (signing key rotation when) | No idea, I never looked at that token | 16:27:30 |
| hexa (signing key rotation when) | But given that no bot account has the maintainer role on the maintainers team, probably | 16:27:54 |
| hexa (signing key rotation when) | hm, it's an app apparently | 16:30:31 |
| 19 Feb 2026 |
 toonn | This comment does claim that the app only needs `Members: Read and Write` permissions, https://github.com/NixOS/rfc39/blob/master/src/main.rs#L42-L46. | 14:08:00 |
