Access for LF IT to Jenkins instances #3444

Closed
Tracked by #3443
UlisesGascon opened this issue Aug 10, 2023 · 15 comments

@UlisesGascon
Member

Related #3443

Not sure how to materialize this access in Jenkins. Should we create a GitHub Team for the LF IT and grant them read access? I think that Overall:read will cover all the needs in terms of System, plugins, pipelines, nodes...

@richardlau
Member

> Should we create a GitHub Team for the LF IT and grant them read access?

That sounds reasonable.

> I think that Overall:read will cover all the needs in terms of System, plugins, pipelines, nodes...

May need to be extended read to allow viewing of configuration.

@richardlau
Member

I'll note that adding a new team would also need an update to the security matrices in https://github.com/nodejs/build/blob/main/doc/jenkins-guide.md#security-releases for locking/unlocking the CI for security releases.

@mhdawson
Member

mhdawson commented Oct 3, 2023

@bensternthal which GitHub ids should we provide access to?

@bensternthal

@mhdawson hostmaster+openjs@linuxfoundation.org. CC: @vvalderrv for visibility

@vvalderrv

vvalderrv commented Oct 3, 2023

The GitHub ID is actually thelinuxfoundation
The email address for Jenkins and Cloudflare access is hostmaster+openjs@linuxfoundation.org

@mhdawson
Member

mhdawson commented Oct 4, 2023

PR to update regular authorization matrix - #3509

I've added the group and thelinuxfoundation to the group LinuxIT-infra-temp, and added it to the auth matrix with anything that looked like read enabled.

@richardlau
Member

I forget, did we discuss giving this access to both Jenkins or is this just the test CI?

@mhdawson
Member

mhdawson commented Oct 5, 2023

I think let's start with the public Jenkins as that is much bigger. I don't think there is too much more that LinuxIT will discover by having read access to the release CI. They can probably just assume it is similar to the test CI but 1/10 the size.

If you think otherwise then we could look at access to the release CI as well.

@nschonni
Member

nschonni commented Oct 5, 2023

Probably doesn't matter as a read-only thing, but shouldn't any future write access be granted to actual users, rather than a shared thelinuxfoundation account?

@mhdawson
Member

mhdawson commented Oct 6, 2023

@nschonni using a team is consistent with what we do for other access, so I don't think discussion of that suggestion would be specific to Linux Foundation access.

Access is provided through the group, but individual users are still logged in/authenticated; they just have access because they are part of the GitHub group. I assume that any logging etc. is based on the specific user. If your concern was that thelinuxfoundation sounds like a shared account, I think that is something we can consider once we figure out the model of how the Foundation will help with the infra.

@nschonni
Member

nschonni commented Oct 6, 2023

Probably misunderstanding it, but https://github.com/thelinuxfoundation seems to be a mixed bot+shared credential admin account. Team with actual people sounds like the right approach though.

@ryanaslett
Contributor

Hi there, that GitHub account is the LF's primary account that is used to house ownership of all the subprojects, but it's not something we typically use to authenticate (only superadmins have TFA codes etc.).

I agree an LF admin team would be a good strategy to manage this going forward. Can we create that, start with @vvalderrv and @ryanaslett as the initial members, and grant it read-only access to your public Jenkins as you have before?

(And you can remove the thelinuxfoundation account access too.)

@mhdawson
Member

OK, I removed the original ID, and have sent invites to the two initial members listed.

@UlisesGascon
Member Author

@ryanaslett @vvalderrv can we close this issue?

@vvalderrv

@UlisesGascon Yes, thank you
