Description
Currently, the @openjs-vercel bot has admin access to sensitive infrastructure and repositories (e.g., Vercel deployments). While this level of access is likely necessary for smooth CI/CD operations, it was concerning to observe the bot commit code and approve a pull request, since I, for one, wasn't aware of its existence[^1].
To me, this raises the broader question about access visibility: if we don’t all have a clear understanding of which bots (and their underlying OAuth tokens) have access to what, we’re unprepared to assess or contain damage in the event of a security incident.
Let’s add a request-an-access-token.md to this repository, modeled after nodejs/admin#request-an-access-token.md. This document would:
- List all bots and OAuth tokens with access to this repository or related infrastructure.
- Specify the scope of each token (e.g., read-only, write, admin).
- Include brief notes on why each has access and who maintains it.
Examples to include: @openjs-vercel, @nodejs-crowdin, and any other Web-Infra tokens.
CC @nodejs/web-infra
Footnotes

[^1]: Not blaming anyone, this was a simple wrong OAuth token used, which could've happened to anyone.