-
-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
secrets.yaml: add nix-infra-bot #563
Conversation
That seems pretty dangerous. Making the bot an org owner weakens the security of the setup. For less frequent activities such as changing the list of admins, we can have the bot check, but should probably apply things manually. |
How is #398 supposed to work? |
One approach could be to map all of the resources with Terraform still. For public resources, the secrets.GITHUB_TOKEN should be able to query them. In that scenario the CI can do the plan, and would fail on apply. When the failure happens, it's up to the admin to step in and apply the changes manually. It makes things slightly less convenient, but it less convenient, but it would also add an extra layer of security. |
I'd rather manage the org manually and just dump the org api daily as a log. |
I wonder if we can forward the security audit to Matrix |
iirc streaming the audit log is a paid feature. We could try to replicate it by dumping the api hourly, pushing it to a repo and posting the diff? |
Github's audit log could be used as well: https://github.com/organizations/nix-community/settings/audit-log?q=action%3Aorg.invite_member |
That's what I was referring to. We can look at it and export it manually but I think api access to it is a paid feature. |
Might be overkill for now I think to extract it automatically. If something wrong happens we could still visit the page. |
After this is merged I'll make
nix-infra-bot
an org owner and generate an token with org permissions to use with terraform in #544.I'll do the same again in another PR for gitlab.