-
Notifications
You must be signed in to change notification settings - Fork 146
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: document the current state of npm access (#581)
- Loading branch information
1 parent
56aa048
commit deea2f2
Showing
1 changed file
with
22 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,31 +1,42 @@ | ||
| # NPM | ||
|
|
||
| > ⚠️ This document currently described an ideal reality, not what is currently configured. It will either be updated or implemented at some point in the future ⚠️ | ||
| ## Access to the "electron" Organization on NPM | ||
|
|
||
| All [maintainers](../../../charter/README.md#definitions) are entitled to be a "member" of the electron organization on NPM. Permissions on on the `npm` org are managed by the Security Working Group. Head over to the `#wg-security` channel on Slack to ask to be added. By default, new maintainers will be added to the `developers` team. At a minimum a maintainer's `npm` account must have `auth-and-write` 2FA configured. | ||
| Only two accounts are permitted access to the `@electron` org on NPM. Specifically `electron-cfa` and `electronhq`. | ||
|
|
||
| ### NPM Teams | ||
|
|
||
| There are three teams on NPM, `developers`, `cfa`, `electron`. | ||
| There are two teams on NPM, `developers`, and`cfa`. | ||
|
|
||
| * `developers` will have `read` access to all packages with the exception of the "electron" package. | ||
| * `cfa` will have `read/write` on all packages with the exception of the "electron" package. | ||
| * `electron` will have `read/write` on **only** the "electron" package. | ||
|
|
||
| The only user in the `electron` team will be the "electron-bot" user. As such the only user with permission to publish the `electron` package should always be "electron-bot". Publishing of this package will be triggered through `sudowoodo`. | ||
|
|
||
| The only user in the `cfa` team will be the "electron-cfa" user. As such the only user with permission to publish packages in the `electron` organization should be "electron-cfa". As no humans have publish rights to any of these packages they should all be configured with `semantic-release` and the `@electron/semantic-release-npm-cfa` plugin. For information on how to configure this plugin for use with a new package head over to [`continuousauth/web`](https://github.com/continuousauth/web). | ||
|
|
||
| ## Access to the "electron" package on NPM | ||
|
|
||
| The core `electron` package is the one exception to other NPM package rules, namely it is the only old package that we won't ever move into the `@electron` scope and it's the only package that won't be governed by CFA. Instead this package is limited to a third user `electron-nightly` whose only permission is to publish this package. Publishing of this package will be triggered through `sudowoodo`. | ||
|
|
||
| At no point should any human have access to the `electron` NPM package. | ||
|
|
||
| ## Human access to individual packages | ||
|
|
||
| No human should ever have publish rights on their personal `npm` account to any Electron NPM package. | ||
|
|
||
| ## `electron-bot` credentials | ||
| ## New Packages | ||
|
|
||
| All new packages should be created by the Infra Working Group in the `@electron` scope per the access restrictions outlined above. | ||
|
|
||
| ## Credentials | ||
|
|
||
| ### `electronhq` credentials | ||
|
|
||
| Credentials for the "electronhq" user will be stored on the 1-Password, access to these credentials will be controlled by the Infra Working Group. No other working group or user will be granted access to this account. | ||
|
|
||
| ### `electron-cfa` credentials | ||
|
|
||
| Credentials for the "electron-bot" user will be stored on the 1-Password, access to these credentials will be controlled by the Releases Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Releases Working Group needs the 2FA secret to approve releases. | ||
| Credentials for the "electron-cfa" user will be stored on the 1-Password, access to these credentials will be controlled by the Infra Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Ecosystem Working Group needs the 2FA secret to approve releases. | ||
|
|
||
| ## `electron-cfa` credentials | ||
| ### `electron-nightly` credentials | ||
|
|
||
| Credentials for the "electron-cfa" user will be stored on the 1-Password, access to these credentials will be controlled by the Ecosystem Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Ecosystem Working Group needs the 2FA secret to approve releases. | ||
| Credentials for the "electron-nightly" user will be stored on the 1-Password, access to these credentials will be controlled by the Infra Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Releases Working Group needs the 2FA secret to approve releases. |