Investigate alternative jenkins access for backups

[ryanaslett]

The backup server relies on an individual contributors token to access jenkins, which is brittle if that contributor becomes emeritus.

Lets investigate a service account token for that purpose.

[richardlau]

So to kickstart the discussion:

• Jenkins access is gated on GitHub teams.
• The Build WG owns three GitHub accounts (access details in the secrets repo):
  • https://github.com/nodejs-ci (build/infra/ci-iojs-org.md)
  • https://github.com/node-forward-build (build/infra/node-forward-build_github_account.md)
  • https://github.com/nodejs-github-bot (build/github-bot/github_bot_account.md)

These were set up before I joined the WG so I'm a little fuzzy as to the distinction between the three accounts. What I do know:

• The most widely used is nodejs-github-bot. I believe it was originally created for https://github.com/nodejs/github-bot (which is used to post links to Jenkins runs as comments in pull requests (including updating status checks)). More recently it has been co-opted for use in GitHub workflows (e.g. https://github.com/nodejs/admin/blob/main/request-an-access-token.md). This bot account is in the collaborators team and loses access to Jenkins when we lock the CI down for security releases.
• nodejs-ci has access to the private nodejs org (via the tools team). Jenkins has "credentials" configured for this user. I believe it is the user used in Jenkins to checkout code from GitHub for building (it's hard to trace back exactly because Jenkins hides the details of the credentials once entered). I don't think it is in any teams in the public org, but possibly doesn't need to be for checking out code from the public repository (AFAIK nothing we have in Jenkins pushes to GitHub).
• node-forward-build is a member of jenkins-admins and jenkins-release-admins. It is used by automation to start iojs+release nightly builds (basically the user configured on the www server to run https://github.com/nodejs/nodejs-nightly-builder):
  • nightly-builder

    build/ansible/www-standalone/resources/config/nightly-builder.json.j2

    Lines 5 to 6 in ba10835

    	"githubAuthUser": "{{ github_auth_user }}",
    	"githubAuthToken": "{{ github_auth_token }}",

  • nightly-builder-v8-canary-builder

    build/ansible/www-standalone/resources/config/nightly-builder-v8-canary.json.j2

    Lines 5 to 6 in ba10835

    	"githubAuthUser": "{{ github_auth_user }}",
    	"githubAuthToken": "{{ github_auth_token }}",

(FYI @nodejs/security-wg who are currently threat modelling access across the project)

The backup server relies on an individual contributors token to access jenkins, which is brittle if that contributor becomes emeritus.

This is

build/backup/backup_scripts/remove_old.sh

Lines 25 to 26 in ba10835

	JENKINS_CRUMB=$(curl -sL --user "$CREDENTIALS" https://$HOST/'crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
	curl -X POST -q --user "$CREDENTIALS" -H "$JENKINS_CRUMB" https://$HOST/reload

-- AIUI this is making a REST API call to Jenkins to ask it to reload. Of our existing accounts, it probably makes sense to be using the node-forward-build account for this since it's the GitHub admin team for both Jenkins instances?