CI lock-down for 27th security release

[rvagg]

CI is going to be locked down while we prepare for next week's security release. My current plan is to remove collaborator and public access tomorrow evening, the 23rd, USA time. It'll be opened back up again as soon as the security releases are out. Travis will not be impacted, and I'm not yet sure what the impact will be on the bot requesting lite tests for Collaborator PRs but I think that should be disabled too.

@nodejs/collaborators @nodejs/build

[refack]

The bot uses a collaborator level access token so by default it will get disabled.
If we could have a segregated section of the GUI that only displays the lite jobs, we might be able to consider leaving just that open.
But I have no idea if we can do that, and/or how.
So for this week I think we should keep the bot disabled.

[mcollina]

May I retain access? I think I can be of help for this specific release m, as I worked on several of the fixes.

[mhdawson]

@mcollina that sounds reasonable, @rvagg can probably add you to the matrix to allow that.

[rvagg]

I'm still pulling together releases and am good with local testing for now so I think I'll defer this until tomorrow. Depending on how my day goes, it may be up to 24 hours from now. So feel free to keep using CI for your excellent work collaborators!

[refack]

Heads up nodejs/code-and-learn#92

[rvagg]

before:

after:

(added the nodejs/security group, I think I'll leave that after this for convenience)

[refack]

I added discover to nodejs/releasers and nodejs/security to try to resolve a issue reported by @mcollina

P.S. security team might be too abstracts. Had to add @mcollina explicitly.

[sam-github]

@refack I believe two groups have access to the private security repos/issues: the security team, and the TSC -- and @mcollina has auth via the latter. I'm not sure how the TSC organizes themselves, maybe they don't all want to get notifications for @nodejs/security, and those who do should be explicitly added to nodejs/security?

[mcollina]

@sam-github I'm also part of the security team.

[sam-github]

Hm, I wonder what @refack meant by this?

P.S. security team might be too abstracts. Had to add @mcollina explicitly.

[refack]

believe two groups have access to the private security repos/issues: the security team, and the TSC

AFAICT the GitHub nodejs/security team is composed of 4 sub-teams
https://github.com/orgs/nodejs/teams/security:

Teams 4
security-external
Meta-team for external members of the security team

6 members • 0 teams
security-release
Meta-team for releasers who are all in the security team

10 members • 0 teams
security-triage
Meta-team for members of the security triage team

7 members • 0 teams
security-tsc
Meta-team for TSC members who are all in the security team

17 members • 0 teams

But apparently the Jenkins GitHub-auth plugin doesn't understand that properly ¯\(ツ)/¯

P.S. I'm online most of today, if anyone else needs access.

[refack]

Hm, I wonder what @refack meant by this?

P.S. security team might be too abstracts. Had to add @mcollina explicitly.

I meant two things:

1. It's not working for Jenkins.
2. It seems too broad for me to add all 4 sub-teams, without further consultation.

[rvagg]

CI lockdown should be lifted now