access.md

Access to Node.js Infrastructure

This document describes which groups have access to which Infra assets.

Note that links to @nodejs/ teams are not visible to people who aren't in the Nodejs organization, and the secrets repo is only visible to people who have read access to the nodejs-private organization.

For technical howtos on getting SSH access to the machines, see the SSH guide.

Joining the Build Working Group

Anyone interested in helping out with the Build WG can reach out to existing members to let us know, for example via a GitHub Issue on this repo or through IRC.

Membership of the Build WG involves granting infrastructure access, so full membership of the WG can be a gradual process. However we welcome anyone willing to contribute, and we're always working to make contributions easier.

Once you're an established contributor, an existing Build WG member will invite you to join the WG. A PR adding your name can be raised by either you or them (e.g. #524) and once that gains consensus and is landed you will be onboarded (see the onboarding doc for more details).

Machine Access

For a list of machines, see the inventory.yml. Secrets are stored in the secrets repo, which @nodejs/build (and org owners) have access to. Secrets are individually encrypted, so access to the repo does not itself give access to any of the secrets within. For more info see the repo's README.

Test machines

@nodejs/build have root access to the test CI machines (test-*). The list of members is here.

Infra machines

A subsection of build members have access to infra machines (infra-*). The list of members is here.

The infra group also have access to:

Servers:

• DigitalOcean Droplets (individual accounts)
• Joyent
• MacStadium
• Packet.net (individual accounts)
• Rackspace (individual accounts)
• Scaleway
• SoftLayer (individual accounts)
• linuxOne

Certificates

• Apple
• Digicert for Authenticode
• GoGetSSL for SSL

Other

• Cloudflare
• Mailgun email (uses Rackspace login)

Release machines

A subsection of build members have access to release machines (release-*). The list of members is here.

Infra Access

There are a number of other infra assets maintained by the Build WG, accesses are as follows.

Note that the machines that our Jenkins instances run on are infra machines, and thus any task that requires access to the machine requires infra access.

ci.nodejs.org

• @nodejs/collaborators have access to run Node core tests.

• Run and configure access for other jobs is controlled by the teams who own them (for example, the post-mortem jobs are run by @nodejs/post-mortem, and configured by @nodejs/post-mortem-admins. For more info see the Jenkins access doc.

• @nodejs/build have machine access (the ability to add, remove, and configure machines).

• @nodejs/jenkins-admins have admin access.

ci-release.nodejs.org

• @nodejs/release have access to run builds.

• @nodejs/jenkins-release-admins have admin access.

GitHub Bot

Those with github-bot access have access to the GitHub Bot's configuration, including GitHub and Jenkins secrets. The list of members is here.

NPM Management

We have a number of modules under the Node.js Foundation including:

• citgm
• llnode
• node-gyp
• node-inspect
• node-report

Modules are managed as follows:

• The nodejs-foundation npm user, which is managed by the Build WG, is an administrator on all Foundation npm packages. It is the means to add or remove other module collaborators, and shouldn't be used to publish releases.
• Package mantainers are added as npm "collaborators" to the package, and publish releases.

The credentials required for the nodejs-foundation user are maintained in encrypted form in the secrets repo.