Create GH User for CI/CD

[dsilvam]

Parent Issue

No response

Task

There's a need for a new GH User to be used to run the different GH actions on the CICD pipeline. It will need a PAT with limited scope, including pushing to master. This one the CICD_GITHUB_TOKEN can go away.

Proposed Objective

Core Features

Proposed Priority

Priority 2 - Important

Acceptance Criteria

• New GH User for CICD created
• User has a PAT with the proper limited scope, including pushing to master.
• CICD_GITHUB_TOKEN is removed

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

No response

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

No response

Sub-Tasks & Estimates

No response

### Tasks
- [ ] Create new secrets in core repo
- [x] Create new github user to be our machine user
- [x] Store credentials for new machine user in password DB
- [ ] Update references in github actions
- [ ] Cleanup: Delete old secrets in core repo

[sfreudenthaler]

Ok folks, here's the plan. I spoke with Cloud Eng and they're good with the general approach.

• [x] I've opened up an access request ticket in zendesk so that I can get access to Keeper. It's a password database that allows for secure sharing.
• [x] I created a new google group that will act as the email address for the machine user. I used a google group because it survives past any single employee and allows for us to scale past a single person to get notification
• [x] Create a new github user tied to the google group email address dotcms-github-machine-user@dotcms.com and store the credentials in Keeper
• [x] Setup MFA for github bot account
• [x] Add the new machine user to our dotCMS github org
• [x] Give dotCMS Machine User Write access to the core repo
• [x] Mint a new PAT from the new machine user account
• [x] Create new repo secrets to use new PATs

[erickgonzalez]

Keep in mind that when we remove all existing PAT it will affect LTS as well

[sfreudenthaler]

Keep in mind that when we remove all existing PAT it will affect LTS as well

Oh good point @erickgonzalez . So the existing ones would work till we nuked victors old PATs. But I should add that to the scope of this ticket.

As for making sure things keep working... What's the playbook to update the LTS pipelines? Are they just more places in the yaml on master? Or do I have to go into a specific branch and put up a PR there?

[sfreudenthaler]

• [x] Add the new machine user to our dotCMS github org

Note on this one that I just added to the org. I did not add to any existing group because none stood out as an obvious fit

[sfreudenthaler]

We created new secrets in core repo

• CI_MACHINE_USER
• CI_MACHINE_TOKEN

[sfreudenthaler]

All set... A few notes here

FYI @cobbg and @mbiuki

1. Key rotation should be easy (just update the CI_MACHINE_TOKEN value and voilà, but it's not automated so rotation will be manual at this point in time
2. The credentials, MFA, and PAT for the github account are stored in Keeper under the GitHub Machine User folder. All of the cloud engineering team has access to it. You can ask them for help if you need to get into the account for whatever reason.
3. Scope of the PAT was limited to repo:status, repo_deployment, and public_repo
4. We granted the machine user Writer role to the core repo.

[erickgonzalez]

Keep in mind that when we remove all existing PAT it will affect LTS as well

Oh good point @erickgonzalez . So the existing ones would work till we nuked victors old PATs. But I should add that to the scope of this ticket.

As for making sure things keep working... What's the playbook to update the LTS pipelines? Are they just more places in the yaml on master? Or do I have to go into a specific branch and put up a PR there?

I think @victoralfaro-dotcms is the one can answer this better

[sfreudenthaler]

Also added secrets to plugin-seeds repo by slack request from @victoralfaro-dotcms and @dsilvam

• CI_MACHINE_USER
• CI_MACHINE_TOKEN

NOTE

Used the same values for user and token as I did with core since it's for the same use

[sfreudenthaler]

Request by @victoralfaro-dotcms to alos add the secret to the enterprise repo

[sfreudenthaler]

Request by @victoralfaro-dotcms to alos add the secret to the enterprise repo

✅ Done

[sfreudenthaler]

added workflow permission to the existing token by @victoralfaro-dotcms's request