nodejs / admin

Administrative space for policies of the TSC

Create new github-bot personal token for nodejs/tweet automation #585

Open bnb opened 3 years ago

bnb commented 3 years ago

This week, @joesepi and I spent some time on automating the nodejs/tweet repo so we can consistently and easily get out any tweets that should be going out regularly. We started with two, and in the process came across a tiny hitch: for one action to trigger another, we need to use a PAT instead of the Actions-provided token, since one action can't trigger off of another if there's a GitHub-provided token being used in the other.

Per @gr2m's advice (he is the maintainer of both Actions we're consuming), we need a PAT from the bot with the following permission:

References:

bnb commented 3 years ago

cc @nodejs/tsc @nodejs/community-committee (need two approvals from each committee)

gr2m commented 3 years ago

If you use a single bot account on the @nodejs, and you want to create a token that only has access to the one repository, then you could do that by creating an OAuth token through a GitHub App that you'd register on the @nodejs org. Let me know if that is something you'd like to try and I can help you set it up.

FYI: OAuth tokens from GitHub Apps inherit the permission of the installation. More granular access can be granted with permissions than what is possible with OAuth scopes. And you can give the tokens a subset of the permissions and repository access that the installation has. (At least I think you can, I'd have to double check if that's currently possible for OAuth tokens. It certainly is for installation access tokens, but installation access tokens expire after one hour, while OAuth tokens can be configured not to expire.)

Alternative I: You register a new GitHub app on @nodejs and install the app only on the nodejs/tweets repository. Then you use the app's credentials to generate an installation access token for the current repository, and use that token to create the pull request. When I think about it, this alternative might be simpler than my suggestion above, I should give this a try myself :D

Alternative II: You could create a dedicated bot account only for this purpose and invite the account only to the nodejs/tweet repository 🤷🏼

@bnb As a workaround for the time being you can push an empty commit in order to trigger CI on pull requests created by a GitHub Action using the provided secrets.GITHUB_TOKEN
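
Alternative I from the comment above, as an added example (not part of the thread and not gr2m's or the Node.js project's code): it signs the GitHub App JWT and builds, without sending, the request for an installation access token limited to one repository. The app id 12345, installation id 67890, the `contents`/`pull_requests` permission subset and the inline throwaway key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// App JWT: RS256, iss = app id, expiry at most 10 minutes ahead.
function createAppJwt(appId, privateKeyPem, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    iat: now - 60, // backdated to tolerate clock drift
    exp: now + 9 * 60,
    iss: String(appId),
  }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${header}.${payload}`), privateKeyPem);
  return `${header}.${payload}.${b64url(sig)}`;
}

// Returns the claims if the signature checks out, otherwise null.
function verifyAppJwt(jwt, publicKeyPem) {
  const [header, payload, sig] = jwt.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${header}.${payload}`),
    publicKeyPem, Buffer.from(sig, 'base64url'));
  return ok ? JSON.parse(Buffer.from(payload, 'base64url').toString()) : null;
}

// Request for POST /app/installations/{installation_id}/access_tokens,
// narrowed to one repository and an explicit permission subset.
function buildTokenRequest(jwt, installationId, repo, permissions) {
  return {
    method: 'POST',
    url: `https://api.github.com/app/installations/${installationId}/access_tokens`,
    headers: { authorization: `Bearer ${jwt}`, accept: 'application/vnd.github+json' },
    body: JSON.stringify({ repositories: [repo], permissions }),
  };
}

// Constructed inputs: throwaway key, placeholder ids, assumed permissions.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const jwt = createAppJwt(12345, privateKey, 1700000000);
  const request = buildTokenRequest(jwt, 67890, 'tweet',
    { contents: 'write', pull_requests: 'write' });
  return { jwt, publicKey, claims: verifyAppJwt(jwt, publicKey), request };
}

console.log(demo().request.body);
```

In a workflow the app's private key would be stored as a repository secret in place of a PAT, and the token returned by this request is the short-lived one the comment describes.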

joesepi commented 3 years ago

I approve and thanks for all your help and guidance @gr2m 🙌

targos commented 3 years ago

+1

joyeecheung commented 3 years ago

+1

mhdawson commented 3 years ago

+1

bnb commented 3 years ago

Any way we can get this? @mhdawson?

mhdawson commented 3 years ago

@bnb can you list the steps that I need to go through to get what you want?

bnb commented 3 years ago

@mhdawson from the Node.js GitHub bot account: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token

bnb commented 3 years ago

(that should then be added as a secret to the nodejs/tweet repo)

mhdawson commented 3 years ago

I think I've added it as NODEJS_TWEET

bnb commented 3 years ago

@mhdawson so that worked, which is good news! Unfortunately, I need it from the Node.js bot account rather than from your account.

mhdawson commented 3 years ago

Ok deleted that token.

Too much going on at the same time, I just don't have enough mind space/brain cycles to read/understand the right thing to do here. Can you schedule a time next week for us to do it together?