WVUI will ideally publish a new prerelease version of itself on npm on every new merge into master. To get this to work securely and not depend on any Wikimedia employee, we should use a (non-human) npm account to do the publishes in PipelineLib.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Declined | | nnikkhoui | T264244 Publish WVUI to NPM through CI
Declined | | nnikkhoui | T267084 Allow WVUI to authenticate against Gerrit
Declined | | nnikkhoui | T267280 Create service account for npm
Event Timeline
Tagging Release Engineering Team, wondering if there's a best way to do this, if such an account already exists, or if I can just make one : )
There is not currently an account that exists to do this. In the past, what I've done to create bots that operate on Gerrit is to create an account via wikitech and then put a notification on the bot user's talk page; e.g., https://wikitech.wikimedia.org/wiki/User:PipelineBot
Once the bot is created we can add the permissions needed in Gerrit:
- Add bot to non-interactive user's group: https://gerrit.wikimedia.org/r/admin/groups/d39fe9cefd40ca1a07e372c0d7bd7e72ce2e4a2f,members (this changes the threadpool this user will use since latency for bot users is less of a concern than for humans)
- We'll need to know exactly what this bot should be able to do (i.e., push refs and tags vs make new branch) and on what repositories, then an admin can add those perms to those repos
@thcipriani Thanks for the input! Would I need another bot in this case though? This ticket was just for tracking an npm account that would need to be part of the wikimedia npm org. Whichever bots start up the pipeline jobs should still work, unless you recommend making a separate npm-publish bot so it is clear that it is publishing to npm?