blocklist import/export

[bnb]

per the recent discussion around the moderation team and importing/exporting the blocklist across our three orgs (nodejs, pkgjs, and nodejs-private), I went ahead and built out a GitHub Action that allows us to import blocklists from one organization to another organization. In practice, this means that if someone is blocked in the nodejs org, that block can be imported to the other organizations automatically (presumably on a cron or manual run of the Action, rather than being directly triggered by the block event).

You can find the code in cutenode/action-import-blocklist. Implementing it requires a PAT from an account (presumably, in our case, the Node.js bot account) that has the full admin:org permissions, which is required by the GitHub API.

@nodejs/tsc @nodejs/actions want to get feedback on this. My proposal:

• implement syncing to pkgjs and nodejs-private by setting up .github repositories in both and adding workflows. I'm happy to help with this, but it's pretty trivial.
• alternatively, implement syncing by setting up a .github repo in the nodejs org, allowing us to have control within the project of where our blocklist is being exported to and not providing admin:org tokens to those orgs (pkgjs is notably more permissive).

questions I have:

• currently, the Action uses console.log() to output what's happening. This does include usernames. Is this okay, or would we want to omit those?
• I'd prefer to move the action to a project-owned organization. Does this belong under nodejs or under pkgjs?

[Trott]

@nodejs/tsc PTAL. Also, this would be good to at least mention, if not discuss, at the TSC meeting on Thursday.

[ljharb]

I think pkgjs is probably a better place for it.

[bnb]

@Trott has there been any decision from the TSC on implementing this?

[mhdawson]

@bnb my recollection is that there were no concerns raised and understanding was that it could move forward.

[bnb]

I've moved the repo to pkgjs/action-import-blocklist and have opened nodejs/.github#1 which adds the Action to our organization. I specifically put it in our organization because I'd like to keep control of our data and PATs within the org we more aggressively maintain.

I will need to add a token to the nodejs/.github repo from an account that has admin:org permissions in both organizations. My assumption is that @nodejs-github-bot is the correct account for this. I've created #672 to request this.