feat(token): request nodejs.org GH_USER_TOKEN

[avivkeller]

Requesting a @nodejs-github-bot token with contents:write permissions to https://github.com/nodejs/nodejs.org for nodejs/nodejs.org#8231.

cc @nodejs/web-infra @nodejs/releasers

[avivkeller]

Bump @nodejs/tsc

[mcollina]

Why is it neeeded to add a token? Is https://github.com/nodejs/nodejs.org/pull/8231/files#diff-4446f61f8e35de22ab75a2a4f121ca046c28d1e56d5cf46254d8093c230b4ef4R22 not enough?

[avivkeller]

We need to run the CI/CD on the created PRs. Using a GitHub workflow token won't run those checks, so we need a bot token

[aduh95]

We need to run the CI/CD on the created PRs. Using a GitHub workflow token won't run those checks, so we need a bot token

Don't we need to add the label manually anyway?

[avivkeller]

No, the actions that are required (linting, tests, builds) run on all PRs, regardless of the label. Some additional checks (which are optional) run on the label, since they need access to secrets, permissions, etc

[mcollina]

Security-wise, this is relatively problematic as it has been defined.

I've added some comments to mitigate those concerns (leaking said token) via the use of GitHub environments. I would recommend permitting that environment only to members of @nodejs/releasers, @nodejs/build, and @nodejs/web-infra.

[aduh95]

No, the actions that are required (linting, tests, builds) run on all PRs, regardless of the label. Some additional checks (which are optional) run on the label, since they need access to secrets, permissions, etc

FWIW for the "Create release proposal" automation, we workaround this by creating the PR as draft, and workflow are triggered only when the releaser marks the PR as ready for reviews. Maybe that's an approach that would make sense here as well

[avivkeller]

Hmm, that may work! Thanks! I'll look into it

[avivkeller]

Per the suggestion, and discussions in Slack

[avivkeller]

The plan is to either:

1. Mark all checks as optional, use GITHUB_TOKEN
2. Open PR as draft