Automation in the nodejs
GitHub Organization may require access tokens to
access permission scoped endpoints. In the case of such requirement, the access
token can be requested to be created under the name of @nodejs-github-bot
.
Creating classic tokens for @nodejs-github-bot
is not permitted, only
fine-grained tokens are allowed.
To create a fine-grained access token for @nodejs-github-bot
, follow the
steps as:
- Submit a PR to add the requested repo in the registry below, and describe expected permission scopes.
- A TSC member or a build WG member (who has access to the
@nodejs-github-bot
account) needs to take following action:- Create the fine-grained token at https://github.com/settings/personal-access-tokens/new
in the account
@nodejs-github-bot
, with "Resource owner" to benodejs
, "Only select repositories" to be the requested repository, and requested permission scopes only. - Save the token as a repository secret at
https://github.com/<org>/<repo>/settings/secrets/actions
, do not reveal the token to the anyone in plaintext. - If necessary, grant write access to
@nodejs-github-bot
athttps://github.com/<org>/<repo>/settings/access
. - Land the PR.
- Create the fine-grained token at https://github.com/settings/personal-access-tokens/new
in the account
Fine-grained tokens created with access to https://github.com/nodejs resources will be audited at https://github.com/organizations/nodejs/settings/personal-access-tokens/active.
The "repo" is a string of the GitHub <owner>/<repo>
. Generally, the token should
only be created for repo in the https://github.com/nodejs organization.
The "secret name" is a string that the secret can be referenced in the GitHub Action
scripts. Like a secret name of RELEASE_PLEASE_TOKEN
can be accessed from the script
as ${{ secrets.RELEASE_PLEASE_TOKEN }}
.
The "expiration date" is the date before which the token should be renewed and replaced. This should be no longer than 1 year.
The "pull request" is the PR that initially requested the token, or requested permission scope changes. The PR should describe the permission scopes requested.
Repo | Secret name | Expiration date | Pull Request |
---|---|---|---|
nodejs/import-in-the-middle |
RELEASE_PLEASE_GITHUB_TOKEN |
2025-07-23 | #902 |
nodejs/node-core-utils |
RELEASE_PLEASE_GITHUB_TOKEN |
2025-09-01 | #915 |
nodejs/wasm-builder |
RELEASE_PLEASE_GITHUB_TOKEN |
2025-10-01 | #926 |
nodejs/amaro |
RELEASE_PLEASE_GITHUB_TOKEN |
2025-12-11 | #933 |