Integrate with Crowdin using a special GitHub user #1220

Closed
zeke opened this issue Apr 9, 2018 · 13 comments

Comments

@zeke

zeke commented Apr 9, 2018

Source: nodejs/i18n#57

When configuring Crowdin to integrate with GitHub, we should use a GitHub user account that:

  • is not tied to any individual
  • has admin access to this repo. (write is not adequate)
  • has no other special privileges in the @nodejs GitHub organization.

This way if Crowdin were compromised and our i18n user's token was obtained by a bad actor, the affected surface area would be minimal, i.e. just this repo would be vulnerable.

cc @williamkapke @bnb @obensource

@rvagg
Member

rvagg commented Apr 9, 2018

Yeah, so who needs access to this user? I can set one up with shared 2fa and give access to the details in nodejs/secrets to the people that need the credentials--they'll also need PGP to access the details in the secrets repo. Or, if it's straightforward, I could probably use it to sign up for you if you give me instructions on what needs to be done.

@rvagg
Member

rvagg commented Apr 9, 2018

Also, having scanned the original issue, I don't think this requires special permission from the TSC and/or ComCom does it? This is just the i18n group doing its own thing. As long as this user has access that's limited to that repo and passes our 2fa requirement then it should be fine.

@zeke
Author

zeke commented Apr 9, 2018

Great! It would be handy if I had access so I could help configure our Crowdin integration. Very few folks will need access. We can dole out 'manager' access on Crowdin as needed.

@rvagg
Member

rvagg commented Apr 9, 2018

@zeke k, gimme your public PGP key and I'll set you up. You'll be able to add new people to the directory I make in nodejs/secrets for this.

@obensource
Member

@zeke @rvagg I think only i18n maintainers should need access for this. Currently – @zeke @RichardLitt @bnb and myself (@obensource). Thanks y'all!

@rvagg
Member

rvagg commented Apr 9, 2018

ok, someone give me a pgp/gpg key and I'll set you up and you can add the rest yourselves

@nodejs-crowdin is created, it has an email for the github account nodejs/email#91

https://github.com/nodejs-private/secrets/pull/17 (you each have invites to the repo) creates an i18n directory in the secrets repo. It uses dotgpg so only the people with their pgp key in that directory can read/edit files. You're welcome to use it for any other shared secrets that your group has too, it's your space (build has their own, the github-bot folks have their own). Once I put one of your pgp keys in there you can then add each other without needing me, you could even remove me if you like.

@obensource
Member

@rvagg sent (to your public email)! Thanks for setting this all up! 🍻

@rvagg
Member

rvagg commented Apr 9, 2018

OK cool, I've added that and merged the PR. Now you need to install dotgpg so you can read that file and add the others' keys to the directory. Manage that directory as if it's your own repo, just as long as everything's encrypted.

You'll also need to be able to use the raw 2fa seed that's in i18n/nodejs-i18n-github.md. I've put in an example alias that you could put in your .profile that uses speakeasy to generate tokens from it (npm i -g speakeasy). You should also be able to add it to Authy or some other app that can generate tokens for you if you prefer.

I added the user as an Admin to nodejs/i18n btw, so you just need to add it to crowdin and you should be good to go I suppose.

@obensource
Member

@rvagg awesome! Thanks for the examples/directions, and setting us up. Really appreciate it! 🙌

@obensource
Member

@zeke if I can get your key, I'll add you tonight while I prep for tomorrow's WG meeting. 🎉

@zeke
Author

zeke commented Apr 9, 2018

@rvagg I'm https://keybase.io/zeke -- is that sufficient?

@rvagg
Member

rvagg commented Apr 9, 2018

yep, keybase is fine, I might leave it to @obensource to add that one for practice—grab the public key block from https://keybase.io/zeke from the key link (00CC DF11 30D9 98B6) and paste that in to dotgpg add when you're inside secrets/i18n, then you'll need to git add the key that ends up in the .gpg directory, commit that and the changed .md file and push that to the repo.

@obensource
Member

Thanks @rvagg!
