|
1 | 1 | # NPM
|
2 | 2 |
|
3 |
| -> ⚠️ This document currently described an ideal reality, not what is currently configured. It will either be updated or implemented at some point in the future ⚠️ |
4 |
| -
|
5 | 3 | ## Access to the "electron" Organization on NPM
|
6 | 4 |
|
7 |
| -All [maintainers](../../../charter/README.md#definitions) are entitled to be a "member" of the electron organization on NPM. Permissions on on the `npm` org are managed by the Security Working Group. Head over to the `#wg-security` channel on Slack to ask to be added. By default, new maintainers will be added to the `developers` team. At a minimum a maintainer's `npm` account must have `auth-and-write` 2FA configured. |
| 5 | +Only two accounts are permitted access to the `@electron` org on NPM. Specifically `electron-cfa` and `electronhq`. |
8 | 6 |
|
9 | 7 | ### NPM Teams
|
10 | 8 |
|
11 |
| -There are three teams on NPM, `developers`, `cfa`, `electron`. |
| 9 | +There are two teams on NPM, `developers`, and`cfa`. |
12 | 10 |
|
13 | 11 | * `developers` will have `read` access to all packages with the exception of the "electron" package.
|
14 | 12 | * `cfa` will have `read/write` on all packages with the exception of the "electron" package.
|
15 |
| -* `electron` will have `read/write` on **only** the "electron" package. |
16 |
| - |
17 |
| -The only user in the `electron` team will be the "electron-bot" user. As such the only user with permission to publish the `electron` package should always be "electron-bot". Publishing of this package will be triggered through `sudowoodo`. |
18 | 13 |
|
19 | 14 | The only user in the `cfa` team will be the "electron-cfa" user. As such the only user with permission to publish packages in the `electron` organization should be "electron-cfa". As no humans have publish rights to any of these packages they should all be configured with `semantic-release` and the `@electron/semantic-release-npm-cfa` plugin. For information on how to configure this plugin for use with a new package head over to [`continuousauth/web`](https://github.com/continuousauth/web).
|
20 | 15 |
|
| 16 | +## Access to the "electron" package on NPM |
| 17 | + |
| 18 | +The core `electron` package is the one exception to other NPM package rules, namely it is the only old package that we won't ever move into the `@electron` scope and it's the only package that won't be governed by CFA. Instead this package is limited to a third user `electron-nightly` whose only permission is to publish this package. Publishing of this package will be triggered through `sudowoodo`. |
| 19 | + |
| 20 | +At no point should any human have access to the `electron` NPM package. |
| 21 | + |
21 | 22 | ## Human access to individual packages
|
22 | 23 |
|
23 | 24 | No human should ever have publish rights on their personal `npm` account to any Electron NPM package.
|
24 | 25 |
|
25 |
| -## `electron-bot` credentials |
| 26 | +## New Packages |
| 27 | + |
| 28 | +All new packages should be created by the Infra Working Group in the `@electron` scope per the access restrictions outlined above. |
| 29 | + |
| 30 | +## Credentials |
| 31 | + |
| 32 | +### `electronhq` credentials |
| 33 | + |
| 34 | +Credentials for the "electronhq" user will be stored on the 1-Password, access to these credentials will be controlled by the Infra Working Group. No other working group or user will be granted access to this account. |
| 35 | + |
| 36 | +### `electron-cfa` credentials |
26 | 37 |
|
27 |
| -Credentials for the "electron-bot" user will be stored on the 1-Password, access to these credentials will be controlled by the Releases Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Releases Working Group needs the 2FA secret to approve releases. |
| 38 | +Credentials for the "electron-cfa" user will be stored on the 1-Password, access to these credentials will be controlled by the Infra Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Ecosystem Working Group needs the 2FA secret to approve releases. |
28 | 39 |
|
29 |
| -## `electron-cfa` credentials |
| 40 | +### `electron-nightly` credentials |
30 | 41 |
|
31 |
| -Credentials for the "electron-cfa" user will be stored on the 1-Password, access to these credentials will be controlled by the Ecosystem Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Ecosystem Working Group needs the 2FA secret to approve releases. |
| 42 | +Credentials for the "electron-nightly" user will be stored on the 1-Password, access to these credentials will be controlled by the Infra Working Group. Access to the 2FA secret for this account will be administered separately to the username/password as most of the Releases Working Group needs the 2FA secret to approve releases. |
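Review bot: New line 5 limits the `@electron` org to two accounts, `electron-cfa` and `electronhq`, but new lines 9 and 11 keep a `developers` team with `read` access, and nothing says who is in it or what role or team `electronhq` holds. Either drop `developers` or state its membership, and describe what `electronhq` is used for. New line 9 is also missing a space in "and`cfa`". The removed paragraph required `auth-and-write` 2FA on accounts, yet the new `electronhq` credentials section (new line 34) does not mention 2FA, unlike the `electron-cfa` and `electron-nightly` sections. Add the 2FA requirement there and say how that secret is held.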