Create an account just for token creation

[maelle]

as mentioned by @assignUser #123 (comment)

Advantages

• no access to other repos
• if using an address like [email protected] and well named tokens, several people would be notified of tokens needing to be renewed.

[mpadge]

This gained a boost in importance this week, with the discovery that GitHub must have somehow changed their token handling. Up until now, the main token shared between pkgcheck and pkgcheck-action (called "RRT_TOKEN") was a simple repo-level token that could be created by anyone with admin access, yet did not need to be a personal token. That recently stopped working, and the use of the token here:

pkgcheck/.github/workflows/docker.yaml

Lines 50 to 54 in 86bb654

	- name: Trigger pkgcheck-action build
	if: ${{ github.event_name != 'pull_request' }}
	uses: actions/github-script@v6
	with:
	github-token: ${{ secrets.RRT_TOKEN }}

now only works with a personal token copied over to the equivalent token values here and in pkgcheck-action. I'll update the docs straight away to indicate this. The process will then definitely be easier and more robust if we had an account for token creation.

[maelle]

why not use ropenscibot then?

[mpadge]

Yep, my thought too. We would then need to ensure that at least one person with admin there was also watching notifications from pkgcheck.

[maelle]

what sort of notifications would be relevant? the token expiration?

[mpadge]

Yes. Technically they'd just have to watch whatever issue was given here:

pkgcheck/.github/workflows/monthly.yaml

Line 26 in 0728387

issue_number: 123,

which is where the token expiration notifications come. Shall we set that up then?

[mpadge]

Description of tokens added in this ropensci-review-tools commit, including a section on "Assigning 'RRT_TOKEN' updates to a different person." Maybe that's actually sufficient for now? What do you think @maelle @assignUser ❓

Rendered section on tokens is here, with description of maintance-handover here.