
Use account-based API tokens for Cloudflare

Open flakey5 opened this issue 8 months ago • 3 comments

Account API tokens are now available and I think we should switch to them.

IIRC we're currently using User API tokens. These are tied to the user that created them. If the user leaves the account, they are automatically revoked. The user that created them is also the only user that can manage the token (i.e. to roll it or delete it).

Account API tokens are tied to the account itself, regardless of who created them.

To quote the Cloudflare dash:

Account API Tokens: Create API tokens for service authentication and bucket access that are tied to the entire account. These remain active even when you leave the organization, making them ideal for production systems. (recommended)

User API Tokens: Create API tokens for service authentication and bucket access specific to your user account. These become inactive if you leave the organization, making them ideal for personal access or development work.

Permissions the token will need:

| Resource Type | Name               | Permission |
|---------------|--------------------|------------|
| Account       | Workers Scripts    | Edit       |
| Account       | Workers R2 Storage | Read       |

(also, it'd be nice to have Edit for Workers KV Storage re #159, but not necessary atm).

Ideally this is done not on a Node.js release day and is tested after swapping the secret on GitHub by manually triggering a release via dispatching the deploy workflow.

cc @nodejs/build since someone with access will need to generate the new token

flakey5 Apr 24 '25 17:04

+1 to swapping, the status worker is already using an account token. Someone with super admin access to the account needs to create it.

MattIPv4 Apr 24 '25 18:04

It shouldn't need super admin, IIRC, that role's only special ability is to add or remove other super admins.

ryanaslett Jul 14 '25 03:07

Narrator's voice: It does need superadmin.

ryanaslett Sep 19 '25 07:09