DecisionUse dedicated accounts for service integrations

accepted

Service integrations that use personal accounts tie the function of the service with the person's engagement with the project.

Tying the normal operation of services to a person's engagement makes it more difficult for developers to roll off from a project successfully. It also increases risk of breaking the client's service integrations when developers don't remember to transition the integrations to another account.

Examples of these services include: GitHub, Circle CI, Tugboat, Jira, and Slack.

Decision

When integrating services together always use a dedicated account for the integration credentials instead of a person's individual account.

Implementation

Depending on the client, valid implementations include:

  • A dedicated email address and account per project or service, with credentials stored in a shared password manager. This e-mail address should be owned by the client i.e. not an @lullabot.com address.
  • A Slack email address (this can be obtained by going to Channel Details / Integrations). Again, this should be an e-mail address owned by the client that won't disappear when Lullabot rolls off the project.
  • For services that support it, a project access token (instead of a personal access token).

Don't use account aliases to register multiple bots for the same service like projectname+ted.lasso@lullabot.com, as spam filtering on the service side is likely to block account creation.

Consequences

Rolling off a person will not have a side-effect on continued operations. Automated actions in service integrations will not seem like they are performed by a person.

Andrew Berry, David Burns, Marcos Cano, Mateu Aguiló Bosch, Sally Young, Salvador Molina Moreno

Decided on