doc: add a powers.md to document who has access

Initial stab at covering who has access to what.

Refs: #798 (comment)

Author: gibfahn

README.md

@@ -37,6 +37,8 @@ missing please open an issue.
 - Rich Trott [@trott](https://github.com/trott)
 - Kunal Pathak [@kunalspathak](https://github.com/kunalspathak)
 
+Note that different groups within the build WG have different access. For more
+information see [access.md][].
 
 
 ## Infrastructure Providers
@@ -202,3 +204,4 @@ Build and test orchestration is performed by [Jenkins][21].
 [21]:   https://jenkins.io/
 [pivotal]: https://www.pivotalagency.com.au/
 [securo]: http://securogroup.com/
+[access.md]: ./doc/access.md

doc/access.md

@@ -0,0 +1,64 @@
+# Access to Node.js Infrastructure
+
+Documents which groups have access to which Infra assets. Note that links to
+`@nodejs/` teams are not visible to people who aren't in the Nodejs
+organisation, so those links may not work for you. The [secrets repo][] is also
+secret...
+
+## Machine Access
+
+For a list of machines, see the [inventory.yml][]. Secrets are stored in the
+[secrets repo][], which [@nodejs/build][] (and [org owners][]) have access to.
+Secrets are individually encrypted, so access to the repo does not itself
+give access to any of the secrets within. For more info see the repo's README.
+
+### Test machines
+
+[@nodejs/build][] have root access to the test CI machines (`test-*`).
+
+### Infra and Release machines
+
+A subsection of build members have access to infra and release machines
+(`infra-*` and `release-*`). The current list is:
+
+- Johan Bergström [@jbergstroem](https://github.com/jbergstroem)
+- João Reis [@joaocgreis](https://github.com/joaocgreis)
+- Michael Dawson [@mhdawson](https://github.com/mhdawson)
+- Rod Vagg [@rvagg](https://github.com/rvagg)
+
+## Infra Access
+
+There are a number of other infra assets maintained by the Build WG, accesses
+are as follows:
+
+### [ci.nodejs.org](ci.nodejs.org)
+
+- [@nodejs/collaborators][] have access to run Node core tests.
+
+- Run and configure access for other jobs is controlled by the teams who own them
+(for example, the [post-mortem jobs][] are run by [@nodejs/post-mortem][], and
+configured by [@nodejs/post-mortem-admins][]. For more info see the [Jenkins
+access doc][].
+
+- [@nodejs/build][] have machine access (the ability to add, remove, and
+configure machines).
+
+- [@nodejs/jenkins-admins][] have admin access.
+
+### [ci-release.nodejs.org](ci-release.nodejs.org)
+
+- [@nodejs/release][] have access to run builds.
+
+- [@nodejs/jenkins-admins][] have admin access.
+
+[@nodejs/build]: https://github.com/orgs/nodejs/teams/build/members
+[@nodejs/collaborators]: https://github.com/orgs/nodejs/teams/collaborators/members
+[@nodejs/jenkins-admins]: https://github.com/orgs/nodejs/teams/jenkins-admins/members
+[@nodejs/post-mortem-admins]: https://github.com/orgs/nodejs/teams/post-mortem-admins/members
+[@nodejs/post-mortem]: https://github.com/orgs/nodejs/teams/post-mortem/members
+[@nodejs/release]: https://github.com/orgs/nodejs/teams/release/members
+[Jenkins access doc]: /doc/process/jenkins_job_configuration_access.md
+[inventory.yml]: /ansible/inventory.yml
+[org owners]: https://github.com/orgs/nodejs/people?utf8=%E2%9C%93&query=%20role%3Aowner
+[post-mortem jobs]: https://ci.nodejs.org/view/post-mortem/
+[secrets repo]: https://github.com/nodejs/secrets