Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Manually managing GitHub PATs is challenging and fragmented #194

Open
Jongmassey opened this issue Jun 25, 2024 · 9 comments
Open

Manually managing GitHub PATs is challenging and fragmented #194

Jongmassey opened this issue Jun 25, 2024 · 9 comments

Comments

@Jongmassey
Copy link
Contributor

Jongmassey commented Jun 25, 2024
edited
Loading

Currently, metrics requires three GitHub PATs across three organisations: opensafely, opensafely-core, and ebmdatalab.

There are other bennett projects which require GitHub PATs to work, e.g. job-server.

AIUI the current process is for the developer that is working on a change that adds the need for a PAT to generate the required PAT in their own account (with a long expiry date) and to add it to the right place(s) to make things work in production.

Additional to this, the PATs for ebmdatalab require admin approval.

A recent change removed widespread admin permissions from developers and broke this process.

Having these important tokens scattered across potentially multiple developer accounts feels fragile, especially if those accounts are disabled/the owner leaves the Bennett institute.

Should we manage these centrally/generally better?
@tomodwyer
Copy link
Member

Bitwarden have a tool called Secrets Manager which may make some of this management easier.

@Jongmassey
Copy link
Contributor Author

Additional context:

Following the revocation of my admin permissions on the opensafely org, I could still create a PAT that nominally had read permissions on the organisation codespaces (which requires admin permissions), but any attempt to use it would give a 403 error.

Nice footgun that I shot myself with

@sebbacon
Copy link

Another option to evaluate/consider: https://cloud.google.com/secret-manager/docs/overview

@madwort
Copy link
Contributor

madwort commented Jun 27, 2024
edited
Loading

is this a duplicate of #67 ? (the upshot of which is - create a machine user & generate a PAT from that?)

@Jongmassey
Copy link
Contributor Author

I think it is. I didn't have visibility of the previous (quite revealing!) Slack thread as it was a ecumenical pipeline matter

@iaindillingham
Copy link
Member

iaindillingham commented Jul 2, 2024
edited
Loading

This issue is related.

@StevenMaude
Copy link
Contributor

Also related to this issue: opensafely-core/interactive-templates#118 (comment)

GitHub's recommendation is to use GitHub Apps, but I don't know how viable that is for these use cases:

If you want to access GitHub resources on behalf of a user or in an organization, or you anticipate a long-lived integration, we recommend building a GitHub App.

@StevenMaude StevenMaude mentioned this issue Jul 10, 2024
Closed
StevenMaude added a commit to opensafely-core/job-server that referenced this issue Jul 11, 2024
@StevenMaude
Modify workflow to run from within job-server repo
d29b6df 
Instead of having interactive-templates create a PR when a new release
is available, check from within this repository on a regular basis.

Having this be triggered as a "pull" notification rather than a "push"
notification is not quite as refined in terms of getting updates.

However, it removes the use of a personal access token. Generally, we're
finding those unwieldy to manage as an organisation: see ebmdatalab/metrics#194.

See opensafely-core/interactive-templates#118 and
opensafely-core/interactive-templates#377 (where this workflow was
almost working in interactive-templates, except for requiring a new
personal access token).
@StevenMaude
Copy link
Contributor

StevenMaude commented Jul 17, 2024
edited
Loading

For what it's worth, because I mentioned this to Lucy after encountering an expired PAT in the interactive-templates repository, the create-pull-request action has a minimal example of using GitHub App tokens in its documentation.

This does require another action on top to generate the token, and I don't know if this satisfies all use cases here (if we need PATs where applications are running), but it might be worth testing out, at least in the case of using GitHub Actions.

⚠️ The documentation links to a third-party action. There is an official action made by GitHub for creating tokens.

While I'm here, Pygithub can manage GitHub App tokens as well.

@StevenMaude
Copy link
Contributor

It would also probably be useful to have a full list of where we're using PATs, if we don't already.

I suspect the most important ones are already listed in the team manual, but I don't think it's exhaustive.

@StevenMaude StevenMaude mentioned this issue Jul 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@sebbacon @iaindillingham @madwort @StevenMaude @tomodwyer @Jongmassey