Move away from personal access tokens #62

Open
TheAssassin opened this issue Jun 16, 2020 · 1 comment
@TheAssassin
Contributor

Personal access tokens cannot be limited to single projects. This is really insecure. A working workaround is to create bot users per project (this is generally a good idea). PR is on the way to clarify that.

Someone should however investigate whether it's possible to use alternative authentication methods of the GitHub API, e.g., something OAuth2 based. Those tokens can be limited to projects/organizations.

TheAssassin added a commit to TheAssassin/uploadtool that referenced this issue Jun 16, 2020
The README proposes a very unsafe setup. This PR at least documents the problems

CC probonopd#62.
@probonopd
Owner

probonopd commented Jul 30, 2020

Do you know how to implement this? And how would e.g., Travis CI then use uploadtool?
