
Change the ReadMe to use Github App generated Tokens #39

Status: Open. Wants to merge 3 commits into base: master.

Conversation

KingBain

@KingBain KingBain commented Dec 20, 2024

As mentioned in #2, using the GITHUB_TOKEN will block other GitHub Actions from running on pull request triggers.

This creates an issue, particularly for workflows like CodeQL, which rely on pull request triggers to function properly. While you previously recommended using fine-grained PAT tokens, they come with their own set of challenges.

I’m proposing an updated approach: using a GitHub App token instead.

Why Use a GitHub App Token?

  • Short-Lived Tokens: Tokens are automatically issued and expire after a short duration, reducing security risks.
  • Fine-Grained Permissions: Permissions are scoped and can be assigned only to the necessary operations.
  • Better Integration: GitHub Apps are more aligned with modern GitHub workflows and provide exemptions for branch protection rules.

Here’s a video that explains the benefits of GitHub App tokens for Actions more effectively.

Steps to Set Up the GitHub App

  1. Create the GitHub App:
    • Go to your GitHub Organization settings and create a new GitHub App.
  2. Generate a Private Key:
    • Once the app is created, generate a private key for authentication.
  3. Assign Permissions:
    • Grant the following permissions:
      • Metadata: Read access
      • Content: Read and write access
      • Pull Requests: Read and write access
  4. Install the App:
    • Install the app on all repositories or specific repositories where this action will run.
  5. Save Variables and Secrets:
    • Save the App ID as a repository or organization variable.
    • Save the private key as a repository or organization secret.

Additional Notes

  • If you have branch protection rules, ensure the GitHub App has an exemption to bypass those rules.
  • Update the action with the newly created variable and secret.

Here’s an example of what a successful workflow run looks like with this updated configuration:

[image: screenshot of a successful workflow run with the GitHub App token]

Let me know if you have any questions or if further adjustments are needed!
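A workflow that wires the App ID variable and private-key secret from the steps above into a run, as an added example that is not part of this PR or the project's README. The actions/create-github-app-token action, the variable and secret names (APP_ID, APP_PRIVATE_KEY), the schedule, and the action reference OWNER/REPO with its token input are assumptions, not values taken from the page.

```yaml
name: Refresh stale PRs with a GitHub App token

on:
  schedule:
    - cron: "0 6 * * *"   # assumed schedule
  workflow_dispatch:

# The default GITHUB_TOKEN is not used anywhere below, so strip its
# permissions entirely; the App token carries only the scopes granted in step 3.
permissions: {}

jobs:
  refresh:
    runs-on: ubuntu-latest
    steps:
      # Step 5 of the description: App ID stored as a variable, private key as
      # a secret. The action exchanges them for a short-lived installation token.
      - name: Generate GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}                  # assumed variable name
          private-key: ${{ secrets.APP_PRIVATE_KEY }} # assumed secret name

      # Checking out with the App token means any push made by later steps is
      # attributed to the App, which is what lets events fire for other
      # workflows (such as CodeQL) and lets a branch-protection exemption apply.
      - name: Check out repository with the App token
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      # Placeholder for the action whose README this PR updates; its real
      # reference and input name are not given on the page.
      - name: Run the action with the App token instead of GITHUB_TOKEN
        uses: OWNER/REPO@v1
        with:
          token: ${{ steps.app-token.outputs.token }}
```

The installation token expires on its own after the job, so nothing long-lived is left behind; rotating the App's private key in the App settings invalidates all future token exchanges at once.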

@KingBain KingBain marked this pull request as ready for review December 21, 2024 05:06
@KingBain (Author)

ping @zhiyelee for visibility

@zhiyelee (Collaborator)

@KingBain Thank you very much for the contribution! Have you verified this setup with your branch?

@zhiyelee zhiyelee (Collaborator) left a comment

Thank you for your valuable contribution! Once @KingBain confirms that the flow has been tested, I will merge the PR.

@coveralls

Pull Request Test Coverage Report for Build 12442441290

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 99.315%

Totals Coverage Status
Change from base Build 10656013409: 0.0%
Covered Lines: 104
Relevant Lines: 104

💛 - Coveralls

@KingBain (Author)

KingBain commented Dec 24, 2024

> Thank you for your valuable contribution! Once @KingBain confirms that the flow has been tested, I will merge the PR.

The team of devs that I work with has been using it for the last couple of days and it's been working. 👍
https://github.com/ssc-sp/datahub-portal/actions/workflows/refresh-stale-prs.yml


3 participants