Use a GitHub App instead of a PAT in workflow #369
Conversation
A GitHub App is easier for multiple users across the enterprise to manage _and_ grants access to specific repositories and more finely scoped permissions than what is possible with a PAT associated with a user in the organization. We also get to choose a cool name for the app. This app is named "Easy Dynamics OSCAL Automation" which we can rename at any time. It currently only has access to this repository; however, we can trivially grant it access to others.
| # an output. It _does_ register that token as a secret so that it will be | ||
| # filtered from log output automatically | ||
| id: generate-token | ||
| uses: tibdex/github-app-token@c95b1c441a4dacd6d24f231b9697a5f9a04c607e |
There was a problem hiding this comment.
I elected to use a specific commit hash since we are passing the app id and private key to this Action and this is the specific commit that I reviewed when doing so. But we're also passing the generated token to another action that doesn't use a specific hash, so I am happy to change this to just be @v1 instead and to track the latest version.
|
With one approval in place, I went ahead and added the necessary secrets and triggered a |
A GitHub App is easier for multiple users across the enterprise to
manage and grants access to specific repositories and more finely
scoped permissions than what is possible with a PAT associated with a
user in the organization. We also get to choose a cool name for the app.
This app is named "Easy Dynamics OSCAL Automation" which we can rename
at any time. It currently only has access to this repository; however,
we can trivially grant it access to others.