Summary
`CLA_ASSISTANT_PAT` is a long-lived admin-scoped PAT that bypasses branch protection on every signature commit. Today the expiry is tribal knowledge; no workflow warns before it expires.
Scope
Two-part:
- Document the PAT's scope, expiry, and rotation procedure in SECURITY.md (or a new docs/secrets.md).
- Evaluate migrating to a fine-grained GitHub App installation token scoped to `contents: write` on this repo only. If feasible, open a follow-up issue with the implementation plan.
Acceptance criteria
- Documented rotation procedure exists and is linked from SECURITY.md.
- Scheduled GH Action warns 14 days before the documented expiry date.
- Migration decision recorded (either: implementation issue opened, or rationale for keeping the PAT documented).
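Added example, not code from this repo: the check a scheduled workflow could run for the second acceptance criterion. It assumes the documented expiry date is exposed to the job as a `CLA_ASSISTANT_PAT_EXPIRY` repository variable (a name chosen here, not one the repo defines), mirroring the date recorded in the rotation docs.

```python
"""Expiry check for the documented CLA_ASSISTANT_PAT, run from a scheduled Actions job."""
import os
import sys
from datetime import date, datetime

LEAD_DAYS = 14  # warn this many days before the documented expiry


def days_until_expiry(expiry: str, today: str) -> int:
    """Days from ISO-8601 `today` until ISO-8601 `expiry` (negative once expired)."""
    exp = datetime.strptime(expiry, "%Y-%m-%d").date()
    now = datetime.strptime(today, "%Y-%m-%d").date()
    return (exp - now).days


def classify(expiry: str, today: str, lead_days: int = LEAD_DAYS) -> str:
    """Return 'ok', 'warn' (inside the lead window) or 'expired'."""
    remaining = days_until_expiry(expiry, today)
    if remaining < 0:
        return "expired"
    if remaining <= lead_days:
        return "warn"
    return "ok"


def main() -> int:
    # Assumption: the documented expiry is injected as this environment variable.
    expiry = os.environ.get("CLA_ASSISTANT_PAT_EXPIRY")
    if not expiry:
        print("::error::CLA_ASSISTANT_PAT_EXPIRY is not set; document the expiry first")
        return 1
    today = date.today().isoformat()
    status = classify(expiry, today)
    remaining = days_until_expiry(expiry, today)
    # ::warning:: / ::error:: are Actions workflow commands; they surface as run annotations,
    # and the non-zero exit makes the scheduled run fail visibly.
    if status == "expired":
        print(f"::error::CLA_ASSISTANT_PAT expired {-remaining} day(s) ago ({expiry}); rotate now")
        return 1
    if status == "warn":
        print(f"::warning::CLA_ASSISTANT_PAT expires in {remaining} day(s) ({expiry}); rotate it")
        return 1
    print(f"CLA_ASSISTANT_PAT expiry {expiry} is {remaining} day(s) away")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it into a workflow with a `schedule:` cron trigger and pass the variable via `env:`; the variable is not the secret itself, only its documented expiry date.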
Source: devops.