Security concerns with the GH_TOKEN #5688
Comments
|
That's a great concern. Looks like it is not possible to use separate tokens at this time. I'd be happy to review a PR if you're interested in discussing a solution. |
|
Thank you for your reply mmaietta, I am not good enough to contribute to the project, but I do hope someone out there can see this and fix this issue. |
|
This is not a solution for your issue, but a temporary fix. You may consider using a separate, public repo for your releases (if your original repo is private, which it is). |
|
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
I agree with this idea in theory. In my opinion, something like this should work:
Sadly this doesn't work right now because electron-builder will completely ignore GH_TOKEN if "token" is specified directly in the configuration files. I know this from trying it out on electron-builder 22.14.5. However... TL;DR: this feature might be impossible until GitHub allows more granularity in token permissions. |
|
I'd rather not use a private repo and that's it. A GH token is very sensible data. |
|
Any updates on this?
Seperate keys would be possible. Please repoen this issue!
|
…token Reference: electron-userland#5688 - Discussion about keeping two separate tokens; one for publishing to Github releases and the other used by the app to make requests for auto-update updates. Now you can set a release token that has write permissions to publish your release. The release token will be used instead of a GH_TOKEN || GITHUB_TOKEN ONLY during publishing. The Github token defined via the Github options or environment variable will still be used as normal. mac: ``` export GITHUB_RELEASE_TOKEN=<my token> ``` I used the Contents permission for a New fine-grained personal access token with "Read and write". "Read-only" for the usual app-update token. So even if the app-update token is inside your app-update.yml its only read-only, yay! (Mac: you can find the app-update.yml by right-click > Show Package Contents > Contents > Resources)
|
The year is 2024, if you're reading this and my PR doesn't make it in then here's the original commit to make use of the code: AndrewEQ@abea7ed |
…ate token (#8173) * [Add] Support for a separate Github release token to the auto-update token Reference: #5688 - Discussion about keeping two separate tokens; one for publishing to Github releases and the other used by the app to make requests for auto-update updates. Now you can set a release token that has write permissions to publish your release. The release token will be used instead of a GH_TOKEN || GITHUB_TOKEN ONLY during publishing. The Github token defined via the Github options or environment variable will still be used as normal. mac: ``` export GITHUB_RELEASE_TOKEN=<my token> ``` I used the Contents permission for a New fine-grained personal access token with "Read and write". "Read-only" for the usual app-update token. So even if the app-update token is inside your app-update.yml its only read-only, yay! (Mac: you can find the app-update.yml by right-click > Show Package Contents > Contents > Resources)
In order to deploy the application and release it on GitHub, my GH_TOKEN requires
package:writescope on, which also gives a person the permission to delete/modify/add files to the private repo. On the other hand, the only privilege I need in the GH_TOKEN for distribution is forpackage:read, which only allows the person to download the packages. Any chance I can use thepackage:writeGH_TOKEN for deployment andpackage:readtoken for the distributed app?Thank you all in advance :D
The text was updated successfully, but these errors were encountered: