
Security concerns with the GH_TOKEN #7747

Closed
mleister97 opened this issue Aug 29, 2023 · 4 comments
@mleister97

I would really like to draw attention to this issue & reopen it again

#5688

Currently, it is not possible to use different keys/tokens for publishing and reading private repositories, except by manually modifying the token using the setFeedURL function. For security reasons, I kindly request you to reopen the issue.


mleister97 commented Aug 29, 2023

For everyone who is interested, this is currently the only way to use two different tokens:

```js
// Runtime side: electron-updater fetches releases from the private repo
// with a read-only token (this value is compiled into the shipped app).
import { autoUpdater } from 'electron-updater';

autoUpdater.setFeedURL({
  provider: 'github',
  repo: 'xxx',
  owner: 'xxx',
  private: true,
  token: 'read_token',
});
```

.env

```
GH_TOKEN=publish_token
```

package.json (do not include any tokens here!)

```json
"scripts": {
  "deploy": "ts-node ./.erb/scripts/clean.js dist && npm run build && dotenv -- electron-builder build --publish always"
},
...
"build": {
  ...,
  "win": {
    ...,
    "publish": {
      "provider": "github",
      "repo": "xxx",
      "owner": "xxx",
      "private": true,
      "channel": "latest",
      "releaseType": "release"
    }
  }
}
```

Attention: this key can read any repository in your account, as it is a personal access token.

[screenshot: READ-TOKEN]

[screenshot: WRITE-TOKEN]


NordlingDev commented Sep 19, 2023

@mleister97 I'm concerned about the exposure of the token in client-side code, even if it's a read-only token. You explicitly set the token inside your client, basically. It doesn't matter if it's in an env variable or not, the final bundle will still contain the token. So anyone can go through the file and find the token, right?

I can't think of any workaround either... Is there really no other way to do it?


This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the Stale label Nov 19, 2023

This issue was closed because it has been stalled for 30 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 20, 2023