Add the ability to use Deploy Keys to deploy Homebrew taps #2027

Closed
AnomalRoil opened this issue Jan 20, 2021 · 4 comments
@AnomalRoil

Is your feature request related to a problem?
Using a Personal Access Token (PAT) with repo rights to deploy the Homebrew taps is a security concern, see #2026

Describe the solution you'd like
Since GitHub does not allow creating PATs that are restricted to a few repositories, but allows adding Deploy Keys to specific repositories, it might be interesting to have a way to provide an SSH Deploy Key instead of a Token for Homebrew deployment as was proposed in #1643 and for the same reasons.

Describe alternatives you've considered
We can use Machine User accounts to work around the security issue, but it adds a significant extra burden (with the need to create and secure an extra account).

We can use a very hackish way using GitHub Apps installation tokens, since these can be restricted to specific repos, it appears.

Additional context
I'll open a discussion on the topic shortly.

@AnomalRoil AnomalRoil added the enhancement New feature or request label Jan 20, 2021
@caarlos0
Member

What was done on #1643 works on the brew pipe as well...

see #1650

@AnomalRoil
Author

Yes, but the issue is that PA Tokens are too difficult to "restrict" in scope to a single repo, whereas Deploy Keys are highly specific to a repo and thus super useful for deployment.

@caarlos0
Member

My understanding is that it would require us to change our impls to clone/commit/push the tap repo, as today we only use the GitHub API.

Probably won't happen anytime soon as it's a big rewrite on otherwise stable code.

Will keep in mind for v2 though.

Thanks!

@caarlos0 caarlos0 added this to the v2.0.0 milestone Feb 12, 2021
@github-actions
Contributor

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 14, 2021
@caarlos0 caarlos0 modified the milestones: v2.0.0, v1.0.0 Jan 10, 2022
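
The clone/commit/push flow with a deploy key that this thread discusses, sketched as an added example; it is not GoReleaser code and not part of the original issue. The function names, the `release-bot` identity and the `Formula/` layout are assumptions, and the deploy key is assumed to be registered with write access on the tap repository only.

```shell
#!/bin/sh
# Added example, not GoReleaser code. Names and layout are assumptions.

# True only if the key file has no group/other permission bits set, the
# same condition under which ssh accepts a private key file.
key_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh command for git: offer only the deploy key and never prompt.
deploy_ssh_command() {
    printf "ssh -i '%s' -o IdentitiesOnly=yes -o BatchMode=yes" "$1"
}

# usage: publish_formula TAP_URL DEPLOY_KEY_FILE FORMULA_FILE
publish_formula() {
    tap_url=$1 key=$2 formula=$3
    if ! key_is_private "$key"; then
        echo "refusing deploy key readable by group/others: $key" >&2
        return 2
    fi
    work=$(mktemp -d) || return 1
    status=0
    (
        # Exported only inside this subshell, so the key choice does not
        # leak into other git invocations of the caller.
        GIT_SSH_COMMAND=$(deploy_ssh_command "$key")
        export GIT_SSH_COMMAND
        git clone --quiet "$tap_url" "$work/tap" &&
        mkdir -p "$work/tap/Formula" &&
        cp "$formula" "$work/tap/Formula/" &&
        cd "$work/tap" &&
        git add Formula &&
        git -c user.name="release-bot" \
            -c user.email="release-bot@example.invalid" \
            commit --quiet -m "Update $(basename "$formula")" &&
        git push --quiet origin HEAD
    ) || status=$?
    rm -rf "$work"
    return "$status"
}
```

With a real tap, `TAP_URL` is the repository's SSH URL; a leaked key then exposes that one repository rather than every repository the PAT owner can reach.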