Classic PATs should be replaced with fine-grained PATs in both development and production environments. PATs provide the values of:
GITHUB_TOKEN (used by OpenSAFELY Jobs)
GITHUB_WRITEABLE_TOKEN (used by OpenSAFELY Interactive)
In both cases, replacing classic PATs means agreeing and documenting a name, expiration period, repository access, and permissions. (The permissions documentation suggests that fine-grained PATs can be used to access REST API endpoints; I believe they are used by ebmdatalab/metrics to access GraphQL endpoints, too.) There are two relevant sections in DEVELOPERS.md:
"Rotating the read only GitHub token"
"Rotating the OSI GitHub token"
In a change to the existing development setup, each developer should create their own fine-grained PAT. A fine-grained PAT should also be created by the opensafely-readonly user (credentials in Bitwarden), for use in production. PATs should no longer be stored in Bitwarden.
Although orthogonal to this issue, credentials for the development OAuth application should continue to be stored in Bitwarden. The purpose of this application should be documented in DEVELOPERS.md: it provides the values of SOCIAL_AUTH_GITHUB_KEY and SOCIAL_AUTH_GITHUB_SECRET.
Changing PATs and documenting the development OAuth application means that scripts/dev-env.sh can be removed.
GITHUB_TOKEN_TESTING
The value of GITHUB_TOKEN_TESTING, which is a classic PAT, should also be replaced with a fine-grained PAT. The value of this PAT is used by CI. See "Verified Fakes" in TESTING.md for more information.
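As an added example (not code from the job-server or OpenSAFELY Interactive repositories), a small check that a developer's environment or a CI step could run to confirm that the three PAT-backed variables named in the issue hold fine-grained rather than classic PATs. It assumes GitHub's documented token prefixes (`ghp_` for classic PATs, `github_pat_` for fine-grained PATs); the variable names come from the issue, and the report redacts token values so a failing check never echoes a secret.

```python
# Added example: check that the PAT-backed variables named in the issue hold
# fine-grained PATs. Assumes GitHub's documented token prefixes ("ghp_" for
# classic, "github_pat_" for fine-grained); the variable names come from the issue.
import os
import sys
from typing import Dict, List

PAT_ENV_VARS = ("GITHUB_TOKEN", "GITHUB_WRITEABLE_TOKEN", "GITHUB_TOKEN_TESTING")
CLASSIC_PREFIX = "ghp_"
FINE_GRAINED_PREFIX = "github_pat_"


def classify_token(token: str) -> str:
    """Return "fine-grained", "classic" or "unknown" from the prefix alone."""
    if token.startswith(FINE_GRAINED_PREFIX):
        return "fine-grained"
    if token.startswith(CLASSIC_PREFIX):
        return "classic"
    return "unknown"


def redact(token: str) -> str:
    """Keep only the prefix and last four characters so reports never leak a secret."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 8 else "***"


def check_env(env: Dict[str, str], required=PAT_ENV_VARS) -> List[str]:
    """Return one problem line per variable that is unset or not a fine-grained PAT."""
    problems = []
    for name in required:
        token = env.get(name, "")
        if not token:
            problems.append(f"{name}: not set")
            continue
        kind = classify_token(token)
        if kind != "fine-grained":
            problems.append(
                f"{name}: {kind} token ({redact(token)}); replace with a fine-grained PAT"
            )
    return problems


if __name__ == "__main__":
    # Exit non-zero so a CI step or dev-env check fails while a classic PAT is still in use.
    found = check_env(dict(os.environ))
    print("\n".join(found) or "all PATs are fine-grained")
    sys.exit(1 if found else 0)
```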