This repository has been archived by the owner on Apr 21, 2021. It is now read-only.

thepwagner/secret-garden
Secret Garden

Hello, this is a tech demo of a solution to provide more control over GitHub tokens used in GitHub Actions.

A similar thing is now supported by GitHub itself and doesn't require these hacks. Use that instead!

It relies on an embedded GitHub App and uses the create_access_token API call to create GitHub API tokens. These tokens can be limited to specific permissions and can cover multiple repositories with the same owner. The tokens are stored as GitHub Actions secrets, so workflows can use them just like secrets.GITHUB_TOKEN.
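
The core of that mechanism, as an added Go illustration rather than the project's own code: sign the short-lived App JWT with the App's private key, then build the create_access_token request whose permissions and repositories scope the installation token GitHub returns. The App ID (12345), installation ID (67890) and repository name are constructed placeholders; writing the token back as an Actions secret is left out.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// appJWT is the RS256 JWT a GitHub App signs to act as itself; GitHub caps exp at iat+10min.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iat": now.Add(-time.Minute).Unix(), // tolerate small clock skew
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": appID, // the App ID, i.e. what SG_APP_ID holds
	})
	input := enc(hdr) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// tokenRequest prepares the create_access_token call; the returned installation
// token is scoped to exactly these permissions and repositories (same owner).
func tokenRequest(jwt string, installID int64, perms map[string]string, repos []string) *http.Request {
	body, _ := json.Marshal(map[string]interface{}{"permissions": perms, "repositories": repos})
	url := fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installID)
	req, _ := http.NewRequest(http.MethodPost, url, bytes.NewReader(body)) // fixed method/URL: cannot fail
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the SG_APP_PK secret
	jwt, _ := appJWT("12345", key, time.Now())   // 12345 / 67890: constructed IDs
	req := tokenRequest(jwt, 67890, map[string]string{"contents": "read"}, []string{"secret-garden"})
	fmt.Println(req.Method, req.URL) // the Action would send this and store the token as a secret
}
```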

Tokens are valid for 1 hour, so it's envisioned that this Action be invoked to refresh them every 15-30 minutes.

WARNING: Unlike the built-in GITHUB_TOKEN, events triggered by these tokens will themselves trigger Actions. This could cause an infinite loop, e.g. a push made with such a token re-triggering a workflow that runs on push.

Setup

  1. Do not use this. Take the idea and build a better version. If you just want to try it out:

  2. Fork this repo.

  3. Create a New GitHub App. Permissions must include:

    • Contents: Read
    • Metadata: Read
    • Secrets: Read & write

    The app must also have all the permissions you want to issue tokens with, see GITHUB_TOKEN permissions for a safe selection.

  4. Note the "App ID" of the app created. Store in your fork as Actions repository secret SG_APP_ID.

  5. Create and download a private key for the app. Copy the file's contents and paste as Actions repository secret SG_APP_PK.

  6. Install the app on your account/organization, note the "Installation ID" in the URL bar. Store as Actions repository secret SG_INSTALL_ID.

  7. Customize the yaml in the config/ directory:

     • /config/secrets.yaml defines org-wide tokens
     • /config/${repo}/secrets.yaml defines secrets for a single repository

  8. Use "workflow dispatch" to test generating and storing tokens. 🤞

  9. Experiment with the tokens.

About

This was a half-day professional development project.

The name alludes to the "seeds" from the config/ directory growing into secrets across the organization's repositories. A small set of "gardeners" could manage access through this one repository.

Plus the Jerry Maguire memes - it really "completes" the story of securing Actions usage.
