-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
modern authentication #236
Comments
Heya David, Thanks for the suggestion. Greenkeeper is already a GitHub Application, and uses short lived tokens for its main work. For lockfiles however, our users need to be able to put in access tokens for repos and orgs that are not the one that our Greenkeeper App is not enabled on., that’s why we went with that route. Best |
Thanks for the reply. I'm impressed by the quick and technically on-spot
answer.
Except, I don't understand the whole picture. So, sorry, I have some
follow-on questions:
1. is this double-negative what you meant to say?
"are *not* the one that our Greenkeeper App is *not* enabled on."
2. If we gave the *greenkeeper* github app access to more repos, would this
issue go away for us?
3. I have no experience with Greenkeeper, and I am not a product developer.
Can you point me at a document that explains the big picture?
4. If I understand correctly, the *lockfile* code uses a PAT because it is
not integrated into the main *greenkeeper* application. is that right?
5. If really, truly, there is no alternative to a long lived PAT, what is
best practice?
In this case, I would normally do something like:
- create a github pseudo-user named something like "bot-greenkeeper"
- a github pseudo-team named "BotGreenkeeper" (We only give privs to teams,
not users. that's how we roll these days)
- give that team the necessary privs
- pull a PAT for that pseudo-user
- install it in greenkeeper-lockfile
I guess we could address the long-lived issue by rotating this PAT on a
calendar schedule, say every 6 months.
Is there a better or easier way?
…On Fri, May 17, 2019 at 3:19 AM Jan Lehnardt ***@***.***> wrote:
Heya David,
Thanks for the suggestion. Greenkeeper is already a GitHub Application,
and uses short lived tokens for its main work. For lockfiles however, our
users need to be able to put in access tokens for repos and orgs that are
not the one that our Greenkeeper App is not enabled on., that’s why we went
with that route.
Best
Jan
—
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#236?email_source=notifications&email_token=AHQOUCURTXNCYYUWLJ5VITTPV2BBJA5CNFSM4HM5UGEKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVUL2LA#issuecomment-493403436>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AHQOUCUDX3SBNTLNTRGPMOTPV2BBJANCNFSM4HM5UGEA>
.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
in order to use greenkeeper with lockfiles, it's required to generate a Personal Access Token.
This is not modern practice. These tokens are long lived.
It would be better to use the latest GitHub auth technology, "GitHub Applications"
The text was updated successfully, but these errors were encountered: