
Inform people that repository collaborators can read PATs or discourage people from using them #75

Closed
brxxn opened this issue Nov 25, 2019 · 7 comments · Fixed by #123

@brxxn

brxxn commented Nov 25, 2019

Inside the README, people are encouraged to use a PAT to access repository content, but this adds a risk to the repository owner's account, allowing people to read any private repository if they get access to it. As stated in the GitHub Documentation, anyone with write access can read the PAT and all private repositories a user has access to.

People should be discouraged from using PATs and should be encouraged to keep the action within their own repository, to prevent repository collaborators from having more access to a user's account than they should.

@ericsciple ericsciple self-assigned this Dec 13, 2019
@ericsciple ericsciple added the documentation Improvements or additions to documentation label Dec 13, 2019
@eine

eine commented Dec 16, 2019

For completeness, deployment keys should be usable instead of PATs for most contexts. For example, this commit shows the two procedures (token or key): umarcor/issue-runner@4a57a1a

@JohannesHoppe

Hello, I manage a library that right now encourages people to use a personal access token.
see https://github.com/angular-schule/angular-cli-ghpages
I know that a PAT with repository access is a serious security risk, but in the past this was the best option.

My latest information is that the GH_TOKEN won't work to push to a new branch, see angular-schule/angular-cli-ghpages#73 (comment).
Could somebody tell me what the best practices are now? I'm currently working on an article on this topic. Of course, I do not want to recommend anything wrong:

PR for article angular-schule/website-articles#7 (will be published at https://angular.schule/blog)

You can see a preview of the article here.

@ericsciple
Contributor

@brxxn It looks like https://github.com/<org>/<repo>/settings/secrets provides guidance. And also provides a link to https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets

@ericsciple
Contributor

@andymckay for thoughts?

@eine

eine commented Dec 23, 2019

> My last information is, that the GH_TOKEN won't work to push to a new branch,

I'm not sure about this... I have found deployment keys to be required in order to push to a different repo, but not for a different branch in the same repo. See, e.g. https://github.com/eine/tip/blob/master/.github/update_gha-tip.sh.

The issue with gh-pages is NOT that you cannot push. Actually, you can. However, the website is not updated. In other words, you will see the commits pushed to the branch, but nothing in https://github.com/*/*/deployments. See actions/toolkit#247.

Hence, for now, you can use GHA and the default GITHUB_TOKEN to keep a gh-pages branch up to date. However, for the website to be updated, you need to:

git checkout -b gh-pages origin/gh-pages   # local branch tracking the gh-pages branch the workflow pushed
git commit --amend --reset-author          # re-create the latest commit under your own git identity (new commit hash)
git push origin +gh-pages                  # force-push the rewritten branch; this push is what triggers the deployment
git checkout master
git branch -D gh-pages                     # drop the temporary local branch

For completeness, this is how to use a deployment key instead: https://github.com/VUnit/vunit/blob/master/.github/workflows/docs.yml
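To make the three options discussed in this thread concrete, here is an added workflow fragment (not taken from this issue or from the checkout project's own docs); `REPO_PAT`, `DEPLOY_KEY` and `<org>/<target-repo>` are placeholder names.

```yaml
# Added illustration: the PAT pattern the README warned about, next to the two
# alternatives discussed above. Secret and repository names are placeholders.
name: publish-docs
on:
  push:
    branches: [master]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # RISKY: a PAT stored as a repository secret. Any collaborator with write
      # access can run a workflow that reads the secret, and the PAT then grants
      # access to every private repository its owner can reach.
      # - uses: actions/checkout@v2
      #   with:
      #     token: ${{ secrets.REPO_PAT }}

      # Same repository: the job-scoped GITHUB_TOKEN, which actions/checkout uses
      # by default. It can push to gh-pages, but a push made with it does not
      # trigger a Pages deployment (see the comment above).
      - uses: actions/checkout@v2

      # Different repository: a deploy key scoped to that one repository, with
      # its private half stored as a secret and passed via the ssh-key input.
      - uses: actions/checkout@v2
        with:
          repository: <org>/<target-repo>      # placeholder
          ssh-key: ${{ secrets.DEPLOY_KEY }}   # private half of a write-enabled deploy key
          path: target
```

If the deploy key is compromised, revoking it affects only that one repository, which is the property a PAT cannot give you.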

@andymckay
Contributor

> @andymckay for thoughts?

There's a definite risk there. Might be worth calling out in the README to make it clearer.

@ericsciple
Contributor

I added a link in the description to the help topic about secrets.
