Plans for this action given the new official actions/create-github-app-token?
#99
Comments
|
👋🏼 just wanted to say hi, I'm one of the maintainers of the new https://github.com/actions/create-github-app-token. Our main motivation to create an official action is to not use a 3rd party action for this sensitive functionality as part of our internal efforts to make GitHub itself more secure. I'm also a maintainer of @octokit and wanted us to create an action that doesn't use third party dependencies, as changes are hard to review for consumers given that the final code is a compiled single file that consists of the action's code as well as all their dependencies. I'm happy to help contribute best practices back to this action, I see that you already implemented the invalidation of a the token in a post step. Thank you so much for creating this great action, I've been using it for a long time across many projects ❤️ Let me know if you have any further questions |
|
Thanks for your comment Gregor. It would be nice to bring the official action to feature parity with this one. I could then deprecate/archive this one. These inputs are not yet supported by the official action. Do you plan on adding support for them?
The docs also mentions using ncc to compile the action's code to a single file. Besides, I explained in #41 why the way this action is published provides the best supply chain security. Other approaches such as "commit the
Which best practices do you have in mind? |
The permissions for sure, that's been planned since the beginning. I can't say about the other ones yet. Could you point us to why you implemented the retrieval mode? I assume it's to make creating the installation access token more efficient without the need to lookup the installation first, but I'm not yet sure if it's worth adding the complexity
I agree it's the right approach, we also compile to a single file for
None that you haven't addressed in your action yet I think |
Yes, it was asked in the tickets closed by #84. |
Yes, it looks like the same feature with a different API.
Yes: #17. I believe it's the last feature that differentiates this action from yours. |
Hmm that sounds like they want to create a JWT instead of an installation access token?
Yes I think so. I think we'll sit this one out and wait for people to come up with their use cases before we go down that path though. Thanks again for sharing all these insights, much appreciated |
|
I just commented in the other action that my PR #43 adding support for alternate |
This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action. See: tibdex/github-app-token#99 See: actions/create-github-app-token#3 Resolves: #790 Change-type: major Signed-off-by: Kyle Harding <kyle@balena.io>
This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action. See: tibdex/github-app-token#99 See: actions/create-github-app-token#3 Resolves: #790 Change-type: major Signed-off-by: Kyle Harding <kyle@balena.io>
This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action. See: tibdex/github-app-token#99 See: actions/create-github-app-token#3 Resolves: #790 Change-type: major Signed-off-by: Kyle Harding <kyle@balena.io>
This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action. See: tibdex/github-app-token#99 See: actions/create-github-app-token#3 Resolves: #790 Change-type: major Signed-off-by: Kyle Harding <kyle@balena.io>
This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action. See: tibdex/github-app-token#99 See: actions/create-github-app-token#3 Resolves: #790 Change-type: major Signed-off-by: Kyle Harding <kyle@balena.io>
This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action. See: tibdex/github-app-token#99 See: actions/create-github-app-token#3 Resolves: #790 Change-type: major Signed-off-by: Kyle Harding <kyle@balena.io>
We shipped the feature to set a custom |
Improve security by switching to the official GitHub action for managing app tokens. More [details](tibdex/github-app-token#99 (comment)). The `repositories` key is safe to remove because per the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories): > If owner and repositories are empty, access will be scoped to only the current repository.
Improve security by switching to the official GitHub action for managing app tokens. More [details](tibdex/github-app-token#99 (comment)). The default scope is limited to only this repo per the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories): > If owner and repositories are empty, access will be scoped to only the current repository.
Improve security by switching to the official GitHub action for managing app tokens. More [details](tibdex/github-app-token#99 (comment)). The `repositories` key is safe to remove because per the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories): > If owner and repositories are empty, access will be scoped to only the current repository.
Improve security by switching to the official GitHub action for managing app tokens. More [details](tibdex/github-app-token#99 (comment)). The default scope is limited to only this repo per the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories): > If owner and repositories are empty, access will be scoped to only the current repository.
because it has better error messages on failure and tibex/github-app-token will eventually be deprecated see tibdex/github-app-token#99
The readme in this repo links to an old version of the docs:
https://web.archive.org/web/20230115194214/https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#example-workflow-authenticating-with-a-github-app
...which have now been updated here:
https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#example-workflow-authenticating-with-a-github-app
...to use the new official action:
...which now in a few weeks seems to have gained the equivalent feature set (and hopefully stays maintained/improved).
Just thought I'd raise this issue to surface any thoughts on how these two actions relate to each other.
There also seems to be a bunch of others in the same field:
The text was updated successfully, but these errors were encountered: