Manually managing GitHub PATs is challenging and fragmented

[Jongmassey]

Currently, metrics requires three GitHub PATs across three organisations: opensafely, opensafely-core, and ebmdatalab.

There are other bennett projects which require GitHub PATs to work, e.g. job-server.

AIUI the current process is for the developer that is working on a change that adds the need for a PAT to generate the required PAT in their own account (with a long expiry date) and to add it to the right place(s) to make things work in production.

Additional to this, the PATs for ebmdatalab require admin approval.

A recent change removed widespread admin permissions from developers and broke this process.

Having these important tokens scattered across potentially multiple developer accounts feels fragile, especially if those accounts are disabled/the owner leaves the Bennett institute.

Should we manage these centrally/generally better?

[tomodwyer]

Bitwarden have a tool called Secrets Manager which may make some of this management easier.

[Jongmassey]

Additional context:

Following the revocation of my admin permissions on the opensafely org, I could still create a PAT that nominally had read permissions on the organisation codespaces (which requires admin permissions), but any attempt to use it would give a 403 error.

Nice footgun that I shot myself with

[sebbacon]

Another option to evaluate/consider: https://cloud.google.com/secret-manager/docs/overview

[madwort]

is this a duplicate of #67 ? (the upshot of which is - create a machine user & generate a PAT from that?)

[Jongmassey]

I think it is. I didn't have visibility of the previous (quite revealing!) Slack thread as it was a ecumenical pipeline matter

[iaindillingham]

This issue is related.

[StevenMaude]

Also related to this issue: opensafely-core/interactive-templates#118 (comment)

---

GitHub's recommendation is to use GitHub Apps, but I don't know how viable that is for these use cases:

If you want to access GitHub resources on behalf of a user or in an organization, or you anticipate a long-lived integration, we recommend building a GitHub App.

[StevenMaude]

For what it's worth, because I mentioned this to Lucy after encountering an expired PAT in the interactive-templates repository, the create-pull-request action has a minimal example of using GitHub App tokens in its documentation.

This does require another action on top to generate the token, and I don't know if this satisfies all use cases here (if we need PATs where applications are running), but it might be worth testing out, at least in the case of using GitHub Actions.

⚠️ The documentation links to a third-party action. There is an official action made by GitHub for creating tokens.

---

While I'm here, Pygithub can manage GitHub App tokens as well.

[StevenMaude]

It would also probably be useful to have a full list of where we're using PATs, if we don't already.

I suspect the most important ones are already listed in the team manual, but I don't think it's exhaustive.