Hi, I'm trying to understand why this is "better" than a static PAT when using an App ID and private key on this Action.
If these credentials are leaked (let's say the same as a PAT/FPAT), anyone can still use them to generate a token to access the repositories (or other resources, depending on scope) where the GitHub application is installed.
There is no restriction that the App and its private key belong to / can be used only on the GitHub organization where this create-github-app-token runs. That means if I have the App ID and private key of the app from organization "A", I can still generate a token by running this Action on org "B" to access repositories from "A", where this app is installed. By setting `skip_token_revoke` to true, it gives the chance to keep it active for some time, which could be enough, or even to continue to generate new tokens by running the Action several times.
Did I miss anything about how to prevent this from happening?