
Conversation

@v1v
Member

@v1v v1v commented Sep 19, 2024

What does this PR do?

Use the GitHub app to generate the required ephemeral tokens with the least permissive principle.

Why is it important?

  • Finer-grained tokens with Service Machine accounts are required to rotate the secrets manually.
  • GitHub app to generate temporary tokens is the advanced approach to avoid the above
  • Document what the GH workflow requires to run in terms of access
  • GitHub Token with Permissions does not trigger GitHub builds

Implementation details

Use tibdex/github-app-token with the required permissions and the repository scope
Configure the GH_TOKEN with the ephemeral token

@v1v v1v requested a review from a team September 19, 2024 13:35
@v1v v1v self-assigned this Sep 19, 2024
@v1v v1v merged commit b7c42d7 into elastic:main Sep 20, 2024
@v1v v1v deleted the feature/replace-OBLT_CLI_GITHUB_TOKEN branch September 20, 2024 11:52
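
A minimal workflow following the implementation details above, as an added example that is not the workflow changed in this PR. The secret names, the repository name and the permission set are assumptions chosen for illustration; the `app_id`, `private_key`, `permissions` and `repositories` inputs and the `token` output are those of `tibdex/github-app-token` v2.

```yaml
name: example-ephemeral-token   # hypothetical workflow name
on:
  workflow_dispatch:

# Give the built-in GITHUB_TOKEN no permissions; the job relies only on the
# short-lived GitHub App installation token requested below.
permissions: {}

jobs:
  list-prs:
    runs-on: ubuntu-latest
    steps:
      - name: Get ephemeral token
        id: get_token
        # Pin to a reviewed commit SHA in practice instead of a moving tag.
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.EXAMPLE_APP_ID }}                # assumed secret name
          private_key: ${{ secrets.EXAMPLE_APP_PRIVATE_KEY }}  # assumed secret name
          # Request only what the job needs (assumed set). This also documents
          # the access the workflow requires.
          permissions: >-
            {
              "contents": "read",
              "pull_requests": "read"
            }
          # Scope the token to a single repository (placeholder name).
          repositories: >-
            ["example-repo"]

      - name: Check out with the scoped token
        uses: actions/checkout@v4
        with:
          token: ${{ steps.get_token.outputs.token }}

      - name: Call the GitHub CLI with the ephemeral token
        env:
          # gh reads GH_TOKEN from the environment.
          GH_TOKEN: ${{ steps.get_token.outputs.token }}
        # Use the runner-provided variable rather than interpolating an
        # expression into the script body.
        run: gh pr list --repo "$GITHUB_REPOSITORY"
```

Events created with an App installation token, unlike those created with the built-in `GITHUB_TOKEN`, can trigger further workflow runs, and the installation token expires on its own after one hour.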