[Feedback tracking] Fine-grained personal access tokens #36441
Replies: 187 comments 302 replies
-
Will there be a way to create tokens that don't expire for CI? |
Beta Was this translation helpful? Give feedback.
-
Expiry means I can't set it and forget it, and that's the entire point of granular access tokens - namely, the risk is zero because the permissions are tightly scoped. Forced expiry also means folks will just come up with trivial ways to reissue new ones, which will defeat the purpose anyways. It's like a forced password reuse policy - it seems like it helps security, but it actually harms it. I hope you'll reconsider forced expiry. |
Beta Was this translation helpful? Give feedback.
-
A missing feature for me is being able to authenticate against GitHub packages. Currently (buried in the docs for packages):
https://docs.github.com/en/packages/learn-github-packages/introduction-to-github-packages This is compounded by the fact that apps also can't install packages. And also by the confusing UI whereby we can add a package scope to ☝️ That text sounds like you you can authenticate against GitHub packages! This is overall a great change and thanks for your hard work getting it into beta! 🚀 |
Beta Was this translation helpful? Give feedback.
-
I can't seem to find the proper permission to allow pushing to protected branches... Semantic release then commits the package.json, the lockfile and a CHANGELOG.md to the main branch everytime it creates a new release. I tried to add multiple write permissions additionally to the Is there a way to achieve this with the current permissions or is maybe an additional (not yet existing) permission needed to make this work? |
Beta Was this translation helpful? Give feedback.
-
The mandatory expiration makes sense for human-oriented use cases - e.g. testing some scripts, locally running programs which interact with GitHub API etc. I have had a number of tokens I created in the past which I only discovered as still active some months or years later. However, for tokens which are used by machines - such as in a CI - the manual rotation seems like unnecessary overhead, as was already mentioned. Contrary to some suggestions made here though, I would say that instead of just allowing no expiry, it would make sense to somehow allow establishment of a trust relationship, such that GitHub backend does the token rotation and humans don't even need to ever see the token, let alone copy and paste it - hence further decreasing the chance of leaks. This would make sense IMO at least for the common case when the token is used within GitHub Actions. GitHub already essentially does that with the default I don't know what the best UX for cross-org and cross-repo tokens is, but perhaps there's some inspiration to take from impersonation mechanisms in GCP, AWS or HashiCorp Vault? Active trust relationships is probably something users would still need to be reminded of regularly, but at least it takes a lot of the overhead away and arguably makes it safer by not exposing the token to humans. |
Beta Was this translation helpful? Give feedback.
-
I'm wondering, is there/will there be a way to create a fine-grained token for a repository one has collaborator permissions on? Such repositories don't seem to appear in the repository list, and no separate entries on the resource owners list are shown for such repositories. |
Beta Was this translation helpful? Give feedback.
-
Ahhh I just spent half of my day trying to use a fine-grained token to download a private package; I overlooked the note with the list of unsupported API endpoints in this section of the documentation. I didn't figure it out until I saw the bullet points at the end of this thread! That was pretty clearly user error, but I'm posting this to see if this was a common mistake others encountered, in which case it could be useful for User Experience to take another look and see if this info could be made more prevalent. For example, maybe it could be presented outside of a box or in a red "warning" box. Or the bullet point could be less verbose (separate out the link to the supported endpoints); or the sub-list items could exclude the extra words "REST API to manage", making them easier to process. But I think my main source of confusion was that when I was reading too quickly and I saw "only work with personal access tokens (classic)", I thought it was going to be a list of things that only work with PATs. So it might be clearer to frame it instead as things that "are not supported for fine-grained personal access tokens". |
Beta Was this translation helpful? Give feedback.
-
Hi! If so, is it planned for Q1 2023 as part of |
Beta Was this translation helpful? Give feedback.
-
Loving the feature 🎉 Of the listed things on the roadmap, multi-org support and packages (GHCR) API would be very useful! Regarding the token expiry, is there some way to get notified ahead of time? |
Beta Was this translation helpful? Give feedback.
-
I have personal access token (classic) with the following scope:
I use this token in our organisation to manage Repository access for our GitHub Apps. How should I use my fine-grained token with same "scope rights"? From support I got answer that The add a repository to an app installation endpoint doesn't support fine-grained personal access tokens. Would be perfect, if GitHub will add this endpoint in the future. |
Beta Was this translation helpful? Give feedback.
-
Love the approach! Any plan support pre-filled links like with classic access tokens? This is what I'm talking about: |
Beta Was this translation helpful? Give feedback.
-
Could this be extended to SSH keys as well? My work keys don't really need access to my personal repositories, and vice versa. I'd also like the ability to use GnuPG authentication subkeys for SSH without adding them separately, but that's another issue. Scoping them on a subkey-by-subkey basis would still be an improvement. |
Beta Was this translation helpful? Give feedback.
-
I'm happy and applaud GitHub for exploring options for fine grained access. However, I don't think fgPATs are a sufficient solution for an enterprise product like GitHub. The current implementation/model of fgPATs will never be granular enough for everyone's use case. This feedback page is full of requests going "could x be granted without granting y". This is especially the case for enterprise users where many different roles throughout an organization need various levels of access. Currently GitHub has many scattered forms of "access control":
The standard in the industry is RBAC, combined with various forms of principal accounts (eg. User, Team, Service account). For GitHub this could be a really flexible and strong access control model. Google Clouds fine grained permissions system that combines into roles is a good example. I would hope to see GitHub take all the unrelated spread out "access control features". And combine them up into a unified permission system where actual fine-grained access can be granted to various principals. |
Beta Was this translation helpful? Give feedback.
-
Is there an API for creating these access tokens? Been playing with Hashicorp Vault and would love to use these tokens to build a Vault Secrets Engine plugin. |
Beta Was this translation helpful? Give feedback.
-
I'm not able to download repo tarballs using a fine grained token with urls like the followiing don't work:
while this works:
|
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
This is so awful! Have no idea where to go to generate a token! |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
Another feedback: |
Beta Was this translation helpful? Give feedback.
-
I would like the description field for the token to be larger and/or that the request reason sent to the administrator is accessible after approval. The flow for requesting a token limits the description of the token to 120 characters making describing the token purpose to refer back to later more difficult. The justification for approval of the token allows for greater detail but doesn't get persisted in the admin dashboard for the organisation to review why a token was granted in the first instance. This is displayed when you approve the token, however, the justification for requesting the token is not available to view after it is approved. Having the long-form justification information helps to be kind to your future self in understanding why a token was created or granted and where it is used and keeps the information accessible within GitHub. |
Beta Was this translation helpful? Give feedback.
-
Hi, Thank you in advance. |
Beta Was this translation helpful? Give feedback.
-
Downloading a private repository with read-only permissions, with |
Beta Was this translation helpful? Give feedback.
-
Hi there, The GET /repos/{owner}/{repo}/labels endpoint appears to be broken with fine-grained PATs. I have a fine-grained PAT with sufficient permissions, as described here - and additional permissions that I added for testing - but I am getting an internal server error:
A classic PAT works fine:
The issue appears to be with this endpoint specifically, as other endpoints work:
I'm fine using a classic PAT for now, but it'd be nice to see this fixed :) |
Beta Was this translation helpful? Give feedback.
-
Hi! Is there a plan to support: [GET /repositories/{repository_id}](Fetch Repository By ID) I know this is an "undocumented" endpoint. However, it seems with the PAT it denies the abillity to query a repository it should have access to by ID. The only workaround I see is to list all repos that the token has access too, loop through, and search for a specific ID. |
Beta Was this translation helpful? Give feedback.
-
When will this feature available for self-hosted enterprise github server? |
Beta Was this translation helpful? Give feedback.
-
I am not sure if I am asking in correct place but could you please tell me how to check if my access token generated via Github App ("ghu_") has specific permissions? I would like to authenticate to Vault via github token comes from Github App and I am wondering if it's possible in easy way |
Beta Was this translation helpful? Give feedback.
-
We recently setup a FG PAT to use for GH audit log ingestion to Splunk (via the Splunk add-on for GH). A couple pieces of feedback:
|
Beta Was this translation helpful? Give feedback.
-
Hi all,
I have a script to check the conformance of all the repositories of my organization to some security policies. In particular, I need to check that all GitHub teams having access to the repositories are all linked to an AD group. This works nicely with a basic PAT but not with a fine-grained PAT and I would like to switch to fine-grained PAT and forbid the use of basic PAT so that I can control how we access our repositories via PAT. Fine-grained PAT look very interesting but I do not want to loose the opportunity to run conformance checks with a script. The end point I'm targetting is Thanks |
Beta Was this translation helpful? Give feedback.
-
Given a user with
However step 1 seems to be only possible if token has
Together with some new permission which would allow to create a fork and then a PR from that fork (without being able to modify any existing PRs made directly on repo on other forks). Commenting on the PR created with the token would also be nice. Note that using classic token of a user with |
Beta Was this translation helpful? Give feedback.
-
Hi, perhaps this question is not suppose to be asked here, but I am confused. I wanted to use GitHub API in order to show my repositories on my personal portfolio. I have created the fine-grained PAT and everything works perfectly, but the problem is that the key is exposed in browser tools. (I've failed at setting my own proxy server, using Netlify or other solutions I've found). Is it possible to add a restriction to the token, for example, that the token can only be accessed from a specific URL? |
Beta Was this translation helpful? Give feedback.
-
This topic serves as an area for feedback and discussion on the new fine-grained personal access tokens format, launched on October 18th. It includes more permissions, mandatory expirations, and organization + repository scoping. You can find more details in the blog post and the documentation.
There are some limits to fine-grained PATs that we'll be addressing in the coming months:
Recently, we've added:
There are also some APIs that do not yet support the fine-grained permission model, that we'll be adding support for in time:
Please let us know what you'd love to see in this new token type, what worked for you, and what didn't. Thank you!
Beta Was this translation helpful? Give feedback.
All reactions