Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plans for this action given the new official actions/create-github-app-token? #99

Open
MPV opened this issue Oct 20, 2023 · 9 comments
Open
Assignees

Comments

@MPV
Copy link

MPV commented Oct 20, 2023

The readme in this repo links to an old version of the docs:
https://web.archive.org/web/20230115194214/https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#example-workflow-authenticating-with-a-github-app

...which have now been updated here:
https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#example-workflow-authenticating-with-a-github-app

...to use the new official action:

...which now in a few weeks seems to have gained the equivalent feature set (and hopefully stays maintained/improved).

Just thought I'd raise this issue to surface any thoughts on how these two actions relate to each other.

There also seems to be a bunch of others in the same field:

@gr2m
Copy link

gr2m commented Oct 31, 2023

👋🏼 just wanted to say hi, I'm one of the maintainers of the new https://github.com/actions/create-github-app-token. Our main motivation to create an official action is to not use a 3rd party action for this sensitive functionality as part of our internal efforts to make GitHub itself more secure. I'm also a maintainer of @octokit and wanted us to create an action that doesn't use third party dependencies, as changes are hard to review for consumers given that the final code is a compiled single file that consists of the action's code as well as all their dependencies.

I'm happy to help contribute best practices back to this action, I see that you already implemented the invalidation of a the token in a post step.

Thank you so much for creating this great action, I've been using it for a long time across many projects ❤️

Let me know if you have any further questions

@tibdex
Copy link
Owner

tibdex commented Oct 31, 2023

Thanks for your comment Gregor. It would be nice to bring the official action to feature parity with this one. I could then deprecate/archive this one. These inputs are not yet supported by the official action. Do you plan on adding support for them?

changes are hard to review for consumers given that the final code is a compiled single file that consists of the action's code as well as all their dependencies.

The docs also mentions using ncc to compile the action's code to a single file.

Besides, I explained in #41 why the way this action is published provides the best supply chain security. Other approaches such as "commit the node_modules and package-lock.json" are worst since, if I was an attacker, I could have manually changed some file under node_modules and it would be hard for any reader to realize it. @gr2m, do you agree?

I'm happy to help contribute best practices back to this action

Which best practices do you have in mind?

@gr2m
Copy link

gr2m commented Oct 31, 2023

These inputs are not yet supported by the official action. Do you plan on adding support for them?

The permissions for sure, that's been planned since the beginning. I can't say about the other ones yet. Could you point us to why you implemented the retrieval mode? I assume it's to make creating the installation access token more efficient without the need to lookup the installation first, but I'm not yet sure if it's worth adding the complexity

Besides, I explained in #41 why the way this action is published provides the best supply chain security

I agree it's the right approach, we also compile to a single file for actions/create-github-app-token. We just try to limit the amount of code that gets compiled into it by using lower-level @octokit packages, and ideally no 3rd party components in the dependency tree at all, but we are not quite there yet.

Which best practices do you have in mind?

None that you haven't addressed in your action yet I think

@tibdex
Copy link
Owner

tibdex commented Nov 2, 2023

Could you point us to why you implemented the retrieval mode?

Yes, it was asked in the tickets closed by #84.

@gr2m
Copy link

gr2m commented Nov 3, 2023

Thank you for sharing the context!

Unless I miss something, we already implemented what was requested in #76 by only providing with.owner (example)

Was there a separate request for implementing the retrieval using installation ID?

@tibdex
Copy link
Owner

tibdex commented Nov 3, 2023

Unless I miss something, we already implemented what was requested in #76 by only providing with.owner (example)

Yes, it looks like the same feature with a different API.

Was there a separate request for implementing the retrieval using installation ID?

Yes: #17.

I believe it's the last feature that differentiates this action from yours.

@gr2m
Copy link

gr2m commented Nov 3, 2023

Yes: #17.

Hmm that sounds like they want to create a JWT instead of an installation access token?

I believe it's the last feature that differentiate this action from yours.

Yes I think so. I think we'll sit this one out and wait for people to come up with their use cases before we go down that path though.

Thanks again for sharing all these insights, much appreciated

@cliffchapmanrbx
Copy link
Contributor

I just commented in the other action that my PR #43 adding support for alternate GITHUB_API_URL values is a blocker for us to migrate.

klutchell added a commit to product-os/flowzone that referenced this issue Dec 19, 2023
This deprecates support for the token_scope input for custom
actions which wasn't used anywhere anyway.

It also deprecates support for the installation_id input as
the installation will be derived from the repo owner.

The old token action is still in use to enable auto-merge where
custom token scopes were still required. This will be removed
in the future when custom permissions are supported by the new
action.

See: tibdex/github-app-token#99
See: actions/create-github-app-token#3
Resolves: #790

Change-type: major
Signed-off-by: Kyle Harding <[email protected]>
klutchell added a commit to product-os/flowzone that referenced this issue Dec 19, 2023
This deprecates support for the token_scope input for custom
actions which wasn't used anywhere anyway.

It also deprecates support for the installation_id input as
the installation will be derived from the repo owner.

The old token action is still in use to enable auto-merge where
custom token scopes were still required. This will be removed
in the future when custom permissions are supported by the new
action.

See: tibdex/github-app-token#99
See: actions/create-github-app-token#3
Resolves: #790

Change-type: major
Signed-off-by: Kyle Harding <[email protected]>
klutchell added a commit to product-os/flowzone that referenced this issue Dec 19, 2023
This deprecates support for the token_scope input for custom
actions which wasn't used anywhere anyway.

It also deprecates support for the installation_id input as
the installation will be derived from the repo owner.

The old token action is still in use to enable auto-merge where
custom token scopes were still required. This will be removed
in the future when custom permissions are supported by the new
action.

See: tibdex/github-app-token#99
See: actions/create-github-app-token#3
Resolves: #790

Change-type: major
Signed-off-by: Kyle Harding <[email protected]>
klutchell added a commit to product-os/flowzone that referenced this issue Dec 19, 2023
This deprecates support for the token_scope input for custom
actions which wasn't used anywhere anyway.

It also deprecates support for the installation_id input as
the installation will be derived from the repo owner.

The old token action is still in use to enable auto-merge where
custom token scopes were still required. This will be removed
in the future when custom permissions are supported by the new
action.

See: tibdex/github-app-token#99
See: actions/create-github-app-token#3
Resolves: #790

Change-type: major
Signed-off-by: Kyle Harding <[email protected]>
klutchell added a commit to product-os/flowzone that referenced this issue Dec 20, 2023
This deprecates support for the token_scope input for custom
actions which wasn't used anywhere anyway.

It also deprecates support for the installation_id input as
the installation will be derived from the repo owner.

The old token action is still in use to enable auto-merge where
custom token scopes were still required. This will be removed
in the future when custom permissions are supported by the new
action.

See: tibdex/github-app-token#99
See: actions/create-github-app-token#3
Resolves: #790

Change-type: major
Signed-off-by: Kyle Harding <[email protected]>
klutchell added a commit to product-os/flowzone that referenced this issue Jan 2, 2024
This deprecates support for the token_scope input for custom
actions which wasn't used anywhere anyway.

It also deprecates support for the installation_id input as
the installation will be derived from the repo owner.

The old token action is still in use to enable auto-merge where
custom token scopes were still required. This will be removed
in the future when custom permissions are supported by the new
action.

See: tibdex/github-app-token#99
See: actions/create-github-app-token#3
Resolves: #790

Change-type: major
Signed-off-by: Kyle Harding <[email protected]>
@gr2m
Copy link

gr2m commented Jan 27, 2024

I just commented in the other action that my PR #43 adding support for alternate GITHUB_API_URL values is a blocker for us to migrate.

We shipped the feature to set a custom github-api-url now: https://github.com/actions/create-github-app-token?tab=readme-ov-file#github-api-url

jeffwidman added a commit to dependabot/fetch-metadata that referenced this issue Mar 21, 2024
Improve security by switching to the official GitHub action
for managing app tokens. More [details](tibdex/github-app-token#99 (comment)).

The `repositories` key is safe to remove because per
the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories):

> If owner and repositories are empty, access will be scoped to only the current repository.
jeffwidman added a commit to dependabot/dependabot-core that referenced this issue Mar 21, 2024
Improve security by switching to the official GitHub action for managing app tokens. More [details](tibdex/github-app-token#99 (comment)).

The default scope is limited to only this repo per the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories):

> If owner and repositories are empty, access will be scoped to only the current repository.
jeffwidman added a commit to dependabot/fetch-metadata that referenced this issue Mar 21, 2024
Improve security by switching to the official GitHub action
for managing app tokens. More [details](tibdex/github-app-token#99 (comment)).

The `repositories` key is safe to remove because per
the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories):

> If owner and repositories are empty, access will be scoped to only the current repository.
jeffwidman added a commit to dependabot/dependabot-core that referenced this issue Mar 21, 2024
Improve security by switching to the official GitHub action for managing app tokens. More [details](tibdex/github-app-token#99 (comment)).

The default scope is limited to only this repo per the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories):

> If owner and repositories are empty, access will be scoped to only the current repository.
tekumara added a commit to tekumara/gh-doctor that referenced this issue May 11, 2024
tekumara added a commit to tekumara/gh-doctor that referenced this issue May 11, 2024
because it has better error messages on failure and
tibex/github-app-token will eventually be deprecated
see tibdex/github-app-token#99
tekumara added a commit to tekumara/typos-lsp that referenced this issue Jun 7, 2024
antoineco added a commit to deviantony/docker-elk that referenced this issue Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants