Skip to content

Latest commit

 

History

History
40 lines (21 loc) · 3.07 KB

README.md

File metadata and controls

40 lines (21 loc) · 3.07 KB

🔑 IssueOps based certificate authority for GitHub orgs 🔑

Why

Many administrators would love to restrict cloning and pushing to GitHub repos to certain IPs and auto-expiring keys. GitHub provides that functionality out of the box, but it is quite complicated to setup and maintain:

image

If we had a way to automate all steps by just creating an issue - the ssh certificate authority feature would have a much higher chance to be used.

Try it out

  1. Configure your org to use a ssh certificate authority

image

  1. Create a copy of this repository template in that organization

image

  1. Set your CA private key as SSH_CERTIFICATEsecret

  2. Create an issue with the Sign ssh key issue template which will trigger the issue ops sign ssh key workflow

image

  1. Profit

🔒 Bonus encryption / decryption IssueOps workflow 🔒

In a first iteration, we experimented with generating ssh keys from scratch and send them encrypted to the user. We abandoned this idea for signing already uploaded ssh keys. A leftover from our experiments is an IssueOps encryption workflow that can be triggered by using the Encrypt and share content issue template and encrypts any content in the issue description with the public ssh keys of the specified recipient (with a comment how to decrypt):

image

For encryption/decryption, the portable, lightweight encryption tool age is used, which could either be used directly from this repo template (Windows, Linux, Mac) or build/installed from scratch.

🎁 Second bonus - Encrypted Winterfest parcels 🎁

For GitHub Winterfest - we designed a third IssueOps workflow that is very similar to the encryption based one just that it always assumes the issue opener to be the receiver and a configurable secret WINTERFEST_SECRET is used as encrypted payload. It also comes with a festive issue template. Have fun trying it out.