Auth within an organization? #26759
What is the best practice for authenticating operations between repos in an organization? (e.g. one repo does an environment-protected automation that populates data in another repo) I know a PAT from a high-level member of the organization does the trick, but this looks like a workaround, not a solution. Is there a way to create some sort of organization-wide access token (similar to PATs), to be used as a secret for a GHA workflow, but without attaching it to any member, rather attaching it to the organization itself?
Replies: 1 comment
One way is to create a GitHub app for this. It can be
You would need to store a private key for this app as an org secret and use it in workflows to generate a short-lived token. Any operations made with this token will be on behalf of that app/bot because it has its own identity on GitHub. It’s more involved to set up than using a PAT, but it definitely provides much more control and security.
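Added example, not part of the original reply: a workflow in the source repo that exchanges the app's private key for a short-lived installation token scoped to a single target repository, then pushes data there under the app's identity. The repository name `data-repo`, the `production` environment, the `DATA_BOT_APP_ID` variable, the `DATA_BOT_PRIVATE_KEY` secret, the `data-bot` app name and the `out/data.json` path are all assumptions; the app is assumed to be installed on the target repo with Contents read and write permission.

```yaml
# Added example; names marked "hypothetical" are assumptions, not from the page.
name: publish-data
on:
  workflow_dispatch:

permissions:
  contents: read   # the built-in GITHUB_TOKEN only needs to read this repo

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: production   # hypothetical environment with protection rules
    steps:
      - uses: actions/checkout@v4

      # Exchange the app's private key for a short-lived installation token,
      # restricted to the one repository this job writes to.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.DATA_BOT_APP_ID }}              # hypothetical org variable
          private-key: ${{ secrets.DATA_BOT_PRIVATE_KEY }} # hypothetical org secret
          owner: ${{ github.repository_owner }}
          repositories: data-repo                          # hypothetical target repo

      # Check out the target repo with the app token instead of a member's PAT.
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/data-repo
          token: ${{ steps.app-token.outputs.token }}
          path: data-repo

      - name: Commit generated data as the app
        working-directory: data-repo
        run: |
          mkdir -p generated
          cp ../out/data.json generated/data.json   # hypothetical build output
          git config user.name "data-bot[bot]"      # hypothetical app name
          git config user.email "data-bot[bot]@users.noreply.github.com"
          git add generated/data.json
          # Skip the commit and push when nothing changed.
          git diff --cached --quiet || { git commit -m "Update generated data"; git push; }
```

Limiting the org secret to the repositories that run this workflow keeps the private key out of reach of unrelated workflows in the organization.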