Auth within an organization?

What is the best practice for authenticating operations between repos in an organization? (e.g. one repo does an environment-protected automation that populates data in another repo)

I know PAT from a high-level member of the organization does the trick, but this looks like a workaround, not a solution.

Is there a way to create some sort of organization-wide access token (similar to PATs), to be used as a secret for a GHA workflow, but without attaching it to any member, rather attaching it to the organization itself?

One way is to create a GitHub app for this. It can

  • be hidden (visible only within the org),
  • have access to all repos in the org or only selected ones,
  • have restricted access permissions.

You would need to store a private key for this app as an org secret and use it in workflows to generate a short-lived token. Any operations made with this token will be on behalf of that app/bot because it has its own identity on GitHub.

It’s more involved to set up than using a PAT, but it definitely provides much more control and security.

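The setup described in the answer above, as an added example workflow that is not part of the original post: the org App's ID and private key are assumed to live in an org-level variable `APP_ID` and org-level secret `APP_PRIVATE_KEY`, and `target-repo` and `my-org-bot` are placeholder names for the repo being written to and the App's bot identity.

```yaml
name: populate-data-in-target-repo
on:
  workflow_dispatch:

jobs:
  populate:
    runs-on: ubuntu-latest
    environment: production   # environment rules (required reviewers etc.) gate this job
    permissions:
      contents: read          # the job's own GITHUB_TOKEN stays read-only
    steps:
      # Exchange the App's private key (org secret) for a short-lived installation
      # token scoped to just the repo we need. The action revokes the token when the
      # job finishes, so nothing long-lived is left behind.
      - name: Mint installation token for the org App
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}                 # assumed org-level variable
          private-key: ${{ secrets.APP_PRIVATE_KEY }} # assumed org-level secret
          owner: ${{ github.repository_owner }}
          repositories: target-repo                  # placeholder: narrow the token to one repo

      # Use the App token instead of a member's PAT to check out the other repo.
      - name: Check out target repo
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/target-repo
          token: ${{ steps.app-token.outputs.token }}
          path: target

      # Commits land under the App's own bot identity, not under any org member.
      - name: Write data and push
        run: |
          mkdir -p target/data
          echo "generated at $(date -u +%FT%TZ) by ${{ github.repository }}" > target/data/latest.txt
          cd target
          git config user.name "my-org-bot[bot]"
          git config user.email "my-org-bot[bot]@users.noreply.github.com"
          git add data/latest.txt
          git diff --cached --quiet && exit 0   # nothing changed, nothing to push
          git commit -m "Update data from ${{ github.repository }}"
          git push
```

The App's permissions (here: contents write on the selected repos) are configured on the App itself, so the token can never do more than the App was granted, regardless of who triggers the workflow.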