Sharing a token across an org

We have published a private rubygem and I’d like for that gem to be added to a Gemfile in another private repository that is used by around 60+ devs. I don’t want those 60+ devs to have to generate an access token to download this rubygem.

Is there a way to use a shared token and commit that to our private repository?

As an example, sidekiq-pro does this by simply adding a .bundle/config to the repository with the following contents:

BUNDLE_GEMS__CONTRIBSYS__COM: "shared:token"

Totally understand that this is not the most secure since it requires manually rotating the token if a developer leaves, but it is the path that requires the least amount of friction.
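For reference, here is an added example (not from the original post, nor from sidekiq-pro) showing the alternative that keeps the credential out of the committed repository: Bundler reads the same key from an environment variable or from the per-user global config, so the committed `.bundle/config` can stay credential-free. The helper derives the key name from the gem host using Bundler's mapping (upper-case, `.` becomes `__`, `-` becomes `___`), writes the credential to a file with owner-only permissions, and gives a check that a pre-commit hook or CI job can run against the repo's own `.bundle/config`. The host name, the `shared:token` value and the file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: keep the Bundler credential for a
# private gem source out of the repository by supplying it via the environment or
# the per-user global config instead of a committed .bundle/config.
# Host names and token values used here are constructed placeholders.
set -eu

# Bundler derives the env var / config key from the source host:
# upper-case, "." -> "__", "-" -> "___"
# e.g. gems.contribsys.com -> BUNDLE_GEMS__CONTRIBSYS__COM
bundle_cred_key() {
  printf 'BUNDLE_%s\n' "$(printf '%s' "$1" | sed -e 's/\./__/g' -e 's/-/___/g' | tr '[:lower:]' '[:upper:]')"
}

# write_bundle_credential HOST "user:token" [FILE]
# Appends the credential line to FILE (default: the global ~/.bundle/config,
# which is never part of a checkout) with owner-only permissions.
write_bundle_credential() {
  host=$1 cred=$2 cfg=${3:-"$HOME/.bundle/config"}
  key=$(bundle_cred_key "$host")
  mkdir -p "$(dirname "$cfg")"
  ( umask 077; printf '%s: "%s"\n' "$key" "$cred" >> "$cfg" )
  chmod 600 "$cfg"
}

# repo_config_is_clean [FILE]
# Heuristic guard for a pre-commit hook or CI step: returns 0 when the
# repo-local .bundle/config (default path) holds no "user:token"-shaped value,
# 1 when a credential-looking entry is present. A missing file counts as clean.
repo_config_is_clean() {
  f=${1:-.bundle/config}
  [ -f "$f" ] || return 0
  ! grep -Eq '^BUNDLE_[A-Z0-9_]+: *"[^"]*:[^"]*"' "$f"
}
```

With the credential in `~/.bundle/config` (or exported as `BUNDLE_GEMS__CONTRIBSYS__COM` in the developer's shell or CI environment), `bundle install` resolves the private source exactly as it would from a committed file, and rotating the token no longer requires a commit to the shared repository.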

The way we solved a similar problem was by creating a machine user account, adding it to our org, and then generating a personal access token from that account.  

Then, in actions that need to be able to access other private org repos, we would set that PAT as an action secret. Then inside your action, use that PAT to set up an authorized environment that can access org private repos.

In our case, we were authorizing Terraform, which references modules via https git, so all we needed to do was set up a netrc file prior to accessing other private repos.  This can be done with a simple run action or slightly less verbose action we wrote to do just this:

https://github.com/little-core-labs/netrc-creds

There is a GITHUB_TOKEN secret automatically added to all actions by default, though I found this token to only be scoped to access the repo the action is associated with, not the rest of the org.  It would be cool if github made the scopes on this token customizable to read the rest of the org, but that's not the case yet.

Hope that helps.

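As an added example (not the answerer's code, nor the linked netrc-creds action), this is the netrc step the answer describes, written as a small POSIX shell script: the machine user's PAT is taken from an Actions secret via an environment variable rather than a command-line argument, the `~/.netrc` entry is written with owner-only permissions, and two checks confirm the entry and the file mode before Terraform or git runs. The host `github.com`, the login `machine-user`, the secret name `ORG_MACHINE_USER_PAT` and the `NETRC_TOKEN` variable name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer or the netrc-creds action:
# write a ~/.netrc entry for a machine-user PAT held in an Actions secret so that
# https git clones of private org repos (e.g. Terraform modules) authenticate.
#
# Assumed workflow step:
#   - run: ./write-netrc.sh github.com machine-user
#     env:
#       NETRC_TOKEN: ${{ secrets.ORG_MACHINE_USER_PAT }}
set -eu

# write_netrc HOST LOGIN [FILE]
# Reads the token from $NETRC_TOKEN (not an argument, so it is absent from
# process argument lists) and appends a netrc entry to FILE (default ~/.netrc)
# created with mode 0600. Fails, without touching the file, on an empty token
# or one containing whitespace, which would corrupt the netrc format.
write_netrc() {
  host=$1 login=$2 file=${3:-"$HOME/.netrc"}
  token=${NETRC_TOKEN:-}
  if [ -z "$token" ]; then
    echo "write_netrc: NETRC_TOKEN is empty for $host (secret not set?)" >&2
    return 1
  fi
  case $token in
    *[[:space:]]*) echo "write_netrc: token contains whitespace" >&2; return 1 ;;
  esac
  ( umask 077; printf 'machine %s login %s password %s\n' "$host" "$login" "$token" >> "$file" )
  chmod 600 "$file"
}

# netrc_has_machine FILE HOST: 0 when FILE contains an entry for HOST.
netrc_has_machine() {
  grep -Eq "^machine $2( |\$)" "$1"
}

# netrc_perms_ok FILE: 0 when FILE exists and is not group- or world-readable,
# which is what git (via curl) expects of a netrc file.
netrc_perms_ok() {
  [ -f "$1" ] || return 1
  ! ls -l "$1" | cut -c5-10 | grep -q '[rwx]'
}
```

Run the script before `terraform init` (or any `git clone` of a private https module source) in the same job; because the token only ever lives in the runner's environment and in a 0600 file, it is not echoed into the job log, and rotating the machine user's PAT is a matter of updating the org secret rather than touching any repository.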

You can now set org secrets, available to all actions. Very cool. Still no terraform provider for that feature yet though.