I'm an administrator for an organization (call it 'foo') that has a few hundred repositories.
I frequently get emails from Github like this:
Subject: [GitHub] A new public key was added to foo/bar
Body: The following SSH key was added to the foo/bar repository by baz:
If you believe this key was added in error, you can remove the key and disable
access at the following location: (snip)
Upon investigation, I think these are actually deploy keys being added. I'm not sure why the email doesn't include the words "deploy key" anywhere, but whatever.
I don't care whether deploy keys are added to individual repos, is there any way to stop these notifications? Note that while I'm part of the foo organization, I'm not specifically a member of or watching the bar repo.
You can manage your notifications in the following way:
click on yor profilepicture --> settings --> personal settings --> notifications
Thanks for reaching out! Yep, adding a deploy key will send a notification to all organization owners.
This is to make sure that owners are aware of any deploy keys created in their repositories, since removing from the organization the user who added the key will still allow them to access the repository with the deploy key. It currently isn't possible to opt-out from those emails for this reason.
thanks for the information.
however, this mechanism is probably not useful for a bigger organization, where it isn't really possible for the owners to have overview over "member turnover" and which repos would need to be checked etc.
btw, are there any way to see list of deploy keys for the org all at once?
I too am finding this more annoying than useful. Would love to see a way to opt out. In the meantime, probably just going to set up an email filter.
Hi @lee-dohm, I accidentally replied to the top comment, so I am replicating my comment in a reply to you.
We have several hundred repositories. We are currently adding automation to securely attach new keys to repositories and store them in SSM, so that only CI has access to them. Additionally, the keys will be rotated with some regularity (e.g., 7 days). That would be 1000+ emails per week for us.
So, it would be extremely useful to be able to turn these notifiactions off, or at least disable them from being sent if the deploy key had a certain prefix name or was added via the API.
It also seems a bit odd that I cannot turn these off given that I can create a full control access token, and not have notifications go out to other admins for that.