github-action-push-to-another-repository
Support using deploy keys
I see that this action and several actions like it rely on using Personal Access Tokens for write permissions. I don't like to use PATs because (as far as I know) they can't be scoped to a single repo. If they allow write access to one repo, they allow write access to all of your repos (and all of the repos of the organizations you belong to).
I'm looking to have some kind of authentication that just allows writing from one repo to another single public repo. It seems like GitHub deploy keys would be the way to accomplish this.
This action seems to do just that: https://github.com/leigholiver/commit-with-deploy-key
But it's not widely used/tested.
Your action seems to be the de facto standard for this type of thing, so an option for this would be nice.
I absolutely agree. Using personal access tokens is a major vulnerability. It virtually makes this action unusable in a team setting, because anyone with write access to the repo where the PAT is stored as a secret will be able to acquire or even mess with all your private repos via GitHub Actions. That is why it should not be recommended in the README and there should be a big red warning instead.
Thanks for the link. I was curious whether something like that is possible!
As an alternative (hacky) solution you can create a separate GitHub account and use it solely to generate a PAT; then you can control its access at each repository. E.g., in the case of an org it can be thought of as a cross-org deployer bot, and it can even have a dedicated email and be the author of the commits that you produce with this action.
Actually it's an even larger security threat, which people with write-access to this action can exploit.
Thanks @vincerubinetti and also to @nikita-volkov for reminding me of the original message. I'm looking at https://github.com/leigholiver/commit-with-deploy-key and will try implementing it using deploy keys. I accept pull requests for this if you have time before me (even without the unit tests; I've been postponing other changes for months because I don't have unit tests for the action yet).
I will also add a warning with the possible workaround.
I will say that I ended up using that leigholiver/commit-with-deploy-key package, and it ended up working fabulously.
I only bring up this issue here because, again, this package seems to be the "de facto" one. That is, it comes up first on Google, whereas the other package was hard to find.
It's possible you don't have to reinvent the wheel if the other package already fills that need. If you think that's the case, I agree it'd be great to put a big bold warning at the top of your readme, referring people to the other package if they want tighter security/scope.
Thanks @vincerubinetti - I've just added a warning in the README. I hope that I can implement it while keeping the majority of the logic, which would be ideal. I will also refer in the README to the other action for people who are concerned :-)
New branch available: https://github.com/cpina/github-action-push-to-another-repository/tree/ssh-deploy-key that allows using the personal access token (for backward compatibility) AND SSH keys.
I will do some more testing hopefully tomorrow, write documentation and merge to "main" (and release next week probably).
And the main branch has SSH deploy key support. I will wait a few days before tagging a new release to catch possible problems :-|
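For readers who want to see what the deploy-key approach looks like in practice, here is a workflow added as an example; it is not taken from this action's README and does not use the action's own inputs. It assumes the destination repository has the public half of an ed25519 key registered as a write-enabled deploy key, the private half is stored in the source repository as the secret `DEPLOY_KEY` (name is an assumption), and the destination URL below is a placeholder.

```yaml
# Added example: push a build directory to another repository with a
# per-repository deploy key instead of a PAT. Secret name DEPLOY_KEY and the
# destination URL are assumptions/placeholders, not values from the thread.
name: publish-to-other-repo
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # the GITHUB_TOKEN only needs to read this repo
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: mkdir -p output && cp -r docs/* output/
      - name: Push output/ to the destination repository via deploy key
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          DEST_REPO: git@github.com:example-org/example-destination.git  # placeholder
        run: |
          set -euo pipefail
          # Keep the private key out of the workspace (and therefore out of artifacts).
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # Trust-on-first-use of the host key; pin GitHub's published fingerprint instead if you can.
          ssh-keyscan github.com >> ~/.ssh/known_hosts 2>/dev/null
          # Force git to use exactly this key so no other identity is offered.
          export GIT_SSH_COMMAND="ssh -i ~/.ssh/deploy_key -o IdentitiesOnly=yes"
          git clone --depth 1 "$DEST_REPO" dest
          rsync -a --delete --exclude .git output/ dest/
          cd dest
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          # Only commit when something actually changed, so the push stays a no-op otherwise.
          git diff --cached --quiet || git commit -m "Publish from ${GITHUB_REPOSITORY}@${GITHUB_SHA}"
          git push origin HEAD
```

Because the key is registered on one destination repository only, a workflow (or a collaborator who can read the secret) that abuses it can at most write to that repository, which is the scoping the thread asks for.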
Closing issue (was included in the release v1.5)
Very responsible maintenance! Thank you!