
Update the CSHS-CWRA Personal Access token policy to allow for Fine Grained Tokens

Open Zeitsperre opened this issue 1 year ago • 5 comments

In order to add some necessary token for running actions, I need to be able to create a Token Request as a member of CSHS-CWRA. These tokens are used for running workflows and performing automated actions on behalf of a user.

The organization does not currently allow for these requests, and I need to be able to add some tokens to this repo before closing #386.

@analytophile could you enable this on the CSHS-CWRA organization? For more information: https://docs.github.com/en/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization

Steps:

  • In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
  • Next to the CSHS-CWRA, click Settings.
  • In the left sidebar, under Personal access tokens, click Settings.
  • Under Fine-grained personal access tokens, select:
    • Allow access via fine-grained personal access tokens
  • Click Save.

Zeitsperre avatar Jul 17 '24 12:07 Zeitsperre

@analytophile

Hi James, it looks like there are some changes I need to perform in RavenPy for a new release. Would you happen to have time to look into this issue?

Thanks!

Zeitsperre avatar Sep 17 '24 20:09 Zeitsperre

Seems more steps are required.

The next options to allow or deny are:

  • Require approval of fine-grained personal access tokens
  • Restrict access via personal access tokens (classic)

Do you know if either or both of these should be allowed or denied? Or whether there are any important ramifications of this decision?

analytophile avatar Sep 18 '24 15:09 analytophile

All good.

On Ouranosinc, I've disabled the classic personal access tokens, since they give users a lot of (too much) control.

The classic tokens can be made to act effectively like a second user (which is way too much power), while the fine-grained tokens are much more limited in scope. I also think it makes more sense to set these tokens (or renew them) every year, which is the case for the fine-grained tokens (classic tokens can be made without an expiration date). From what I can see, the classic tokens are being shifted away from, while the new method is being adopted as the standard.

For the approvals, that's more up to you. My plan is to add one or two tokens here that will run a bot that does a few helpful things (bumping versions, adding issues to projects, etc.). If I ask for approval, you'll get a message to allow or deny the request. It's probably a good idea to manually approve requests (that's what I've set for us as well).

Zeitsperre avatar Sep 18 '24 15:09 Zeitsperre
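
Once the policy above is in place, the org owner still has to decide which fine-grained token grants to approve and which existing ones to keep. The script below is an added example written for this thread, not code from the RavenPy project or from either participant. It takes the JSON list of active fine-grained token grants for an organization (the field names `id`, `owner.login`, `repository_selection`, `permissions`, `token_expired`, `token_expires_at` and `token_last_used_at` are assumed to match what the GitHub REST endpoint `GET /orgs/{org}/personal-access-tokens` returns) and flags grants that cut against the least-privilege argument made in the comment: access to all repositories, organization-level permissions, repository administration rights, no or overly distant expiry, and tokens that are expired or unused. The sample data is constructed; the ids and logins are made up.

```python
"""Audit fine-grained personal access token grants for a GitHub organization.

Added example, not part of the issue thread. The JSON shape below is an
assumption about GET /orgs/{org}/personal-access-tokens; the sample records
are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed clock so the audit result is reproducible.
NOW = datetime(2024, 9, 20, tzinfo=timezone.utc)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: one well-scoped bot token, one over-privileged token,
# and one expired token that should simply be revoked.
SAMPLE_GRANTS = json.dumps([
    {"id": 101, "owner": {"login": "release-bot"}, "repository_selection": "subset",
     "permissions": {"repository": {"contents": "write", "issues": "write"},
                     "organization": {}},
     "token_expired": False, "token_expires_at": _iso(NOW + timedelta(days=200)),
     "token_last_used_at": _iso(NOW - timedelta(days=2))},
    {"id": 102, "owner": {"login": "alice"}, "repository_selection": "all",
     "permissions": {"repository": {"administration": "write"},
                     "organization": {"members": "write"}},
     "token_expired": False, "token_expires_at": None, "token_last_used_at": None},
    {"id": 103, "owner": {"login": "old-ci"}, "repository_selection": "subset",
     "permissions": {"repository": {"contents": "read"}, "organization": {}},
     "token_expired": True, "token_expires_at": _iso(NOW - timedelta(days=30)),
     "token_last_used_at": _iso(NOW - timedelta(days=200))},
])


def _parse(ts):
    """Parse a GitHub-style UTC timestamp; None stays None."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_grants(grants_json, now=NOW, max_lifetime_days=365, stale_days=90):
    """Return (grant_id, finding) pairs for grants worth a second look.

    Findings are advisory: an org owner decides whether to keep, narrow or
    revoke each grant. The thresholds mirror the yearly-renewal practice
    described in the thread.
    """
    findings = []
    for grant in json.loads(grants_json):
        gid = grant["id"]
        perms = grant.get("permissions", {})

        # Expired tokens cannot be used but still clutter the approved list.
        if grant.get("token_expired"):
            findings.append((gid, "expired-revoke"))
            continue

        if grant.get("repository_selection") == "all":
            findings.append((gid, "all-repositories"))
        if perms.get("organization"):
            findings.append((gid, "org-level-permission"))
        if perms.get("repository", {}).get("administration") == "write":
            findings.append((gid, "repo-admin-write"))

        expires = _parse(grant.get("token_expires_at"))
        if expires is None:
            findings.append((gid, "no-expiry"))
        elif expires - now > timedelta(days=max_lifetime_days):
            findings.append((gid, "expiry-too-far"))

        last_used = _parse(grant.get("token_last_used_at"))
        if last_used is None or now - last_used > timedelta(days=stale_days):
            findings.append((gid, "stale-or-unused"))
    return findings


if __name__ == "__main__":
    for gid, finding in audit_grants(SAMPLE_GRANTS):
        print(f"grant {gid}: {finding}")
```

To run it against a real organization, replace `SAMPLE_GRANTS` with the output of `gh api /orgs/CSHS-CWRA/personal-access-tokens` (an org-owner token is needed to read that endpoint). The well-scoped bot grant (101) produces no findings, which is the shape the comment argues for: a subset of repositories, repository-level write only where the bot needs it, and an expiry within a year.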

Thanks - it's been enabled!

analytophile avatar Sep 18 '24 19:09 analytophile

@analytophile The requests have been sent for your approval. Thanks again!

Zeitsperre avatar Sep 19 '24 16:09 Zeitsperre

This has been implemented.

Zeitsperre avatar Nov 08 '24 16:11 Zeitsperre