github-as-code icon indicating copy to clipboard operation
github-as-code copied to clipboard
verified publisher icon ipdxco

Experimental support for GitHub token authentication

Open infinisil opened this issue 9 months ago • 0 comments

Summary

Implements experimental support for authentication using personal access tokens directly.

Why do you need this?

This comes from the desire to be more fine-grained in the permissions given to the github management automation, see https://github.com/NixOS/org/pull/99#issuecomment-2840227204.

E.g. With GitHub Apps, there's no way to give both the "manage teams" permission without also the "remove org owners" permission. Similarly, the "manage repos" permission also comes with the "remove repos" permission. only what's required.

In comparison, with a personal access token of a user, you can give that user specific access levels on the repos it needs access to, or only add it to specific teams it needs to manage.

What else do we need to know?

For now, personal access tokens are limited to team member management, because unless you make the user an org admin, you run into problems for pretty much any other functionality.

DRI: myself

Reviewer's Checklist

  • [ ] It is clear where the request is coming from (if unsure, ask)
  • [ ] All the automated checks passed
  • [ ] The YAML changes reflect the summary of the request
  • [ ] The Terraform plan posted as a comment reflects the summary of the request

infinisil avatar May 20 '25 22:05 infinisil