Will a github token leak when running github actions - github

I'm running Github actions workflow in a private repo, and it pushes changes in a public repo. I'm providing my GitHub token in the private repo for the workflow github actions. Will my token leak in my public repo .git?
Can somebody clarify this? I'm don't have knowledge of security things :(

The Automatic token authentication page uses a GITHUB_TOKEN secret, which should, as its name suggests, remains... a secret.
At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow.
You can use the GITHUB_TOKEN to authenticate in a workflow run.
The GITHUB_TOKEN secret is a GitHub App installation access token.
You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository.
The token's permissions are limited to the repository that contains your workflow.
So you should not need to use your own GitHub token, only the one generated by GitHub Action.

Related

GitHub Actions: Downloading release files from a different repository

I have Repo A (private, in an organization), which has a GitHub Actions workflow that builds and bundles my application into a tar.gz file and includes it as an artifact in a Release.
I have Repo B (also private, same organization) which, in the GitHub Actions workflow, needs to download the release artifacts from a specific release of Repo A, and do other things with it.
What is the modern best-practices approach to enabling this cross-repo release access within an organization? Last time I did this, we had to use a Personal Access Token for a machine user that we created, which is all sorts of bad (machine user GitHub account, long-lived secret, etc.). GitHub has since added a lot of capability with the built-in GITHUB_TOKEN secret, with OIDC support within Actions, etc. Is there a better way to achieve what I'm trying to do?
If you are using a Linux Docker container, you can try and use dsaltares/fetch-gh-release-asset which is meant to:
downloads an asset from a GitHub release and provides some release details as output.
Private repos are supported.
You can find an example here.
But it does use a GitHub token which defaults to ${{ secrets.GITHUB_TOKEN }}: make sure it is a GitHub App installation access token.

Use Github Package Registry without authtoken

In my node project I would like to use both NPM and Github registries. The reason is that I use some packages as request or async, but I've made my own packages which are stored on Github Packges Registry.
I've tried to add #USERNAME:registry=https://npm.pkg.github.com/ in .npmrc, but I still need an authtoken. There is the problem: as it's for a continuous integration I don't want to use a token linked to a specific user.
So what could I do ?
Edit: I'm using Circle CI for my workflows.
You can use the default GITHUB_TOKEN associated with the repository that your workflow runs in.
If you are using a GitHub Actions workflow, you can use a GITHUB_TOKEN to publish and consume packages in the GitHub Package Registry without needing to store and manage a personal access token.
ref: https://help.github.com/en/github/managing-packages-with-github-package-registry/configuring-npm-for-use-with-github-package-registry#authenticating-to-github-package-registry
If you are not using GitHub Actions and running your build in a different CI tool then I don't think you have any choice but to use a Personal Access Token tied to a user account.

AWS CodeBuild Github webhook does not update status of PullRequest

Using the official guide, created build project to run tests on GitHub PullRequests creation. The webhook is correctly shown on GitHub, builds are being triggered in Codebuild, however, the build status is not shown in Github, despite the option Report build status is set true. If I correctly understood the tutorial, Codebuild has native support of GitHub, and after successful creation of a webhook, the new verification check should be added for PR submission automatically, any suggestions to make this work?
It should work automatically. If builds are triggering but codebuild is not reporting back on the status, then it sounds like the codebuild project no longer has permission to the repo. You could try adding the GitHub source to codebuild again.
"Report build status" actually has no effect when triggered by a webhook, and should always report back in theory (https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html). It's set to false for my project and always updates the pull requests.
Ensure the GitHub user has write access to the repository, and if you're using a Personal Access Token (PAT), ensure the repo:status scope is granted:
Grants read/write access to public and private repository commit statuses. This scope is only necessary to grant other users or services access to private repository commit statuses without granting access to the code.
https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
(I experienced this issue recently. The PAT had the necessary scopes granted but the GitHub user had read-only access to the repository. Granting the GitHub user write permission solved the problem.)

Jenkins giving Permission denied (publickey) on adding github repo

I am using Jenkins Github plugin and was using public/private key for one repo, which was working alright. But I got problem when I added another repo, because github doesn't allow sharing public key across multiple repos.
So i integrated jenkins using github token (in Jenkins > manage > configure system and service in github) and removed private/public keys in jenkins server and github. Now when I add repo, I get Permission denied (publickey) error (image attached)
How do i integrate multiple github repos with my jenkins server?
Found the problem. There is key attached to account of user who's token was added to jenkins. My assumption was it should not have mattered as token was added. But that's not correct.
Added private keys of user who's token was used, in jenkins server and everything returns to normal
Got hint from Authenticate Jenkins CI for Github private repository

How to give the push access to github repo without giving the github account credentials?

I wrote the tool which use the one github repo as a cloud storage.
I need to give the write (push) access for this tool to one github repo, but I do not want to use the github user credentials (user name and password), because anyone can use it to logon to github and change the credentials or delete the repo.
You can generate an OAuth authorization for your specific app.
See an example here: it supposed you have registered you app in your account.