Open
Summary
We are currently using user-created Personal Access Tokens (PATs) for cross-repository and automation authentication within our GitHub organisation.
This creates operational and security risks because PATs:
- Are tied to individual user accounts
- Break if the user leaves the organisation
- Are often over-scoped
- Are long-lived credentials
- Are harder to audit and rotate
We should migrate to an organisation-owned GitHub App for machine-to-machine authentication.
Goals
- Remove all user-created PATs from repositories and organisation secrets
- Introduce a single org-owned GitHub App for automation within datum-cloud
- Generate short-lived installation tokens dynamically in workflows
- Improve auditability and security posture
- Reduce dependency on individual accounts
Proposed Approach
1️⃣ Create an Organisation GitHub App
- Owner: datum-cloud
- Repository access: Selected repositories (principle of least privilege)
- Permissions defined based on automation needs, e.g.:
  - Contents (read/write as required)
  - Pull Requests
  - Actions
  - Metadata (read-only)
2️⃣ Install the App on Required Repositories
Install only on repos that require:
- Cross-repo cloning
- Workflow dispatch
- PR creation
- Release automation
- Package publishing
- Other CI/CD interactions
3️⃣ Store App Credentials as Org-Level Secrets
Add the following under:
Org Settings → Secrets and variables → Actions → Organization secrets
- APP_ID
- APP_PRIVATE_KEY
Scope them only to repositories that require access.
4️⃣ Update Workflows to Generate Tokens Dynamically
Replace PAT usage with:
```yaml
- name: Generate GitHub App token
  id: app-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
```
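A complete workflow that wires the token step above into a cross-repository job, as an added example (not part of the original issue): the App token is narrowed to one target repository, used for a checkout and a workflow dispatch, and revoked by the action's post step when the job ends. The repository name `example-target-repo` and the workflow file `release.yml` are placeholders.

```yaml
name: Cross-repo automation with a GitHub App token

on:
  workflow_dispatch:

# The workflow's own GITHUB_TOKEN stays minimal; anything that needs
# more reach goes through the short-lived App installation token.
permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          # Restrict the installation token to the repositories this job
          # actually touches (placeholder name; the App must be installed there).
          owner: datum-cloud
          repositories: |
            example-target-repo

      - name: Check out the target repository with the App token
        uses: actions/checkout@v4
        with:
          repository: datum-cloud/example-target-repo
          token: ${{ steps.app-token.outputs.token }}
          path: target

      - name: Trigger a workflow in the target repository
        env:
          # gh reads GH_TOKEN; the installation token expires on its own
          # and the create-github-app-token post step revokes it early.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          gh workflow run release.yml --repo datum-cloud/example-target-repo
```

Each step that previously referenced a PAT secret is pointed at `steps.app-token.outputs.token` instead, so removing the PAT from organisation secrets leaves nothing for the job to fall back on.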