Description
Thank you for creating this action! We're looking forward to being able to have private actions without needing to fork out the big bucks for GitHub Enterprise.
From what I can tell from the code, the sole means of authentication with the GitHub repo is via a Personal Access Token. If this is not true, I'd be interested to know how to use this action with a deploy key or GitHub App instead.
From a security perspective, GitHub recommends using Deploy keys or GitHub Apps for cross-repository access instead of PATs whenever possible:
You should never use personal access tokens from your own account. These tokens grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account. This indirectly grants broad access to all write-access users of the repository the workflow is in. In addition, if you later leave an organization, workflows using this token will immediately break, and debugging this issue can be challenging.
If a personal access token is used, it should be one that was generated for a new account that is only granted access to the specific repositories that are needed for the workflow. Note that this approach is not scalable and should be avoided in favor of alternatives, such as deploy keys.
One alternative that's more secure is to use a GitHub App and sign a GITHUB_INSTALL_TOKEN:
GitHub App tokens
- GitHub Apps can be installed on select repositories, and even have granular permissions on the resources within them. You could create a GitHub App internal to your organization, install it on the repositories you need access to within your workflow, and authenticate as the installation within your workflow to access those repositories.
And they also add the following information about deploy keys, which are most preferred for cross-repo access:
- Deploy keys are one of the only credential types that grant read or write access to a single repository, and can be used to interact with another repository within a workflow. For more information, see "Managing deploy keys."
- Note that deploy keys can only clone and push to the repository using Git, and cannot be used to interact with the REST or GraphQL API, so they may not be appropriate for your requirements.
Moreover, the GitHub documentation describes how to use a GitHub App token to clone a project as follows:
$ git clone https://x-access-token:<token>@github.com/owner/repo.git
I believe this could be enabled by adding a flag to differentiate between PAT tokens and GitHub App Tokens. For PAT, we'd use this code to generate the URL, while for a GitHub App token, we'd use the x-access-token: method shown above:
// Generate repository URL for the action to checkout with PAT
const patUrl = `https://${token}:x-oauth-basic@github.com/${org}/${repo}.git`;
// Generate repository URL for the action to checkout with GitHub App token
// (named separately so both declarations can live in one scope)
const appUrl = `https://x-access-token:${token}@github.com/${org}/${repo}.git`;
I am not yet sure how the clone URL would look with a deploy key, but these steps should help make things more secure so the private action doesn't have access to everything the developer has access to. Hope this information is helpful!
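As an added example (not the action's code or the issue author's), the helper below builds the clone URL for either credential type described above behind a single `credentialType` flag, validates the `org`/`repo` inputs, and produces a redacted form so the token never reaches workflow logs. The function names and the `credentialType` values `pat` and `app` are assumptions; the token values in comments are constructed placeholders.

```javascript
// Added example: build the authenticated clone URL for a PAT or a GitHub App
// installation token, plus a log-safe variant with the credential removed.

// Where each credential type goes in the URL's userinfo, per the two URL shapes
// discussed in the issue (PAT as user + "x-oauth-basic", App token after
// "x-access-token").
const CREDENTIAL_TYPES = {
  pat: (token) => ({ username: token, password: 'x-oauth-basic' }),
  app: (token) => ({ username: 'x-access-token', password: token }),
};

// Plain GitHub owner/repo names only, so a crafted input like "owner/../x"
// cannot rewrite the path or host of the URL being cloned.
const SAFE_NAME = /^[A-Za-z0-9_.-]+$/;

function buildCloneUrl({ org, repo, token, credentialType }) {
  const place = CREDENTIAL_TYPES[credentialType];
  if (!place) {
    throw new Error(`unknown credential type: ${credentialType}`);
  }
  if (typeof token !== 'string' || token.length === 0 || /\s/.test(token)) {
    throw new Error('token must be a non-empty string without whitespace');
  }
  if (!SAFE_NAME.test(org) || !SAFE_NAME.test(repo)) {
    throw new Error('org and repo must be plain GitHub names');
  }
  const url = new URL(`https://github.com/${org}/${repo}.git`);
  const { username, password } = place(token);
  // The URL setters percent-encode reserved characters, so a token containing
  // ':' or '@' cannot break the userinfo boundary.
  url.username = username;
  url.password = password;
  return url.toString();
}

// Strip userinfo before a clone URL is echoed into logs or error messages.
function redactCloneUrl(cloneUrl) {
  const url = new URL(cloneUrl);
  url.username = '';
  url.password = '';
  return url.toString();
}

// Example (constructed placeholder token):
// buildCloneUrl({ org: 'owner', repo: 'repo', token: 'ghs_EXAMPLE', credentialType: 'app' })
//   → https://x-access-token:ghs_EXAMPLE@github.com/owner/repo.git
```

Log only `redactCloneUrl(url)`; the full URL should be passed to `git clone` and nowhere else.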