-
Notifications
You must be signed in to change notification settings - Fork 71
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
📖 Move token discussion out of main README. (#1279)
* Move token discussion out of main README. Now that repo rules work with the default GITHUB_TOKEN, there's little need to recommend them. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify what works means. Signed-off-by: Spencer Schrock <sschrock@google.com> * Update docs/authentication/classic-token.md Co-authored-by: Pedro Kaj Kjellerup Nacht <pedro.k.night@gmail.com> Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Pedro Kaj Kjellerup Nacht <pedro.k.night@gmail.com>
- Loading branch information
1 parent
8d9d91b
commit bc7834e
Showing
3 changed files
with
57 additions
and
54 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# "Classic" Personal Access Token (PAT) Requirements and Risks | ||
Certain features require a Personal Access Token (PAT). | ||
We recommend you use a fine-grained token as described in [Authentication with Fine-grained PAT](/docs/authentication/fine-grained-auth-token.md). | ||
A "classic" PAT also works, but we strongly discourage its use. | ||
|
||
Due to a limitation of the "classic" tokens' permission model, | ||
the PAT needs [write permission to the repository](https://docs.github.com/developers/apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes) through the `repo` scope. | ||
**The PAT will be stored as a [GitHub encrypted secret](https://docs.github.com/actions/security-guides/encrypted-secrets) | ||
and be accessible by all of the repository's workflows and maintainers.** | ||
This means another maintainer on your project could potentially use the token to impersonate you. | ||
If there is an exploitable bug in a workflow with write permissions, | ||
an external contributor could potentially exploit it to extract the PAT. | ||
|
||
The only benefit of a "classic" PAT is that it can be set to never expire. | ||
However, we believe this does not outweigh the significantly higher risk of "classic" PATs compared to fine-grained PATs. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# Authentication with Fine-grained PAT (optional) | ||
|
||
For repositories that want to detect their classic Branch Protection rules, or webhooks, we suggest you create a fine-grained Personal Access Token (PAT) that Scorecard may use for authentication. | ||
|
||
1. [Create a fine-grained Personal Access Token](https://github.com/settings/personal-access-tokens/new) with the following settings: | ||
- Token name: `OpenSSF Scorecard Action - $USER_NAME/$REPO_NAME>` | ||
(Note: replace `$USER_NAME/$REPO_NAME` with the names of your organization and repository so you can keep track of your tokens.) | ||
- Expiration: Set `Custom` and then set the date to exactly a year in the future (the maximum allowed) | ||
- Repository Access: `Only select repositories` and select the desired repository. | ||
Alternatively, set `All repositories` if you wish to use the same token for all your repositories. | ||
- Repository Permissions: | ||
* `Administration: Read-only`: Required to read [Branch-Protection](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) settings. | ||
* `Metadata: Read-only` will be automatically set when you set `Administration` | ||
* `Webhooks: Read-only`: (Optional) required for the experimental [Webhook](https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks) check. | ||
|
||
**Disclaimer:** Scorecard uses these permissions solely to learn about the project's branch protection rules and webhooks. | ||
However, the token can read many of the project's settings | ||
(for a full list, see the queries marked `(read)` in [GitHub's documentation](https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28#administration)). | ||
|
||
"Classic" tokens with `repo` scope also work. | ||
However, these carry significantly higher risks compared to fine-grained PATs | ||
(see ["Classic" Personal Access Token (PAT) Requirements and Risks](/docs/authentication/classic-token.md)) | ||
and are therefore strongly discouraged. | ||
|
||
![image](/images/tokenscopes.png) | ||
|
||
2. Copy the token value. | ||
|
||
3. [Create a new repository secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) with the following settings (**Warning:** [GitHub encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) are accessible by all the workflows and maintainers of a repository.): | ||
- Name: `SCORECARD_TOKEN` | ||
- Value: the value of the token created in step 1 above. | ||
|
||
Note that fine-grained tokens expire after one year. You'll receive an email from GitHub when your token is about to expire, at which point you must regenerate it. Make sure to update the token string in your repository's secrets. | ||
|
||
4. When you call the `ossf/scorecard-action` in your workflow, pass the token as `repo_token: ${{ secrets.SCORECARD_TOKEN }}`. |