Replace GitHub Personal Access Tokens with Org-Rotated Tokens

TL;DR

The use of personal access tokens (or PATs) has been detected in workflows at use in this repository.

Due to various security concerns around the use of personal access tokens in GitHub Actions, you must onboard to the new centralized token rotations service and replace all use of personal access tokens with a new, organization-provided rotated token.

Why is this being asked?

Personal access tokens in use at Shopify for GitHub Actions provide an unnecessarily large blast radius.

They are typically not rotated on any set schedule.
They are vulnerable to developer churn (i.e. a developer leaves Shopify; their personal access tokens become unauthorized for use at Shopify)
They incorrectly identify an actor that uses that token as the creator’s account, making it hard to audit and attribute usage correctly.

Replacing the use of personal access tokens with organization-provided tokens will provide the following benefits:

The responsibility of managing secrets and tokens falls to the centralized service, rather than individual teams/developers.
They will be automatically expired and rotated without developer overhead.
They are not impacted by developer churn.
The security auditing and logging capabilities are greatly improved for use in triaging incidents.

What will happen if it doesn't get done within the expected timeframe?

A security audit will be performed, and teams will be asked to explain why personal access tokens are in continued use.

When does it need to get done?

At the latest, this should be done before 2022-08-31.

I have questions/concerns about this

Please contact the code-scale team using Slack.

Shopify / shipit-engine