Shopify / shipit-engine

Deployment coordination
https://shopify.engineering/introducing-shipit
MIT License
1.42k stars 146 forks source link

Replace GitHub Personal Access Tokens with Org-Rotated Tokens #1280

Closed Archetypically closed 2 years ago

Archetypically commented 2 years ago

TL;DR

The use of personal access tokens (or PATs) has been detected in workflows at use in this repository.

Due to various security concerns around the use of personal access tokens in GitHub Actions, you must onboard to the new centralized token rotations service and replace all use of personal access tokens with a new, organization-provided rotated token.

Why is this being asked?

Personal access tokens in use at Shopify for GitHub Actions provide an unnecessarily large blast radius.

Replacing the use of personal access tokens with organization-provided tokens will provide the following benefits:

What will happen if it doesn't get done within the expected timeframe?

A security audit will be performed, and teams will be asked to explain why personal access tokens are in continued use.

When does it need to get done?

At the latest, this should be done before 2022-08-31.

I have questions/concerns about this

Please contact the code-scale team using Slack.

Archetypically commented 2 years ago

Quick audit reveals no PATs in use here; looks like my automation cast too-broad of a net.