actions / setup-dotnet

Set up your GitHub Actions workflow with a specific version of the .NET core sdk
MIT License

Github APPs Auth Tokens #416

Closed RossAFlood closed 1 year ago

RossAFlood commented 1 year ago

Description: Support for using Github APPs Auth Tokens.

Justification: I can gen a Github App Auth token, but I get a forbidden response back when trying a dotnet restore after setup. If I use the token in a curl it works fine.

Using user PATs for package write rights bleeds the access of repos between orgs and isn't considered a good practice.

What other auth methods would be available if we didn't want to use a user PAT?

IvanZosimov commented 1 year ago

Hi, @RossAFlood 👋 Thanks for the issue! I'd like to draw your attention to this part of the README.md. Instead of using PAT it's also possible to use GITHUB_TOKEN. Information about GITHUB_TOKEN you can find here, permissions for it can be found here.

RossAFlood commented 1 year ago

Thanks for getting back, @IvanZosimov. I am aware of the GITHUB_TOKEN and it works fine for pulling packages published by the repo that generates the GITHUB_TOKEN. As discussed here, it doesn't work with other packages from other repositories:

GITHUB_TOKEN to publish packages associated with the workflow repository. A personal access token (classic) with at least read:packages scope to install packages associated with other private repositories (which GITHUB_TOKEN can't access).

This is the issue with our projects, certain repos need to pull artifacts from other repositories.

Seems most dotnet applications of a mild architectural complexity would fall into this scenario, forcing bleed over of sensitive information outside the control of the organization. This is why we are looking for a more secure route than a machine user talked about here, especially since 2FA is going to be forced on any user making commits on 5/15/2023; we want to move away from machine users using deploy keys or PATs.

This is why we are moving to Github Apps as authentication in our CI/CD pipelines. We also tried to just use the CLI command, but that also demands a username/password and doesn't allow an auth token here.

Is it safe to assume that the PAT is the only way to restore and publish packages to the Github Package Registry for dotnet applications with this sort of dependency on artifacts from other repositories?

RossAFlood commented 1 year ago

Hi @IvanZosimov, I have found that I can give access to a specific package to specific repositories in the GPR UI. Then the GITHUB_TOKEN will have the scope to see those packages not tied to the workflow's repository.

This works out well for security purposes, as a developer would need to request the access if they don't have direct access to the GPR, and we can manage who can pull a package into what repository on a fine-grained level. This works for me, and I'm closing this issue.
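As an added illustration of the arrangement described in the comment above (this is example configuration written for this page, not a workflow from the thread or from the setup-dotnet project): the restore step authenticates to GitHub Packages with the run's own GITHUB_TOKEN, scoped down with a `permissions` block, instead of a user PAT stored as a secret. It uses the action's `source-url` input and `NUGET_AUTH_TOKEN` environment variable; the organization name `example-org`, the secret name `USER_PAT` and the .NET version are placeholders. It assumes the packages being restored have already been granted read access to this repository in the package settings, which is the step the comment describes.

```yaml
# Added example, not from the thread or the setup-dotnet repository.
# Assumptions: packages live under the org "example-org" on GitHub Packages,
# and each package has been granted read access to this repository in the
# package settings UI, so the workflow's GITHUB_TOKEN can see them.
name: build

on: [push]

# Least privilege for the run's token: read the repo and read packages.
# A publish job would need packages: write instead.
permissions:
  contents: read
  packages: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '7.0.x'   # placeholder version
          # setup-dotnet writes a NuGet.config pointing at this source and
          # takes the credential from NUGET_AUTH_TOKEN.
          source-url: https://nuget.pkg.github.com/example-org/index.json
        env:
          # Scoped, short-lived token issued to this workflow run only.
          NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Weaker alternative the thread moves away from: a user PAT held as a
          # repository secret carries that user's access across every org.
          # NUGET_AUTH_TOKEN: ${{ secrets.USER_PAT }}

      - run: dotnet restore
      - run: dotnet build --no-restore
```

If `dotnet restore` still returns 403 with this setup, the package has not been granted to the consuming repository yet; the `permissions` block does not widen what the token can see, it only restricts it.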

IvanZosimov commented 1 year ago

Thanks for the feedback, @RossAFlood! I hope your solution will be helpful for other customers.