gethinode / hinode

A clean documentation and blog theme for your Hugo site based on Bootstrap 5
https://gethinode.com
MIT License

Support GitHub apps to create pull requests #1135

Open markdumay opened 3 weeks ago

markdumay commented 3 weeks ago

Problem or enhancement idea

Hinode requires a personal access token (PAT) to automatically create pull requests that trigger a release. This is used by the action that updates Hugo dependencies (e.g. .github/workflows/mod-update.yml). The default GITHUB_TOKEN does not suffice, as it cannot trigger other workflows. Although the PAT approach works, it is quite tedious to maintain for a growing number of repositories. When expired, each token has to be manually recreated and stored as a secret. In addition, having these tokens is a potential security risk, as abuse is difficult to detect.

Proposed solution

Following the advice from Peter Evans, a GitHub App can be created for the sole purpose of generating tokens for use with GitHub Actions. These tokens can be used in place of GITHUB_TOKEN or a Personal Access Token (PAT). GitHub App generated tokens are more secure than using a PAT because GitHub App access permissions can be set with finer granularity and are scoped to only repositories where the App is installed.

Alternatives

The current approach uses a personal access token (PAT) - which works - but requires more maintenance and is less secure.

vinser commented 3 weeks ago

To publish my Hinode docs site on GitHub Pages I use a slightly modified standard GitHub Actions workflow: https://github.com/vinser/flibgolite-docs/blob/master/.github/workflows/hugo.yaml

Maybe it will help.