modern authentication

[david-chenevert]

in order to use greenkeeper with lockfiles, it's required to generate a Personal Access Token.

This is not modern practice. These tokens are long lived.

It would be better to use the latest GitHub auth technology, "GitHub Applications"

[janl]

Heya David,

Thanks for the suggestion. Greenkeeper is already a GitHub Application, and uses short lived tokens for its main work. For lockfiles however, our users need to be able to put in access tokens for repos and orgs that are not the one that our Greenkeeper App is not enabled on., that’s why we went with that route.

Best Jan —

[david-chenevert]

Thanks for the reply. I'm impressed by the quick and technically on-spot answer.

Except, I don't understand the whole picture. So, sorry, I have some follow-on questions:

1. is this double-negative what you meant to say? "are not the one that our Greenkeeper App is not enabled on."

2. If we gave the greenkeeper github app access to more repos, would this issue go away for us?

3. I have no experience with Greenkeeper, and I am not a product developer. Can you point me at a document that explains the big picture?

4. If I understand correctly, the lockfile code uses a PAT because it is not integrated into the main greenkeeper application. is that right?

5. If really, truly, there is no alternative to a long lived PAT, what is best practice?

In this case, I would normally do something like:

• create a github pseudo-user named something like "bot-greenkeeper"
• a github pseudo-team named "BotGreenkeeper" (We only give privs to teams, not users. that's how we roll these days)
• give that team the necessary privs
• pull a PAT for that pseudo-user
• install it in greenkeeper-lockfile

I guess we could address the long-lived issue by rotating this PAT on a calendar schedule, say every 6 months.

Is there a better or easier way?

On Fri, May 17, 2019 at 3:19 AM Jan Lehnardt notifications@github.com wrote:

Heya David,

Thanks for the suggestion. Greenkeeper is already a GitHub Application, and uses short lived tokens for its main work. For lockfiles however, our users need to be able to put in access tokens for repos and orgs that are not the one that our Greenkeeper App is not enabled on., that’s why we went with that route.

Best Jan —

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/greenkeeperio/greenkeeper-lockfile/issues/236?email_source=notifications&email_token=AHQOUCURTXNCYYUWLJ5VITTPV2BBJA5CNFSM4HM5UGEKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVUL2LA#issuecomment-493403436, or mute the thread https://github.com/notifications/unsubscribe-auth/AHQOUCUDX3SBNTLNTRGPMOTPV2BBJANCNFSM4HM5UGEA .