hpc-carpentry / hpc-carpentry.github.io

The HPC Carpentry website
http://www.hpc-carpentry.org/
MIT License

Remove use of persistent token in CI #49

Closed ocaisa closed 2 years ago

ocaisa commented 2 years ago

Some temporary changes included here to actually test this

ocaisa commented 2 years ago

Confirmed in https://github.com/hpc-carpentry/hpc-carpentry.github.io/runs/3684415263 (and the resulting branch https://github.com/hpc-carpentry/hpc-carpentry.github.io/tree/gh-pages_check) that this works as expected, reverting the changes to check this...

ocaisa commented 2 years ago

When this is merged we should also remove the gh-pages_check branch, and delete the secret that we use.

tkphd commented 2 years ago

To clarify, secrets.GITHUB_TOKEN is generated at build-time, not stored; and removing the stored secrets.JEKYLL_PAT means we have no "state" "secrets" in the repo/settings to leak?

ocaisa commented 2 years ago

@tkphd Yes, that's right: the GITHUB_TOKEN token is created with the GitHub Action and is only valid for as long as the Action runs; see https://docs.github.com/en/actions/security-guides/automatic-token-authentication for the full documentation.

If the existing secrets.JEKYLL_PAT was leaked, that token would have full write permissions to the repo.
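The change discussed in this thread, shown as an added illustration rather than the repository's actual workflow file (the job layout, the `gh-pages` push step and the `permissions` block are assumptions): the stored personal access token is replaced by the per-run `GITHUB_TOKEN`, restricted to the one write scope the deploy step needs.

```yaml
# Assumed example workflow; not the hpc-carpentry.github.io repository's own file.
name: Build and deploy site

on:
  push:
    branches: [main]

# Before: a long-lived PAT stored as a repository secret. If it leaks it
# grants full write access to the repository until someone revokes it.
#
#   - name: Push to gh-pages
#     env:
#       TOKEN: ${{ secrets.JEKYLL_PAT }}
#     run: git push "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD:gh-pages

# After: the per-run GITHUB_TOKEN, minted when the job starts and invalidated
# when it finishes. The permissions block narrows it to the single scope the
# deploy needs, so nothing stored in repository settings can leak.
permissions:
  contents: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build site
        run: bundle exec jekyll build -d _site

      - name: Push to gh-pages
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cd _site
          git init -b gh-pages
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git commit -m "Deploy site"
          git push --force "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" gh-pages
```

Pushes made with `GITHUB_TOKEN` do not trigger further workflow runs, which also stops the deploy from re-triggering its own build.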