🔍 Rationalising GitHub Personal Access Tokens for MOJ-Operations-Engineering-Bot

[jasonBirchall]

User Need

As a member of the operations engineering team, I want to organise and secure the GitHub personal access tokens in the moj-operations-engineering-bot account, so that we can reduce risks, improve clarity, and align with best practices in token management.

Value

Properly managing these tokens will significantly reduce security risks by limiting their scope and improving their traceability. It will also streamline our processes by creating a clear and efficient method for future token creation and management.

Functional Requirements:

• [x] Identify all existing GitHub personal access tokens associated with the moj-operations-engineering-bot account.
• [x] Develop a standardised process for creating and managing GitHub personal access tokens.
• [x] Explore the integration with the Cloud Platform's secrets-manager for secure storage and management of these tokens.
• [x] Assess and limit the scope of each existing token to minimise potential security risks as per agreed standard.
• [x] Create new or rename existing tokens to make their purpose and scope clear and understandable as per agreed standard.

Non-Functional Requirements:

• [x] Ensure the token management process is secure, following industry best practices and GitHub recommendations.
• [x] The process should be well-documented, providing clear token creation, naming, and scope definition guidelines.

Acceptance Criteria:

• [x] All existing tokens in the moj-operations-engineering-bot account are identified, scoped appropriately, and renamed for clarity.
• [x] A documented process is established for future token creation, including naming conventions and scope limitations.
• [ ] The integration with the Cloud Platform's secrets-manager for storing and managing tokens is successfully demonstrated.
• [ ] Stakeholders are informed about the new process and any changes to existing tokens.

Notes:

• Review GitHub's best practices and recommendations for creating bot tokens to ensure alignment with industry standards.
• Engage with team members who frequently use these tokens to understand their needs and ensure the new process accommodates them.

[tamsinforbes]

moj-operations-engineering-bot

[tamsinforbes]

Note on what tokens do what

[tamsinforbes]

These tickets are done for this epic Investigate moj-operations-engineering-bot tokens

Agree PAT Standards for moj-operations-engineering-bot account