This repository is home to Operations Engineering's tools and utilities for managing, monitoring, and optimising software development processes at the Ministry of Justice.
This repository is defined and managed in Terraform.
User Need
As a member of the operations engineering team,
I want to organise and secure the GitHub personal access tokens in the moj-operations-engineering-bot account,
so that we can reduce risks, improve clarity, and align with best practices in token management.
Value
Properly managing these tokens will significantly reduce security risks by limiting their scope and improving their traceability. It will also streamline our processes by creating a clear and efficient method for future token creation and management.
Functional Requirements:
Follow industry best practice
Prefer a Fine-grained Personal Access Token (limited to selected repositories) over a Classic token (access to all repositories)
Limit scope to a single repository and the required permissions only (principle of least privilege)
Record the organisation/repository the FG-PAT is intended for in the FG-PAT description
Acceptance Criteria:
[x] As-is map of all tokens and where they are being used -> WHAT WE'VE GOT
[x] Interim map of all tokens and where they will be used -> see the Interim Plan, which splits the work by repository.
[x] Clarity around which tokens are agreed to be classic vs fine-grained -> if a token requires Enterprise-level permissions it must be a classic token; FG-PATs are scoped to one organisation at most, see ADR-020
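As an added example (not code from this repository), the following Python check applies the rules above to a constructed token inventory: it classifies each token by its public prefix (ghp_ for classic, github_pat_ for fine-grained), flags classic tokens that have no recorded Enterprise-level permission need, and flags fine-grained tokens whose description does not name exactly one organisation/repository. The field names, sample entries and token placeholders are assumptions.

```python
import re

# Constructed sample standing in for the "as is" map of tokens.
# Token values are placeholders; only the public prefix is inspected.
TOKEN_INVENTORY = [
    {"name": "repo-sync", "token": "github_pat_PLACEHOLDER",
     "description": "ministryofjustice/operations-engineering: contents read, issues write",
     "needs_enterprise_permissions": False},
    {"name": "enterprise-audit", "token": "ghp_PLACEHOLDER",
     "description": "Enterprise audit log export",
     "needs_enterprise_permissions": True},
    {"name": "legacy-deploy", "token": "ghp_PLACEHOLDER",
     "description": "old deploy token",
     "needs_enterprise_permissions": False},
    {"name": "metrics", "token": "github_pat_PLACEHOLDER",
     "description": "metrics collector",
     "needs_enterprise_permissions": False},
    {"name": "cross-org", "token": "github_pat_PLACEHOLDER",
     "description": "ministryofjustice/a and moj-analytical-services/b",
     "needs_enterprise_permissions": False},
]

OWNER_REPO = re.compile(r"\b[\w.-]+/[\w.-]+\b")  # owner/repository pattern


def token_type(token: str) -> str:
    """Classify a GitHub PAT by its public prefix: ghp_ classic, github_pat_ fine-grained."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def audit(inventory):
    """Return {token name: [policy findings]} for the inventory; an empty list means compliant."""
    findings = {}
    for entry in inventory:
        issues = []
        kind = token_type(entry["token"])
        refs = OWNER_REPO.findall(entry["description"])
        owners = {ref.split("/")[0] for ref in refs}
        if kind == "classic" and not entry["needs_enterprise_permissions"]:
            issues.append("classic token without Enterprise-level permission need (ADR-020)")
        elif kind == "fine-grained" and not refs:
            issues.append("FG-PAT description does not record its organisation/repository")
        elif kind == "fine-grained" and len(owners) > 1:
            issues.append("FG-PAT description spans more than one organisation")
        elif kind == "unknown":
            issues.append("unrecognised token format")
        findings[entry["name"]] = issues
    return findings
```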
Notes:
Proposal here