Enable auth against GitHub in a more secure way via Yuvi's github-app-user-auth project

[consideRatio]

UPDATE: Done

The application is now installed and verified to function!

Instructions on how to use it

1. Install the GitHub application into specific github repos you wish to be able to push to. Note that if this github application has already been installed for a repo by another person with access to the repo, then you wouldn't need to do it.
2. Use github-app-auth-user in a terminal to acquire credentials Note that both your GitHub user needs permissions on the repo, and the github application needs to be "installed" on a repo, for you to modify its content.
3. Done - you can now do git push!

---

Original issue

The task of this issue as suggested by @fperez is to setup and trial @yuvipanda's new project to enable auth against GitHub in a way that doesn't risk leaking sensitive credentials to GitHub.

Initial thoughts

• Nice! This is extra relevant for example when JupyterLab --collaborative is enabling additional access to servers etc.
• I wonder if we can ensure that credentials are inaccessible/revoked as soon as our jupyter server pod is stopped as well, or a similar enhancement could be relevant.

Related

• https://github.com/berkeley-dsep-infra/datahub/issues/3167#issuecomment-1018825468
• https://github.com/yuvipanda/github-app-user-auth#readme

[fperez]

I believe that the behavior is already as you suggest - the credentials are revoked once the server is stopped.

I'm using it in my stat159 hub and so far very happy, though I've only done some early testing. But it looks like an excellent solution!

[yuvipanda]

yeah, credentials are stored in /tmp/, so when the user container goes away so does the authentication :)

[consideRatio]

Nice @yuvipanda, what you described it was supposed to do - it seems to do really well - nice!!! :tada: :heart:

@fperez it can now be used, I updated this issue's top comment with instructions!

[fperez]

Awesome, thx so much!