paritytech / pr-custom-review

GitHub Action for complex pull request approval cases that are not currently supported by the Branch protection feature in GitHub.
MIT License

Use GitHub App token instead of $GITHUB_ACCESS_TOKEN in the server #95

Closed joao-paulo-parity closed 11 months ago

joao-paulo-parity commented 2 years ago

Generate the access token with the GitHub App instead of requiring $GITHUB_ACCESS_TOKEN in the server.

GitHub App tokens have some advantages over $GITHUB_ACCESS_TOKEN:

  1. Since they're generated on-demand, they don't need to be rotated
  2. They automatically expire after 1h, thus making them less exploitable in the case of leaks
  3. They can have fine-grained permissions
  4. It's one less secret to monitor and care about, thus simplifying the deployment procedure

mordamax commented 11 months ago

Using GHA secret instead