teoxoy / profile-readme-stats

Showcase your github stats on your profile README.md
https://github.com/marketplace/actions/profile-readme-stats
MIT License
245 stars 85 forks

Suggestion: Consider Using OAuth for Authentication #28

Closed rk9595 closed 3 months ago

rk9595 commented 3 months ago

Great Project!

I noticed that the project uses Personal Access Tokens (PAT) for authentication. While I understand this approach, I'm curious about the decision not to use OAuth for authentication purposes. From my perspective, OAuth could potentially offer enhanced security and a smoother user experience, especially when handling authentication on behalf of the users.

Could you share the considerations that led to choosing PAT over OAuth? Are there specific challenges or limitations with OAuth that influenced this decision?

Thanks!

teoxoy commented 3 months ago

The token is passed directly to GitHub's GraphQL API. How could OAuth be used in this case?

rk9595 commented 3 months ago

Implementing OAuth authentication would allow users to authenticate with GitHub directly, without the need for them to manually create a Personal Access Token (PAT) for the input to the action.

teoxoy commented 3 months ago

Given that this is a GitHub Action, how would the flow look?

rk9595 commented 3 months ago

It could be something like this:

  1. OAuth Application Registration: Associate the GitHub Action with a registered OAuth application on GitHub to obtain client_id and client_secret.
  2. User Consent and Authorization: Direct users to a GitHub URL to authorize the OAuth app, capturing an authorization code.
  3. Token Generation: Exchange the authorization code for an access token, during a pre-action setup step, with the token then securely stored.
  4. Secure Token Storage and Use: Store the access token in GitHub Secrets and retrieve it within the GitHub Action as needed.
  5. Token Refresh: Implement logic within the action to automatically refresh the access token before it expires.

It does add complexity, though; the PAT approach is definitely simpler.