thaeli 3 days ago
Are there any additional mitigations folks are using for this? This issue is the only reason we can’t turn classic PATs off entirely. Short lifetime mandatory reauth to enterprise SSO seems to be the best available, but it’s inconvenient for the single Classic PAT we actually need.
lloeki 3 days ago | parent
Maybe:

- create a GitHub App or something that can generate transient tokens
- implement some CLI that generates a token
- login with that token
- push

See e.g.:
https://medium.com/@tiwari09abhi/github-app-token-authorizat...
https://martin.baillie.id/wrote/ephemeral-github-tokens-via-...

But I'm not even sure because GH auth system is all over the place and downright nuts in some places... e.g. a fine grained token with repo access can't curl a tarball with the usual URL, it has to use the /api, which makes tooling that constructs URLs from repo names and versions break with no recourse as soon as you disable classic PATs.
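The four steps lloeki sketches (App that mints transient tokens, a small CLI, log in, push), worked through as an added example that is not code from the thread or from either linked article. It assumes a GitHub App already exists and that its App ID, installation ID and private key are handed to the CLI via the hypothetical environment variables GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID and GITHUB_APP_PRIVATE_KEY_PATH; RS256 signing uses the `cryptography` package. The JWT shape (RS256, `iss` = App ID, `exp` at most 10 minutes out), the `/app/installations/{id}/access_tokens` endpoint and the `x-access-token` git username are GitHub's documented interface; everything else is this example's own choice.

```python
"""Mint a short-lived GitHub App installation token and push with it.

Added example, not code from the thread. Assumes an existing GitHub App and
the hypothetical env vars named in main(); needs `cryptography` for RS256.
"""
import base64
import json
import os
import subprocess
import time
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GITHUB_API = "https://api.github.com"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_app_jwt(app_id: int, sign: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """JWT that authenticates as the App itself (step 1: the thing that can mint tokens).

    `sign` must return a PKCS#1 v1.5 SHA-256 signature over the signing input.
    iat is backdated 60s for clock skew; exp stays inside GitHub's 10-minute cap.
    """
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode()
    claims = json.dumps({"iat": now - 60, "exp": now + 540, "iss": str(app_id)},
                        separators=(",", ":")).encode()
    signing_input = f"{_b64url(header)}.{_b64url(claims)}"
    return f"{signing_input}.{_b64url(sign(signing_input.encode()))}"


def decode_jwt_claims(token: str) -> dict:
    """Decode the claims segment without verifying (for a `--show-claims` debug flag)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def rs256_signer_from_pem(pem: bytes) -> Callable[[bytes], bytes]:
    """Wrap the App's private key (PEM downloaded from the App settings) as a signer."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def installation_token_request(app_jwt: str, installation_id: int,
                               repositories: List[str], permissions: Dict[str, str]) -> urllib.request.Request:
    """Exchange the App JWT for an installation token (step 2: the CLI's core call).

    Narrowing to one repository with `contents: write` is the least-privilege
    replacement for a classic PAT whose only job was `git push`.
    """
    body = json.dumps({"repositories": repositories, "permissions": permissions}).encode()
    return urllib.request.Request(
        f"{GITHUB_API}/app/installations/{installation_id}/access_tokens",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {app_jwt}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})


def mint_installation_token(req: urllib.request.Request) -> Tuple[str, str]:
    """Send the exchange request; returns (token, expires_at). Lifetime is about an hour."""
    with urllib.request.urlopen(req) as resp:  # network call, not exercised offline
        data = json.load(resp)
    return data["token"], data["expires_at"]


def git_push_command(remote: str, branch: str) -> List[str]:
    """argv for step 3+4: an inline credential helper reads the token from the
    environment, so it never appears in argv, shell history or the remote URL."""
    helper = '!f() { echo username=x-access-token; echo "password=$GH_INSTALLATION_TOKEN"; }; f'
    return ["git", "-c", f"credential.helper={helper}", "push", remote, branch]


def main() -> None:
    app_id = int(os.environ["GITHUB_APP_ID"])                      # hypothetical env var
    installation_id = int(os.environ["GITHUB_APP_INSTALLATION_ID"])  # hypothetical env var
    with open(os.environ["GITHUB_APP_PRIVATE_KEY_PATH"], "rb") as fh:  # hypothetical env var
        sign = rs256_signer_from_pem(fh.read())
    repo = os.environ.get("GITHUB_REPO", "example-repo")  # constructed default
    req = installation_token_request(build_app_jwt(app_id, sign), installation_id,
                                     [repo], {"contents": "write"})
    token, expires_at = mint_installation_token(req)
    print(f"installation token expires at {expires_at}")
    env = dict(os.environ, GH_INSTALLATION_TOKEN=token)
    subprocess.run(git_push_command("origin", "main"), env=env, check=True)


if __name__ == "__main__":
    main()
```

Because the installation token is scoped to the repositories and permissions named in the exchange and expires on its own, the blast radius of a leaked token is bounded in both space and time, which is the property a long-lived classic PAT cannot offer; the App's private key becomes the secret to protect instead, and it never leaves the machine running the CLI.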