madeofpalk 5 days ago

gh cli is such a ticking time bomb. Anything can just run `gh auth token` and get a token that probably can read + write to all your work code.

awirth 5 days ago | parent

These tokens never expire, and there is no way for organization administrators to get them to expire (or revoke them, only the user can do that), and they are also excluded from some audit logs. This applies not just to gh cli, but also several other first party apps. See this page for more details: https://docs.github.com/en/apps/using-github-apps/privileged... After discussing our concerns about these tokens with our account team, we concluded the only reasonable way to enforce session lengths we're comfortable with on GitHub cloud is to require an IP allowlist with access through a VPN we control that requires SSO. https://github.com/cli/cli/issues/5924 is a related open feature request.
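Since an org admin cannot expire these tokens, the practical defender move is to know where they sit. The script below is an added example (not from the thread, not part of gh cli): an endpoint audit that inventories tokens gh leaves on disk and classifies them by GitHub's token prefixes. It assumes gh stores its login as `oauth_token:` in `~/.config/gh/hosts.yml` and that the `gho_`/`ghp_`/`github_pat_`/`ghu_`/`ghs_` prefixes identify token kinds; secrets are printed masked, never in full.

```python
"""Inventory GitHub tokens that the gh CLI persists on an endpoint.

Assumptions (not stated in the thread): gh writes its OAuth login to
~/.config/gh/hosts.yml under `oauth_token:`, and GitHub token prefixes
identify the token kind. Output is masked so the audit never copies secrets.
"""
import os
import re
from pathlib import Path

# Prefix -> description. gho_ is the non-expiring gh login token the thread
# discusses; ghs_ installation tokens are the short-lived kind.
TOKEN_KINDS = {
    "gho_": "OAuth app token (gh CLI login, no expiry)",
    "ghp_": "classic personal access token",
    "github_pat_": "fine-grained personal access token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App installation token (short-lived)",
}
TOKEN_RE = re.compile(r"oauth_token:\s*([A-Za-z0-9_]+)")

# Constructed sample of a hosts.yml, used for the stand-alone run below.
SAMPLE_HOSTS_YML = "github.com:\n    oauth_token: gho_abcdefghijklmnop1234\n    user: alice\n"

def classify_token(token: str) -> str:
    for prefix, kind in TOKEN_KINDS.items():
        if token.startswith(prefix):
            return kind
    return "unknown token format"

def mask(token: str) -> str:
    """Prefix plus last four characters: enough to correlate, not to reuse."""
    return token[:4] + "..." + token[-4:] if len(token) > 8 else "****"

def find_stored_tokens(hosts_yml: str) -> list:
    """Line scan of hosts.yml text (no YAML dependency); returns one dict per token."""
    findings, host = [], None
    for line in hosts_yml.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            host = line.strip().rstrip(":")          # top-level key is the host
        m = TOKEN_RE.search(line)
        if m:
            tok = m.group(1)
            findings.append({"host": host, "masked": mask(tok), "kind": classify_token(tok)})
    return findings

if __name__ == "__main__":
    path = Path.home() / ".config" / "gh" / "hosts.yml"
    text = path.read_text() if path.exists() else SAMPLE_HOSTS_YML
    for f in find_stored_tokens(text):
        print(f"{f['host']}: {f['masked']}  [{f['kind']}]")
    for var in ("GH_TOKEN", "GITHUB_TOKEN"):   # env-var tokens bypass hosts.yml
        if os.environ.get(var):
            print(f"{var} set in environment: {mask(os.environ[var])}  [{classify_token(os.environ[var])}]")
```

Run it as part of an endpoint baseline; a `gho_` hit is a credential only the user can revoke, so the follow-up is a `gh auth logout` by that user rather than any org-side control.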