docs/github-app-setup.md
Lines changed: 11 additions & 5 deletions
@@ -4,7 +4,15 @@ This section goes into detail on how to use a [GitHub App](https://docs.github.c
4
4
5
5
##Why use a GitHub App?
6
6
7
-
GitHub Apps are more scalable than personal access tokens. They can be installed on multiple repositories and can be used by multiple users. They also have a higher rate limit than personal access tokens. If you are an enterprise user, or organization with a lot of repositories, you*should* use a GitHub App instead of a personal access token.
7
+
GitHub Apps are more scalable than personal access tokens. They also have a higher rate limit than personal access tokens.
8
+
9
+
##Security Considerations
10
+
11
+
Using private keys from one GitHub App across multiple repositories carries inherent risk, especially if the GitHub App has`write` permissions for repository`contents`. This is because each repository where the app is installed can use the private key to perform actions as the GitHub App on any other repository where the app is installed. Another risk is that if one repository has weak security controls and the key is exposed, all repositories that have installed the app are at risk as well. Even if the private keys are different on each repository, all private keys allow the same access and are intended for redundancy rather than segregating access.
12
+
13
+
The exact same risks apply when using a GitHub (classic) PAT with`write` permissions for repository`contents`. The difference is that the PAT is tied to a user account, and the user account is likely to have access to many more repositories than the GitHub App (making it even less secure).
14
+
15
+
The ideal approach would be to use a fine-grained personal access token (tied to a bot/service account). Each PAT would then be scoped to a single repository. This would be more secure, but would also be more cumbersome to manage at scale.
8
16
9
17
##Setting up a GitHub App
10
18
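Review bot: the new Security Considerations section describes the risks but stops short of telling the reader what to do about them, and it now contradicts the rest of the page: the deleted sentence said enterprises and large organizations *should* use a GitHub App, while the new last paragraph says the ideal approach would be a fine-grained PAT, so the page no longer gives a clear recommendation. Suggest closing the section with concrete guidance for this setup: grant the app only the permissions listed later in this document, store `PRIVATE_KEY` as a secret only in the repositories that actually run the workflow, and rotate the key if any of those repositories is compromised. Two wording points as well: "a GitHub (classic) PAT with `write` permissions for repository `contents`" mixes models, since classic PATs use scopes such as `repo` and the `contents` read/write permission is fine-grained PAT and GitHub App terminology, so either say "a classic PAT with the `repo` scope" or "a fine-grained PAT"; and "Even if the private keys are different on each repository" is confusing because private keys belong to the app, not to a repository, so reword along the lines of "Even if you generate a separate private key for each repository to use, every key grants the same access and exists for redundancy, not segregation."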
@@ -29,7 +37,7 @@ In this section, you will want to enable the following repository permissions:
29
37
- Metadata:`Read-only`
30
38
- Pull requests:`Read and write`
31
39
32
-
Also ensure that you select`Only on this account` for the installation option
40
+
Also ensure that you select`Only on this account` for the installation option.
33
41
34
42
Now you can go ahead and create your GitHub App!
35
43
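Review bot: the period fix is fine, but the instruction to select `Only on this account` still gives no reason; adding a half sentence (it stops the app from being installed on other accounts, so the private key can only act on this account's repositories) would tie the step to the new Security Considerations section instead of leaving it as an unexplained checkbox.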
@@ -53,7 +61,7 @@ You will now need to generate a private key for your GitHub App. This section wi
53
61
54
62
>Note: When you generate a private key, it will download a`.pem` file. You will need to copy the contents of this file and paste it into your secret.
55
63
56
-
Make note of your`PRIVATE_KEY` as we will use it shortly
64
+
Make note of your`PRIVATE_KEY` as we will use it shortly.
57
65
58
66
###Setting Secrets
59
67
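Review bot: beyond the added period, the note above tells the reader to paste the `.pem` contents into a secret but says nothing about the downloaded file afterwards. Suggest adding that the local `.pem` should be deleted once the secret is set, since any copy of it is the full-access credential the Security Considerations section warns about, and that if a key is ever exposed it can be revoked from the app's settings and a new one generated.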
@@ -62,8 +70,6 @@ Now that you have the values of both your `APP_ID` and `PRIVATE_KEY`, you can go
62
70
-`APP_ID`: The ID of your GitHub App
63
71
-`PRIVATE_KEY`: The private key of your GitHub App
64
72
65
-
>Note: You can also set these secrets at the organization level if you wish to run the`combine-prs` Action across multiple repositories.
66
-
67
73
##Setting up the`combine-prs` Action
68
74
69
75
Now that the GitHub App is set up and the secrets are configured, we can go ahead and set up the`combine-prs` Action.*Finally*!
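Review bot: deleting the note about organization-level secrets removes the only guidance for running `combine-prs` across multiple repositories without saying why it was removed. Since the new Security Considerations section argues that sharing one private key across many repositories widens the blast radius, state that here explicitly, e.g. "Prefer repository-level secrets; an organization-level `PRIVATE_KEY` makes the key available to every repository that can read the secret." Readers who followed the old text and already configured organization-level secrets otherwise get no hint that the recommendation changed.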