Comments (9)

cpina commented on August 24, 2024 · 2

Thanks @vincerubinetti - I've just added a warning in the README. I hope that I can implement it while leaving the majority of the logic, which would be ideal. I will also refer in the README to the other action for people who are concerned :-)

from github-action-push-to-another-repository.

cpina commented on August 24, 2024 · 2

And the main branch has SSH deploy key support. I will wait a few days before tagging a new release to catch possible problems :-|

cpina commented on August 24, 2024 · 1

Thanks @vincerubinetti and also to @nikita-volkov for reminding me of the original message. I'm looking at https://github.com/leigholiver/commit-with-deploy-key and I will try implementing it using deploy keys. I accept pull requests for this if you have time before me (even without the unit tests; I've been postponing other changes for months because I don't have unit tests for the action yet).

I will also add a warning with the possible workaround.

vincerubinetti commented on August 24, 2024 · 1

I will say that I ended up using that leigholiver/commit-with-deploy-key package, and it ended up working fabulously.

I only bring up this issue here because, again, this package seems to be the "de facto" one. That is, it comes up first on Google, whereas the other package was hard to find.

It's possible you don't have to reinvent the wheel if the other package already fills that need. If you think that's the case, I agree it'd be great to put a big bold warning at the top of your README, referring people to the other package if they want tighter security/scope.

cpina commented on August 24, 2024 · 1

Closing issue (this was included in release v1.5).

nikita-volkov commented on August 24, 2024

I absolutely agree. Using personal access tokens is a major vulnerability. It virtually makes this action unusable in a team setting, because anyone with write access to the repo where the PAT is stored as a secret will be able to acquire it or even mess with all your private repos via GitHub Actions. That is why it should not be recommended in the README and there should be a big red warning instead.

Thanks for the link. I was curious whether something like that is possible!

As an alternative (hacky) solution you can create a separate GitHub account and use it solely to generate a PAT; then you can control its access at each repository. E.g., in the case of an org it can be thought of as a cross-org deployer bot, and it can even have a dedicated email and be the author of the commits that you produce with this action.

nikita-volkov commented on August 24, 2024

Actually it's an even larger security threat, which people with write access to this action can exploit.

cpina commented on August 24, 2024

New branch available: https://github.com/cpina/github-action-push-to-another-repository/tree/ssh-deploy-key, which allows using the personal access token (for backward compatibility) AND SSH keys.

I will do some more testing, hopefully tomorrow, write documentation and merge to "main" (and release next week, probably).
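A workflow fragment contrasting the two credential modes the thread discusses, added here as an example that is not from the thread or the project's README. The `with:` input names and the secret names are assumptions about the action's interface; the repository names and e-mail address are constructed placeholders.

```yaml
# Added example (not from the thread or the project's README).
# Input names under `with:` and the secret names are assumptions;
# repository names and the e-mail address are constructed placeholders.
name: Publish build output to another repository

on:
  push:
    branches: [main]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Weak configuration: a classic personal access token carries the
      # token owner's access to every repository it can reach. Anyone with
      # write access to this workflow file can read the secret from the
      # runner or point the action at a different destination, so the
      # blast radius is the whole account, not this one destination repo.
      # - name: Push with a PAT (kept only for backward compatibility)
      #   uses: cpina/github-action-push-to-another-repository@main
      #   env:
      #     API_TOKEN_GITHUB: ${{ secrets.API_TOKEN_GITHUB }}
      #   with:
      #     source-directory: output
      #     destination-github-username: example-org
      #     destination-repository-name: example-site
      #     user-email: ci-bot@example.invalid
      #     target-branch: main

      # Preferred configuration: an SSH deploy key registered with write
      # access on the destination repository only. If it leaks, the
      # exposure is limited to that single repository.
      - name: Push with an SSH deploy key
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
        with:
          source-directory: output
          destination-github-username: example-org
          destination-repository-name: example-site
          user-email: ci-bot@example.invalid
          target-branch: main
```

Generate the pair with `ssh-keygen -t ed25519`, register the public half as a deploy key with write access on the destination repository, and store the private half as the `SSH_DEPLOY_KEY` secret. Rotate the key when anyone with write access to the source repository is removed from the team, since they could have read it from a workflow run.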

nikita-volkov commented on August 24, 2024

Very responsible maintenance! Thank you!
