= Repository Guidelines =
== The hosting organization should have 2FA set as a requirement. ==

=== Problem: That will kick a number of members & contributors from our org. ===

Yes, that is true. These days, very few people should be unable to establish a workable 2FA, so the question is how to perform the switch in the least disruptive manner. See [[GitHub/Converting to a "2FA required policy"]] for suggestions on that.

=== Problem: That breaks some of our automation, as the app can no longer log in with just a username and password. ===

GitHub lets you generate Personal Access Tokens (aka PAT, aka API token). See the [https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token GitHub PAT] documentation for creating and using them.

Automation for sensitive apps should not rely on tokens generated from a personal account. See [[GitHub/Repository Security/Robot Accounts for Automation|further notes]] for alternative suggestions.
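As an added example (not part of the original wiki page), the audit an org owner would run before flipping the 2FA requirement: it lists members who currently lack 2FA through GitHub's member listing with <code>filter=2fa_disabled</code>, following pagination, so the switch can be planned instead of locking people out. It assumes an org-owner token in the <code>GITHUB_TOKEN</code> environment variable and the org name in <code>GITHUB_ORG</code>.

```python
"""List organization members who would be removed by a 2FA requirement.

Uses GET /orgs/{org}/members?filter=2fa_disabled (visible to org owners).
Assumed environment: GITHUB_TOKEN (owner-scoped token), GITHUB_ORG (org login).
"""
import json
import os
import re
import urllib.request
from typing import Iterable, Optional

API = "https://api.github.com"


def next_page_url(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def fetch_members_without_2fa(org: str, token: str) -> list:
    """Walk every page of members that have no 2FA enabled."""
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    found = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            found.extend(json.load(resp))
            url = next_page_url(resp.headers.get("Link"))  # None ends the loop
    return found


def report(members: Iterable[dict]) -> dict:
    """Sorted logins so successive runs can be diffed while members are contacted."""
    logins = sorted(m["login"] for m in members)
    return {"count": len(logins), "logins": logins}


if __name__ == "__main__":
    org = os.environ.get("GITHUB_ORG", "example-org")  # placeholder default
    members = fetch_members_without_2fa(org, os.environ["GITHUB_TOKEN"])
    print(json.dumps(report(members), indent=2))
```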
== Committing (or merging) to a production branch should be limited to the smallest reasonable set of people. ==

=== Problem: There is currently no way to grant a GitHub app permission to push to a "limited committers" branch. ===