GitHub access token with read-only access to private repositories

Question

I have a project with a Node dependency on a private Git repository. I need to be able to run npm install without being prompted to enter a password or allow an SSH connection, so I'm using an access token that I created on GitHub in my package.json:

  "dependencies": {
    "sass-theme": "git+https://[token]:x-oauth-basic@github.com/MyOrg/sass-theme.git#v1.0.2",
    "node-sass": "^4.5.0"
  }

This project is shared with dozens of other people, so obviously I don't want to keep my token in source control. I know I can create a read-only deployment key on GitHub, but I believe that would require other developers to import the SSH key to build the project locally.

Is it possible to create an access token that can be shared but that has read-only access to clone the repository?

Answer 1

The most straightforward way I can think of to create a token that provides read-only access to a private repo is to:

1. Have a user who has read-only access to the given private repo (and ideally, not much else)
2. As that user create a Personal Access Token with the "repo" scope

It would be best if they didn't have access to other orgs/repos, since the "repo" scope grants the user total control over any repos that user has write access to.

I know in an Enterprise solution we would do that with a System ID, but on GitHub you can instead create a Machine User .

Answer 2

Deploy keys are the way to go . By default they don't allow write access and they are scoped to the specific repository (unlike the GitHub personal access token). So you can now generate a private/public key pair, set one as read/pull only deploy key on a single repository in GitHub and use the private key in your CI.

For instance run a bash script:

eval "$(ssh-agent -s)";
ssh-add <your private deploy key>;

Now your CI has rights to access private repo's during the build.

You can add a Deploy key by going to your repository on Github and then clicking Settings > Deploy keys > Add deploy key

Answer 3

If you think it's a bad idea to put your credentials in your source code (as you should!) then you have few options:

1. Keep it hosted in a private GitHub repo but add those dozens of other people as collaborators to this repo (with read only access).

2. Keep it hosted in a private GitHub repo but owned as an organization and add those people to the organization.

3. Publish it as a private npm module.

4. Publish it in a private npm registry.

5. Include the dependency in the source code of the program that needs it.

The last one is basically like including the node_modules in the original code that uses that module so of course it's not pretty. Hosting your own npm registry is not trivial but you can automate adding users that way. Publishing private npm module is not free. Maintaining an organization full of people who should be able to access your repo is annoying.

Keep in mind one thing: if you share your credentials with more than one person, expect everyone to eventually have access to it, it's just a matter of time. The credentials could have a limited scope, it can be a read only deploy key or a machine user with restricted access, but if it is distributed it will leak eventually as it always does, especially when you share it with dozens of people. It's much better to keep a list of people who can access the code, and you can automate keeping that list up to date using the GitHub API.

I would never recommend distributing credentials in the source code of the project, no matter how limited access those credentials provide.

Answer 4

It's ugly that there are no scope for Read-only access to private repo.

What I suggest is to create a new token even with read/write as a Temporary token. Then pull/fetch the changes and delete the Token directly.

Answer 5

Apparently, GitHub has heard you and added a new beta feature called "Fine-Grained Tokens"!

https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/

"Create a fine-grained, repository-scoped token suitable for personal API use and for using Git over HTTPS"

Go to setting/developer settings/Personal Access Tokens/Fine grained token