From 43dc723813dc5e99baf17e0a3d61d47290f6349f Mon Sep 17 00:00:00 2001 From: Peter Evans Date: Tue, 30 Jun 2020 16:05:44 +0900 Subject: [PATCH] Update documentation --- docs/concepts-guidelines.md | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/concepts-guidelines.md b/docs/concepts-guidelines.md index 358bd24..dc6f64b 100644 --- a/docs/concepts-guidelines.md +++ b/docs/concepts-guidelines.md @@ -15,6 +15,7 @@ This document covers terminology, how the action works, general usage guidelines - [Creating pull requests in a remote repository](#creating-pull-requests-in-a-remote-repository) - [Push using SSH (deploy keys)](#push-using-ssh-deploy-keys) - [Push pull request branches to a fork](#push-pull-request-branches-to-a-fork) + - [Authenticating with GitHub App generated tokens](#authenticating-with-github-app-generated-tokens) - [Running in a container](#running-in-a-container) - [Creating pull requests on tag push](#creating-pull-requests-on-tag-push) @@ -130,6 +131,7 @@ There are a number of workarounds with different pros and cons. - Use a `repo` scoped [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) created on an account that has write access to the repository that pull requests are being created in. This is the standard workaround and [recommended by GitHub](https://help.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token). However, the PAT cannot be scoped to a specific repository so the token becomes a very sensitive secret. If this is a concern, the PAT can instead be created for a dedicated [machine account](https://help.github.com/en/github/site-policy/github-terms-of-service#3-account-requirements) that has collaborator access to the repository. Also note that because the account that owns the PAT will be the creator of pull requests, that user account will be unable to perform actions such as request changes or approve the pull request. - Use [SSH (deploy keys)](#push-using-ssh-deploy-keys) to push the pull request branch. This is arguably more secure than using a PAT because deploy keys can be set per repository. However, this method will only trigger `on: push` workflows. - Use a [machine account that creates pull requests from its own fork](#push-pull-request-branches-to-a-fork). This is the most secure because the PAT created only grants access to the machine account's fork, not the main repository. This method will trigger `on: pull_request` workflows to run. Workflows triggered `on: push` will not run because the push event is in the fork. +- Use a [GitHub App to generate a token](#authenticating-with-github-app-generated-tokens) that can be used with this action. GitHub App generated tokens are slightly more secure than using a PAT because GitHub App access permissions can be set with finer granularity. This method will trigger both `on: push` and `on: pull_request` workflows. ### Security @@ -224,6 +226,44 @@ It will use their own fork to push code and create the pull request. request-to-parent: true ``` +### Authenticating with GitHub App generated tokens + +A GitHub App can be created for the sole purpose of generating tokens for use with GitHub actions. These tokens can be used in place of `GITHUB_TOKEN` or a [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). + +1. Create a minimal [GitHub App](https://developer.github.com/apps/building-github-apps/creating-a-github-app/), setting the following fields: + + - Set `GitHub App name`. + - Set `Homepage URL` to anything you like, such as your GitHub profile page. + - Uncheck `Active` under `Webhook`. You do not need to enter a `Webhook URL`. + - Under `Repository permissions: Contents` select `Access: Read & write`. + - Under `Repository permissions: Pull requests` select `Access: Read & write`. + +2. Create a Private key from the App settings page and store it securely. + +3. Install the App on any repository where workflows will run requiring tokens. + +4. Set secrets on your repository containing the GitHub App ID, and the private key you created in step 2. e.g. `APP_ID`, `APP_PRIVATE_KEY`. + +5. The following example workflow shows how to use [tibdex/github-app-token](https://github.com/tibdex/github-app-token) to generate a token for use with this action. + +```yaml + steps: + - uses: actions/checkout@v2 + + - uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + + # Make changes to pull request here + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v2 + with: + token: ${{ steps.generate-token.outputs.token }} +``` + ### Running in a container This action can be run inside a container by installing the action's dependencies either in the Docker image itself, or during the workflow.