For more information, see " Managing encrypted secrets for your codespaces."įor more information about best practices, see " Keeping your API credentials secure." Creating a fine-grained personal access token For more information, see " Encrypted secrets." You can also store your token as a Codespaces secret and run your script in Codespaces. When using a personal access token in a script, you can store your token as a secret and run your script through GitHub Actions. If these options are not possible, and you must create a personal access token, consider using another service such as the 1Password CLI to store your token securely, or 1Password's GitHub shell plugin to securely authenticate to GitHub CLI.
For more information, see " Automatic token authentication." When using a personal access token in a GitHub Actions workflow, consider whether you can use the built-in GITHUB_TOKEN instead.To access GitHub from the command line, you can use GitHub CLI or Git Credential Manager instead of creating a personal access token.Before creating a new personal access token, consider if there is a more secure method of authentication available to you: Personal access tokens are like passwords, and they share the same inherent security risks. Keeping your personal access tokens secure To provide additional security, we highly recommend adding an expiration to your personal access tokens. If you choose to use a personal access token (classic), keep in mind that it will grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account.Īs a security precaution, GitHub automatically removes personal access tokens that haven't been used in a year. For a list of REST API operations that are supported for fine-grained personal access tokens, see " Endpoints available for fine-grained personal access tokens". Some REST API operations are not available to fine-grained personal access tokens.Outside collaborators can only use personal access tokens (classic) to access organization repositories that they are a collaborator on.Only personal access tokens (classic) have write access for public repositories that are not owned by you or an organization that you are not a member of.However, some features currently will only work with personal access tokens (classic): Personal access tokens (classic) are less secure. Organization owners can require approval for any fine-grained personal access tokens that can access resources in the organization.Each token must have an expiration date.Each token is granted specific permissions, which offer more control than the scopes granted to personal access tokens (classic).Each token can only access specific repositories.Each token can only access resources owned by a single user or organization.For more information, see " Setting a personal access token policy for your organization." Fine-grained personal access tokensįine-grained personal access tokens have several security advantages over personal access tokens (classic):
Organization owners can set a policy to restrict the access of personal access tokens (classic) to their organization. GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible. GitHub currently supports two types of personal access tokens: fine-grained personal access tokens and personal access tokens (classic). For more information, see " About creating GitHub Apps." Types of personal access tokens To access resources on behalf of an organization, or for long-lived integrations, you should use a GitHub App. Personal access tokens are intended to access GitHub resources on behalf of yourself. Personal access tokens are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line. For more information, see " Keeping your personal access tokens secure." About personal access tokens Warning: Treat your access tokens like passwords.
0 kommentar(er)
