The classic GitHub personal access tokens are not restricted to a particular set of repositories, while the new GitHub fine-grained token allows being restricted to a particular repository with specific permissions to reduce security scopes. Thus I'd request to enable fine-grained tokens for the organization.
The options for the enrollment include:

Restrict access via fine-grained personal access tokens
    By default, fine-grained personal access tokens cannot access content owned by your organization via the Public API or Git. This includes both public and private resources such as repositories.
    - Allow access via fine-grained personal access tokens: API and Git access will be allowed using approved organization members' fine-grained personal access tokens
    - Restrict access via fine-grained personal access tokens: Organization members will not be allowed to access your organization using a fine-grained personal access token

Require approval of fine-grained personal access tokens
    Access requests by organization members can be subject to review by an administrator before approval.
    - Require administrator approval: All access requests by organization members to this organization must be approved before the token is usable.
    - Do not require administrator approval: Tokens requested for this organization will work immediately, and organization members are not required to provide a justification when creating the token.

Restrict access via personal access tokens (classic)
    By default, personal access tokens (classic) can access content owned by your organization via the GitHub API or Git over HTTPS. This includes both public and private resources such as repositories.
    - Allow access via personal access tokens (classic): API and Git access will be allowed using an organization member's personal access token (classic)
    - Restrict access via personal access tokens (classic): Organization members will not be allowed to access your organization using a personal access token (classic)
I believe we have tools like @node-core/utils that already use classic personal access tokens, so they must be allowed to access the organization's resources. And given that personal access token creations and accesses do not require approval, my suggestions would be:
1) allow fine-grained tokens, 2) do not require approval, 3) allow access via classic personal access tokens.
To allow creating GitHub fine-grained personal access tokens, an organization-level enrollment must be performed at https://github.com/organizations/nodejs/settings/personal-access-tokens-onboarding.
Refs: nodejs/import-in-the-middle#123 (comment)