GitHub/Repository Security/Robot Accounts for Automation
Our recommendation to mandate 2FA for all GitHub organizations means that a Personal Access Token (PAT) is required for most automation.
It is very easy to generate a PAT, and just as easy to forget about it. If a developer generated a PAT from their personal account, surprises can arise if that user later deletes the PAT.
To avoid this issue, a PAT should be generated by a service account (GitHub refers to them as “robot accounts”). The service account credentials will need to be shared, but share them with as few folks as possible. Additional recommendations include:
- do not save the PAT value anywhere outside the automation's secret storage system. It is easier to regenerate the token than manage another secret.
- use very explicit names for the PAT, to assist you in knowing all the places to update the token when the value is rotated.
If you suspect you may have such tokens already in use, you can audit your tokens with the help of a simple script. Just create a one-off task for your automation which uses the token. The output will include the GitHub login of the PAT as well as the capabilities granted via that PAT.