Use GitHub deploy keys rather than personal access tokens
Closed this issue · 7 comments
Currently, it looks like $git_publish_key is a GitHub personal access token. This gives the CI service full access to a user's account. For improved security, it would be ideal to limit the CI service's write access to the specific repository being continuously analyzed.
Deploy keys offer this functionality:
A deploy key is an SSH key that is stored on your server and grants access to a single GitHub repository. This key is attached directly to the repository instead of to a personal user account.
As an example, see dhimmel/thinklytics@39e2ae0, where I switched from a personal access token to a deploy key.
As @gwaygenomics and I just saw, it also seems to be easy for $git_publish_key to leak into the CI log.
This means you would have to redact logs before sharing.
Agree. It should be noted that github does deactivate any keys accidentally pushed to a repository but any other way of distributing could result in the key leaking into the log.
I think Drone 0.5 offers the best solution, pushing back to github is a supported workflow. You can also mount local drives. I am working on updating the docs for this but a nice example can be seen at - https://github.com/COMBINE-lab/continuous_analysis_rnaseq
Are you going to update .travis.yml to use deploy keys? I'd be happy to submit a PR.
@dhimmel --- The variant of the pipeline I built uses Drone's git_push plugin to push the results. Drone has a notion of "secrets". There is a secret "store" that is managed by the drone command line interface. You simply add the GIT_PUSH_SSH_KEY to the store and then sign your .drone.yml file to propagate the key. You can see an example here.
Closed because I think Rob answered the question, and it’s now almost 5 months old so just cleaning. If you want to make a pull request to demonstrate that’d be great but I was afraid it’d be too complicated for the average user (and github does a good job of reducing risk by inactivating any leaky keys)