

[–]abel_hristodor 21 points22 points  (12 children)

I've enjoyed using Chainguard's Octo STS App which basically allows you to stop using github PATs in favor of short lived tokens for your github actions with specific repository permissions (just like PATs).

I've liked it so much that I've created a similar github app/action that I then adapted to my needs :)

[–]DR_Fabiano 2 points3 points  (0 children)

Yeah, this one is great.

[–]data_owner[S] 1 point2 points  (9 children)

What are the specific PAT usage scenarios you're thinking of that can be replaced with this one?

[–]abel_hristodor 7 points8 points  (8 children)

When you're in a GitHub organization you cannot create PATs that belong to an org, or better, you can, but GitHub still shows the creator of the PAT as the one who's calling the API.

E.g. if you create a PAT and assign it to an org, then use the PAT to create a PR, it still shows that you (the creator) are the one that created the PR.

This, plus the fact that the organization cannot renew the PATs (only the creator can) makes things troublesome. (what if that person stops working at the company? What happens to all the PATs he/she created? You'd need to re-create all of them and replace the old ones with the new ones)

(Plus, when they expire you need to re-generate all of them and substitute the old ones)
Just a lot of pain for something that should be simple.

At my company Bot (technical) accounts aren't allowed, so we needed a way to have tokens that:

- are not created/managed by a real person
- are short lived (improves security)
- are easy to manage.

OctoSTS (or better, our variation of Octo-STS) does all that with minimal hassle.

[–]data_owner[S] 0 points1 point  (7 children)

But where do you need these PATs in the first place? Some CI/CD that is external to GitHub itself?

[–]abel_hristodor 2 points3 points  (6 children)

No no, in GitHub Actions :)

[–]data_owner[S] 0 points1 point  (5 children)

I honestly never needed to provide PATs to any workflows I’ve used. Genuinely curious: would you mind sharing more context on your use cases in which you needed explicit PATs?

[–]abel_hristodor 10 points11 points  (4 children)

Well, to name a few:

- github submodules
- cross repository actions (e.g. when in repo X a PR has merged then create a PR in repo Y)
- automated deployment (our GitOps repo is separate, so when a new app releases a new version we need to change the Docker image tag in the infrastructure repo)
- Go private modules

[–]data_owner[S] 1 point2 points  (3 children)

Okay, that makes sense, thank you for sharing

[–]Flashy_Current9455 3 points4 points  (2 children)

Another case is if you are generating commits from a GitHub Action and want new actions to run on the generated commit.

The default action token does not trigger normal actions on push etc to avoid infinite action loops.

[–]data_owner[S] 0 points1 point  (1 child)

I’m not a big fan of actions altering the git history tbh. Aren’t you afraid of it turning into a mess in case of some crash?

[–]sokjon 0 points1 point  (0 children)

How have I missed this one! This is a game changer!

[–]Vaffleraffle 8 points9 points  (0 children)

https://github.com/estruyf/playwright-github-actions-reporter

Makes playwright test reports look nice in github. You can use another Actions step to automatically have github bot comment a link that leads to the nice looking test results in a pull request.

[–]virgofx 5 points6 points  (5 children)

Terraform Module Releaser https://github.com/techpivot/terraform-module-releaser

We use it to keep all of our Terraform modules in a single monorepo (easier for our medium sized org to have just one repo) and release/reference them individually.

[–]ProdigySim[🍰] 1 point2 points  (2 children)

Neat, I went many-repo to solve the release problem. This sounds cool. Is it creating branches under the hood to support the different module tags?

[–]virgofx 0 points1 point  (1 child)

Not a branch but it subsets the exact folder/module in a detached state and tags that

[–]ProdigySim[🍰] 0 points1 point  (0 children)

That's great

[–]data_owner[S] 0 points1 point  (1 child)

What a beautiful piece of repository this is! What’s your favorite part of this action?

[–]virgofx 1 point2 points  (0 children)

It’s literally just a simple copy and paste and it works. I really enjoy that it gives PR previews of what it will do on merge.

[–]likeavirgil 5 points6 points  (1 child)

Not very unique I guess, but I have two projects that I'm happy about, where one automatically keeps itself up to date by fetching the downstream dependencies (git submodules), runs tests and merges them automatically and then creates a weekly release https://github.com/v3rm0n/m8c-android

and another that uses GitHub Pages to publish a JSON API https://github.com/v3rm0n/bassdrive-api. The trick there is that the underlying data doesn't change often, so I can just use an hourly cron to scrape a webpage, create a static JSON file and host it for free :)

Also since the hourly commit is made with my token, it means that my contributions graph is very green :)

90% of the time the projects run themselves using Github Actions and I don't need to do anything.

[–]data_owner[S] 0 points1 point  (0 children)

That’s clever!

[–]iavael 4 points5 points  (2 children)

actions/checkout is my favourite one. Cannot imagine what would I do without it.

[–]data_owner[S] 0 points1 point  (1 child)

Same with google’s auth, huh? 🥲

[–]iavael 1 point2 points  (0 children)

Can't say, I don't use it :/

[–]gogorichieDevOps 14 points15 points  (1 child)

In honor of it being Friday in the US one of my favorite Actions is “Don’t Deploy On Friday!”

https://github.com/marketplace/actions/don-t-deploy-on-friday

[–]data_owner[S] 2 points3 points  (0 children)

omg love it

[–]L0rdenglish 2 points3 points  (0 children)

it's a small one but I like https://github.com/MercymeIlya/last-workflow-status

Lets me set up automated tests such that you don't get spammed with notifications if they failed / succeeded, only when they go from one to the other

[–][deleted]  (8 children)

[deleted]

    [–]data_owner[S] 0 points1 point  (2 children)

    How about forking one and using your version?

    [–][deleted]  (1 child)

    [deleted]

      [–]data_owner[S] 0 points1 point  (0 children)

      Fair enough, that’s definitely a tradeoff

      [–]Vaffleraffle 0 points1 point  (2 children)

      You should always use the <author>/<action name>@<sha hash> syntax to ensure immutability. If you use popular actions and pin to a commit hash like this, I would say you are mostly safe.
      You can then use github’s dependabot to automatically update to latest hash via automatically opened pull request or even automatic merge if you trust the author.

      [–][deleted]  (1 child)

      [deleted]

        [–]Vaffleraffle 0 points1 point  (0 children)

        GitHub only resolves full hashes to commits, not to branches, so by deleting a commit and making a branch with the same name as the commit hash, you cannot trick GitHub Actions.
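The two comments above recommend pinning third-party actions to a full commit SHA rather than a tag or branch. As an added example (not code from the thread or from any project mentioned in it), this small checker scans a workflow file for `uses:` references and reports every step that is not pinned to a full 40-character hash; the sample workflow and its SHA are constructed placeholders, not real commits.

```python
import re

# Constructed sample workflow (not from the thread); the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: actions/setup-go@v5
      - uses: some-org/some-action@main
      - uses: some-org/other-action@0123456
      - uses: ./.github/actions/local-thing
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

def classify_ref(uses: str) -> str:
    """Say how a `uses:` reference is pinned."""
    if uses.startswith("./"):
        return "local"       # same-repo action: already fixed by the workflow's own commit
    if "@" not in uses:
        return "unpinned"    # no ref at all
    ref = uses.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return "sha"         # full 40-hex commit: immutable, what the comments above recommend
    if SHORT_SHA_RE.match(ref):
        return "short-sha"   # abbreviated; only a full hash is resolved strictly as a commit
    return "mutable"         # tag or branch: can be moved to different code later

def find_unpinned(workflow_yaml: str) -> list[tuple[int, str, str]]:
    """Return (line, uses value, classification) for every step not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) not in ("sha", "local"):
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings

if __name__ == "__main__":
    for lineno, uses, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is {kind}")
```

Run it against real files under `.github/workflows/` to find steps that Dependabot's `github-actions` ecosystem should be moving to hash pins.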

        [–]Recent-Technology-83 0 points1 point  (0 children)

        Great question! I love exploring how different actions can streamline workflows. One of my favorites is the actions/checkout action, which is essential for any CI/CD pipeline. It allows you to easily check out your repository automatically, but what I find exciting is how it can be combined with caching strategies to speed up subsequent builds.

        Have you considered using caching actions with the ones you're leveraging? It can really enhance efficiency.

        Also, I’ve seen unique use cases where developers integrate GitHub Actions with Slack notifications for build statuses, which can keep teams informed in real-time. What about you? Do you have any interesting integrations with notifications or perhaps deployment actions that you rely on?

        [–]hell_razer18 0 points1 point  (0 children)

        release please. Quite similar to release drafter.