by remram 1345 days ago
Apparently they are a different kind of token (github_pat_ instead of ghp_) in a separate part of the settings. So you can't just set the permissions of your existing tokens.

An expiration date is also required for those new tokens with a max of 1 year.


That 1 year max is a non-starter for me.

I use PATs for things like a reverse proxy from CloudFlare workers to cache hits to a private repo accessed via the GH REST API. If I have to remember to rotate my keys every year, that's going to suck.

What I want for this use case is a non-expiring PAT that is Organization instead of User based and can be tied to a single repo.

> What I want for this use case is a non-expiring PAT that is Organization instead of User based and can be tied to a single repo.

Authenticating as a Github App will give you that capability.

Which is a whole other set of issues and complexity.

GitHub automatically sends an email a week before expiry.

Amazing to think that there are a number of bits of critical infrastructure that are dependent on GitHub sending an email a week before it goes offline after running just fine for a year.

God I hope people aren't building critical infrastructure off of PATs. Use an app please.

Apps won't work for all use cases.

Can't you automate the rotation?

Sure, but when does the Russian doll end? Who implements the automation? How is it tested in CI? Who watches the automation to make sure it is working? Who fixes it when it is broken once a year? What happens if I get hit by a bus or leave the company?

If GitHub could just solve the issue with a PAT that solves my use case, it seems like a far less brittle solution.

If you have an automation to update it, why would you only run it once a year? Why not once a week? Then you'd know it's broken within a week.

It doesn't end, that's why the number of developers is increasing indefinitely. The crazy thing is that it seems to work, as society has still yet to fall apart.

...or maybe society is falling apart and it's the fault of programmers. Maybe we're building an unstable web of automated abstractions supported by a decreasing number of specialists operating at the physical layers closer to reality. Maybe one day it will all collapse like the collateralized debt obligation market in 2007 and we'll be back to making websites with PHP and FTP.

> we'll be back to making websites with PHP and FTP

It stopped?

I def missed that memo.

> What happens if I get hit by a bus or leave the company?

What happens now if you get hit by a bus and the token you issued is leaked, and someone has to rotate it? I would assume you have that documented, tested, preferably automated?

What access token does that automation use?

No. Turns out there is no way to automate it. PATs require sudo mode on GH.

Thanks, turns out it's indeed impossible.
> An expiration date is also required for those new tokens with a max of 1 year.

Gah, so close, yet so far.

But I guess that makes sense for personal tokens and I really need to finally look at applications, I assume they have fine-grained ACLs in the first place?

Edit:

> The permissions available to fine-grained personal access tokens are the same permissions available to GitHub Apps, and repository targeting works the same too.

Yes, if what you have is "I need persistent, scoped access" you want an app. The fact that so many people on HN are saying "ah darn it expires" is truly frightening and I hope Github publishes a deprecation plan for PAT classic.

> The fact that so many people on HN are saying "ah darn it expires" is truly frightening

It's also completely unsurprising: it's very easy to grow a small PAT-based tool into a large PAT-based system, Apps are a significant overhead for a small tool, and the migration path is not simple.

And things get a lot worse when trying to create automation for your company, as you now need to involve the organisation owners / admins in order for them to set up and configure the GHA via a fun game of Simon Says.

Hopefully they deprecate PAT-classic so that people stop doing things the easy way with god-credentials.

Shouldn't things that expire like access tokens and certificates actually last slightly longer than these fixed calendar lengths to make renewal or rotation possible on the same day/week every year?

For example, if I generate this token on Jan 1, 2023 and it lasts 1 year, I'll now need to generate the new one around December 21st, 2023 to make sure I have some lead time to deal with issues and not wait until the last second. Now, when I rotate the second time, I need to do it around December 14th, 2024...