by latchkey 1345 days ago
That 1 year max is a non-starter for me.

I use PATs for things like a reverse proxy from CloudFlare workers to cache hits to a private repo accessed via the GH REST API. If I have to remember to rotate my keys every year, that's going to suck.

What I want for this use case is a non-expiring PAT that is Organization instead of User based and can be tied to a single repo.

3 comments

> What I want for this use case is a non-expiring PAT that is Organization instead of User based and can be tied to a single repo.

Authenticating as a GitHub App will give you that capability.

Which is a whole other set of issues and complexity.

GitHub automatically sends an email a week before expiry.

Amazing to think that there are a number of bits of critical infrastructure that are dependent on GitHub sending an email a week before it goes offline after running just fine for a year.

God I hope people aren't building critical infrastructure off of PATs. Use an app please.

Apps won't work for all use cases.

Can't you automate the rotation?

Sure, but when does the russian doll end? Who implements the automation? How is it tested in CI? Who watches the automation to make sure it is working? Who fixes it when it is broken once a year? What happens if I get hit by a bus or leave the company?

If GitHub could just solve the issue with a PAT that solves my use case, it seems like a far less brittle solution.

If you have an automation to update it, why would you only run it once a year? Why not once a week? Then you'd know it's broken within a week.

It doesn't end, that's why the number of developers is increasing indefinitely. The crazy thing is that it seems to work, as society has still yet to fall apart.

...or maybe society is falling apart and it's the fault of programmers. Maybe we're building an unstable web of automated abstractions supported by a decreasing number of specialists operating at the physical layers closer to reality. Maybe one day it will all collapse like the collateralized debt obligation market in 2007 and we'll be back to making websites with PHP and FTP.

> we'll be back to making websites with PHP and FTP

It stopped?

I def missed that memo.

> What happens if I get hit by a bus or leave the company?

What happens now if you get hit by a bus and the token you issued is leaked, and someone has to rotate it? I would assume you have that documented, tested, preferably automated?

What access token does that automation use?

No. Turns out there is no way to automate it. PATs require sudo mode on GH.

Thanks, turns out it's indeed impossible.