
I'm trying to deal with the following security vs DX issue:

  • I'm working on a project where code is stored on GitHub and I have to sometimes deploy backend on a server
  • I don't want to type GitHub credentials for each pull or other operation
  • since some other team members have access to the root user, I don't want to store creds in a way others can use those to access arbitrary repo of mine (not only those of that project)

Now, as far as I know, I have 2 options to connect to GitHub from server these days:

  1. SSH: create key, add to ssh-agent, add public key to GitHub account, use git remote set-url origin git@github.com:account/repo.git

  2. PAT: create a GitHub token, use it as a password, store it via git config --global credential.helper store or git config --global credential.helper 'cache --timeout=3600' or (as the GitHub docs suggest) GitHub CLI / Git Credential Manager

The problem is, they all seem to have one of these drawbacks:

  • give root user access to all my github repos (they can simply do sudo su - username and access) or
  • require me to type some passphrase each time or
  • a mixture of the 2: caching with timeout allows not to type creds for some time, but in that period they also have unlimited access to other repos

For instance, I either protect my ssh key with a passphrase and will have to type it, or don't protect it and the access is unlimited. Using a PAT gives a bit more limited access (for instance, I can give the PAT (see 8.) access only to repo actions and not to various admin actions), but still I can't limit it to a specific repo or organisation.

Am I missing some option here? I've reviewed more or less all the answers here and here but haven't noticed any solution.

Note: I'm using SSH to do CLI operations on the server.

YakovL
  • The best way is to do this with CI/CD tools. But, is it possible to mount the server directory in your local machine? Then you can do copy and paste or something like that – Markus Meyer Jan 09 '22 at 12:55
  • @MarkusMeyer sounds reasonable, thanks for the suggestion. I think I'll look into some tutorial like [this one](https://dev.to/chathula/how-to-set-up-a-ci-cd-pipeline-for-a-node-js-app-with-github-actions-32h0) (current project does not use Kubernetes, so GitOps is not an option) – YakovL Jan 09 '22 at 14:19

1 Answer

The easiest way to deploy code for a specific repository is to use a deploy key. This is an SSH key that's associated with a repository instead of a user, and has access only to the contents of that repository. The access can be either read-only or read-write.

That article also discusses server-to-server tokens, which are like a PAT, but can be restricted to a single repository and are also a possibility in this situation.

bk2204
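As an added illustration of the deploy-key approach (this is example code, not part of the answer above or of any GitHub tooling), the following POSIX shell script generates a key pair dedicated to one repository, binds it to a per-repository SSH host alias with `IdentitiesOnly yes` so that ssh never offers the user's personal keys for that remote, and prints the remote URL to configure. The repository name `example-backend`, the account name `account`, the alias prefix `github-deploy-` and the temporary directory are constructed placeholders; the public key it prints is what gets pasted into the repository's Settings > Deploy keys page. Because the key is scoped to a single repository, anyone who reads the file (including root on that server) gains access only to that repository, which is the property the question asks for.

```shell
#!/bin/sh
# Added example: per-repository GitHub deploy key on a server.
# All names and paths here are constructed placeholders.
set -eu

# deploy_key_path SSH_DIR REPO -> private key file dedicated to REPO
deploy_key_path() {
    printf '%s/deploy_%s\n' "$1" "$2"
}

# ssh_alias REPO -> host alias used in the remote URL so ssh picks this key
ssh_alias() {
    printf 'github-deploy-%s\n' "$1"
}

# write_ssh_config CONFIG_FILE SSH_DIR REPO
# Appends a Host block that maps the alias to github.com and to this
# repository's key only. IdentitiesOnly stops ssh from also offering
# the user's other keys (e.g. those loaded in ssh-agent) to GitHub.
write_ssh_config() {
    config="$1"; ssh_dir="$2"; repo="$3"
    host_alias=$(ssh_alias "$repo")
    key=$(deploy_key_path "$ssh_dir" "$repo")
    cat >>"$config" <<EOF
Host $host_alias
    HostName github.com
    User git
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# remote_url ACCOUNT REPO -> scp-style git URL that goes through the alias
remote_url() {
    printf '%s:%s/%s.git\n' "$(ssh_alias "$2")" "$1" "$2"
}

# generate_deploy_key SSH_DIR REPO
# Creates an ed25519 key pair with no passphrase: it is scoped to one
# repository, so it can be used unattended without exposing the account.
# Prints the public key, which is what you register as the deploy key.
generate_deploy_key() {
    key=$(deploy_key_path "$1" "$2")
    ssh-keygen -q -t ed25519 -N '' -C "deploy key for $2" -f "$key"
    chmod 600 "$key"
    cat "$key.pub"
}

# Demonstration in a throwaway directory (constructed values).
demo_dir=$(mktemp -d)
write_ssh_config "$demo_dir/config" "$demo_dir" example-backend
if command -v ssh-keygen >/dev/null 2>&1; then
    echo "public key to add under Settings > Deploy keys:"
    generate_deploy_key "$demo_dir" example-backend
fi
echo "then in the clone run: git remote set-url origin $(remote_url account example-backend)"
```

In real use the config block goes into `~/.ssh/config` and the key into `~/.ssh/` of the deploying user; one Host block and one key per repository keeps each key's blast radius to that repository alone.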