I’m looking at a few different security settings for the LLVM Organization on GitHub, and I was curious if anyone is using personal access tokens to interact with the LLVM Organization.
Note that if you create a pull request using your own fork and use a personal access token to push your code, you are not accessing the LLVM Organization, just your personal account, so these security settings would not apply to this use case.
The two security options I’m researching are:
Blocking classic tokens from accessing the repository and only allowing the new fine-grained tokens.
Requiring admin approval for accessing the LLVM Organization with fine-grained tokens.
I’m going to try to gather feedback about use cases for the personal access tokens and then decide if it’s worth pursuing an RFC to turn one or both of these settings on.
I use an access token (classic). Using a token is the only way to authenticate into GH from a command line, AFAIK. I select “repo”, “workflow”, and “packages” scopes for it, which I arrived at by some trial and error.
If we were to use fine grained tokens, what are the required permissions for the usual things, i.e. create/review/merge a PR, create/comment on/close issue, etc?
I think the available permissions are the same with both classic/fine-grained tokens, they just have slightly different names. With fine-grained tokens, you would want:
contents:write
issues:write
pull requests:write
workflows:write
The advantage of the fine-grained tokens, though, is that you can scope them to a specific repo. With the classic tokens, one token with write access can be used for any repository you have access to, but with fine-grained tokens, you can create one that only has access to llvm/llvm-project.
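To make the classic-versus-fine-grained distinction concrete for anyone inventorying their own tokens, here is an added example (it is not from this thread or the LLVM project) of a small audit helper. It assumes GitHub's documented token prefixes (`ghp_` for classic, `github_pat_` for fine-grained), that the `X-OAuth-Scopes` response header lists a classic token's scopes as a comma-separated string and is absent for fine-grained tokens, and it uses the scopes named above (`repo`, `workflow`, plus `write:packages` as the package-publishing scope) as the expected allow-list; the classic-to-fine-grained mapping is taken from the permissions listed in this thread. The sample responses are constructed, not captured from GitHub.

```python
"""Audit helper for GitHub personal access tokens (constructed example)."""
from dataclasses import dataclass

CLASSIC_PREFIX = "ghp_"            # classic PAT prefix
FINE_GRAINED_PREFIX = "github_pat_"  # fine-grained PAT prefix

# Classic scopes a contributor in the thread needed (write:packages assumed
# as the concrete name behind "packages").
EXPECTED_CLASSIC_SCOPES = {"repo", "workflow", "write:packages"}
# Classic scopes that reach beyond a single repository; worth flagging.
ORG_WIDE_SCOPES = {"admin:org", "delete_repo", "admin:repo_hook",
                   "admin:org_hook", "admin:public_key"}
# Fine-grained permissions suggested in this thread for each classic scope.
FINE_GRAINED_EQUIVALENT = {
    "repo": ["contents:write", "issues:write", "pull_requests:write"],
    "workflow": ["workflows:write"],
}


def classify_token(token: str) -> str:
    """Return 'classic', 'fine-grained' or 'unknown' from the prefix only."""
    if token.startswith(FINE_GRAINED_PREFIX):
        return "fine-grained"
    if token.startswith(CLASSIC_PREFIX):
        return "classic"
    return "unknown"


def redact(token: str) -> str:
    """Never log a whole token: keep the recognised prefix and last 4 chars."""
    for prefix in (FINE_GRAINED_PREFIX, CLASSIC_PREFIX):
        if token.startswith(prefix) and len(token) > len(prefix) + 4:
            return f"{prefix}...{token[-4:]}"
    return "***"


def parse_scopes(headers: dict) -> set:
    """Parse X-OAuth-Scopes (header names matched case-insensitively)."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return {s.strip() for s in value.split(",") if s.strip()}
    return set()


@dataclass
class Finding:
    token: str        # redacted form only
    kind: str         # classic / fine-grained / unknown
    scopes: set       # scopes reported for a classic token
    excess: set       # scopes beyond the expected allow-list
    org_wide: set     # scopes that are not limited to one repository
    suggested: list   # fine-grained permissions to request instead


def audit(token: str, headers: dict) -> Finding:
    """Classify one token and compare its classic scopes to the allow-list."""
    kind = classify_token(token)
    scopes = parse_scopes(headers) if kind == "classic" else set()
    suggested = []
    for scope in sorted(scopes):
        suggested.extend(FINE_GRAINED_EQUIVALENT.get(
            scope, [f"{scope}: no fine-grained equivalent listed in thread"]))
    return Finding(redact(token), kind, scopes,
                   scopes - EXPECTED_CLASSIC_SCOPES,
                   scopes & ORG_WIDE_SCOPES, suggested)


# Constructed sample (token, response headers) pairs; not real GitHub data.
SAMPLE_RESPONSES = [
    ("ghp_EXAMPLECLASSICTOKEN0000000000000000",
     {"X-OAuth-Scopes": "repo, workflow, write:packages",
      "X-GitHub-Media-Type": "github.v3"}),
    ("ghp_EXAMPLEBROADTOKEN000000000000000000",
     {"x-oauth-scopes": "repo, admin:org, delete_repo"}),
    ("github_pat_EXAMPLEFINEGRAINED0000000000", {}),
]


def report(samples=SAMPLE_RESPONSES) -> list:
    """Audit every sample and return the findings (also printed)."""
    findings = [audit(tok, hdrs) for tok, hdrs in samples]
    for f in findings:
        flag = "REVIEW" if f.org_wide or f.excess else "ok"
        print(f"{f.token:<22} {f.kind:<12} {flag:<6} "
              f"org-wide={sorted(f.org_wide)} suggest={f.suggested}")
    return findings


if __name__ == "__main__":
    report()
```

The point the script makes is the one the thread makes in prose: a classic token's blast radius is every repository the account can reach, so scopes like `admin:org` or `delete_repo` on a token used only for llvm/llvm-project are worth a review, while a fine-grained token carries its repository scope in the token itself and reports no classic scopes at all.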