Secure CI/CD with GitHub Apps Short Lived Tokens

DevOpsWithYoge
4 min read · Mar 28, 2024


This blog explains the difference between PATs and GitHub App short-lived tokens, which make pipelines more secure, and gives a step-by-step guide to creating a GitHub App and using it in a GitHub Actions pipeline.

Contents

  • What is PAT and when to use
  • What is GitHub App and when to use
  • Important points while configuring GitHub App
  • Simple use case
  • Sample pipeline

Tokens are an alternative to passwords: a token acts on behalf of the user who created it. GitHub offers several security features to restrict which users can access an account; Personal Access Tokens (PATs) and GitHub Apps are two of them.

What is a PAT and when to use it?

PAT stands for Personal Access Token. PATs come in two types:

  • Fine grained (recommended): these tokens are scoped to the specific selections the user is granted, such as particular repositories, and they carry an expiration date.
  • Classic: these tokens are less secure, since they are not scoped to a specific organization or repository.

Steps to create PAT 👇

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens

Usage scenarios

  • You can consider using a PAT for users who need to access the packages you host in GitHub Packages.
  • You can use a PAT for a user login to clone repositories.
  • If you want to integrate a GitHub repository with an Azure DevOps pipeline, you can use this token with repo:admin permissions.
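The practical difference between the two token families shows up when a credential ends up in CI output: a leaked classic PAT stays valid until someone revokes it, while a leaked installation token dies on its own within the hour. The scanner below is an added example (not from the original post) that flags GitHub credentials in log lines by their public prefix and reports whether the exposed token is short-lived; the log lines and token values are constructed dummies.

```python
"""Flag GitHub credentials in CI output and say which kind they are (added example)."""
import re
from typing import List, Tuple

# Public GitHub token prefixes. Only installation tokens (ghs_) are short-lived
# by design; the others live until revoked or until their configured expiry.
TOKEN_KINDS = {
    "ghp_": "classic PAT (long-lived unless an expiry was set)",
    "github_pat_": "fine-grained PAT (expiry chosen at creation)",
    "gho_": "OAuth app user token (long-lived)",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App installation token (expires after one hour)",
}
SHORT_LIVED = {"ghs_"}

# Fine-grained PATs are github_pat_ + 22 chars + "_" + 59 chars; the ghX_ family
# is a 4-char prefix followed by 36 characters.
TOKEN_RE = re.compile(r"\b(github_pat_[A-Za-z0-9_]{22,}|gh[posu]_[A-Za-z0-9]{36,})")


def classify(token: str) -> Tuple[str, str]:
    """Return (prefix, human-readable kind) for a matched token."""
    for prefix, kind in TOKEN_KINDS.items():
        if token.startswith(prefix):
            return prefix, kind
    return "", "unknown"


def scan_log(lines: List[str]) -> List[dict]:
    """Find tokens in log lines; report them masked so the finding itself
    does not re-leak the credential."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(1)
            prefix, kind = classify(token)
            findings.append({
                "line": line_no,
                "kind": kind,
                "short_lived": prefix in SHORT_LIVED,
                "masked": prefix + "..." + token[-4:],
            })
    return findings


# Constructed sample log lines; the tokens are dummies, not real credentials.
SAMPLE_LOG = [
    "remote: Cloning with token ghp_" + "A" * 36,
    "::debug::using ghs_" + "B" * 32 + "Z9y8",
    "Run actions/checkout@v4",
    "curl -H 'Authorization: Bearer github_pat_" + "C" * 22 + "_" + "D" * 59 + "'",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        lifetime = "short-lived" if finding["short_lived"] else "LONG-LIVED, revoke now"
        print(f"line {finding['line']}: {finding['masked']} -> {finding['kind']} [{lifetime}]")
```

Run it over the captured output of a job (or wire it into a log post-processing step); any long-lived finding is a credential that needs rotating, whereas a `ghs_` finding is a short exposure window but still worth investigating.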

What is a GitHub App and when to use it?

GitHub Apps are usually created at the organization level, with preset permissions at the organization, repository and account level.

Once an app is created it has to be installed at the organization level, where its access can be set to either all repositories or only selected repositories.

With GitHub Apps it is easy for a senior DevOps architect to control token access in a granular manner, which results in more secure deployments.

Usage scenarios

  • You generate the GitHub App private key and store it, together with the App ID, as organization secrets. The CI/CD pipeline then uses them to generate a short-lived token that exists only while the pipeline is running, for example to trigger dependent pipelines in other repositories or to push changes within the same repository or to other repositories. One such example is discussed below.
  • It can be used to generate tokens for code coverage analyzers such as DeepSource, or for security scanning tools.
  • GitHub Apps can automate release management workflows by integrating with tools like ReleaseHub or Octopus Deploy.

Steps to create GitHub App 👇

https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps

🚨 Important points while configuring GitHub App 🚨

  1. If you are unsure about the Homepage URL / Organization URL, you can use https://github.com/<github_organization_name>
  2. Make sure the Active checkbox is unchecked. Activate it only if you want to connect to third-party tools such as JIRA.
  3. Generate a private key and download the PEM file to your local machine.
  4. If you plan to keep APP_ID and APP_PRIVATE_KEY as organization-level secrets, then in the permissions make sure you have selected Secrets with read-only permission.
  5. For repository permissions, consider the following:

     • Actions — read and write
     • Code scanning alerts — read and write
     • Contents — read and write
     • Workflows — read and write
     • Pull Requests — read and write
     • Commit status — read and write
     • Events — read only

Simple use case: using the GitHub App in a pipeline

Sample pipeline:

```yaml
name: Checkout Repository Code
on:
  workflow_dispatch:
    inputs:
      organization:
        description: 'github organization name'
        required: true
        type: string
# APP_ID and APP_PRIVATE_KEY are declared as organization-level secrets.
# They are available to the workflow as secrets.APP_ID and secrets.APP_PRIVATE_KEY
# without being declared here: workflow_dispatch accepts only inputs (a secrets
# block is valid only under workflow_call and makes this file fail validation).

jobs:
  auto-documentation:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash

    steps:
      # Exchange the app's private key for a short-lived installation token
      - name: Get Token
        id: get_actions_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ secrets.APP_ID }}
          application_private_key: ${{ secrets.APP_PRIVATE_KEY }}
          organization: ${{ inputs.organization }}

      # Use the short-lived token instead of a PAT for the checkout
      - name: Action Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ steps.get_actions_token.outputs.token }}
```
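The Get Token step above hides the two-stage exchange that every GitHub App client performs: sign a JWT with the app's private key (valid for at most ten minutes), then trade it for an installation token that GitHub issues for one hour. The script below is an added example, not the action's code or the post's, that performs that exchange with the standard library plus the `cryptography` package for the RS256 signature. It also shows how to request a token down-scoped below the repository permissions the app was installed with (the permission list from the configuration section, mapped to the API's slugs; treating "Code scanning alerts" as `security_events` and "Commit status" as `statuses` is my assumption). The environment variable names and `my-repo` are placeholders.

```python
"""Mint a short-lived GitHub App installation token (added example, not the action's code)."""
import base64
import calendar
import json
import time
from typing import Callable, Dict, List, Optional
from urllib import request

API = "https://api.github.com"
JWT_LIFETIME = 9 * 60  # GitHub caps app JWTs at 10 minutes; 9 leaves headroom for clock skew

# The page's repository permission list mapped to access_tokens slugs
# (assumed mapping: "Code scanning alerts" -> security_events, "Commit status" -> statuses).
PAGE_PERMISSIONS: Dict[str, str] = {
    "actions": "write", "security_events": "write", "contents": "write",
    "workflows": "write", "pull_requests": "write", "statuses": "write",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def app_jwt_claims(app_id: str, now: Optional[int] = None) -> dict:
    """App-level JWT claims: issued 60s in the past to tolerate skew,
    expiring inside GitHub's 10-minute limit, issuer = App ID."""
    now = int(time.time()) if now is None else now
    return {"iat": now - 60, "exp": now + JWT_LIFETIME, "iss": str(app_id)}


def build_jwt(claims: dict, signer: Callable[[bytes], bytes]) -> str:
    """Assemble header.payload.signature; `signer` produces the RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def rsa_signer(pem: bytes) -> Callable[[bytes], bytes]:
    """RS256 signer over the APP_PRIVATE_KEY PEM (requires the `cryptography` package)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def decode_claims(jwt: str) -> dict:
    """Read the payload back without verifying it (local sanity check only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def _api(method: str, path: str, bearer: str, body: Optional[dict] = None) -> dict:
    data = None if body is None else json.dumps(body).encode()
    req = request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {bearer}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def find_installation_id(jwt: str, organization: str) -> int:
    """The same lookup the action performs for its `organization` input."""
    return _api("GET", f"/orgs/{organization}/installation", jwt)["id"]


def installation_token_request(repositories: Optional[List[str]] = None,
                               permissions: Optional[Dict[str, str]] = None) -> dict:
    """Body for POST /app/installations/{id}/access_tokens. Both fields are optional;
    supplying them narrows the token below the app's installed permissions."""
    body: dict = {}
    if repositories:
        body["repositories"] = repositories
    if permissions:
        body["permissions"] = permissions
    return body


def mint_installation_token(jwt: str, installation_id: int, **scope) -> dict:
    """Returns GitHub's response: {"token": "ghs_...", "expires_at": ..., "permissions": ...}."""
    return _api("POST", f"/app/installations/{installation_id}/access_tokens",
                jwt, installation_token_request(**scope))


def token_ttl_seconds(token_response: dict, now: Optional[int] = None) -> int:
    """Seconds until the installation token expires (GitHub issues them for one hour)."""
    expires = calendar.timegm(time.strptime(token_response["expires_at"], "%Y-%m-%dT%H:%M:%SZ"))
    now = int(time.time()) if now is None else now
    return expires - now


if __name__ == "__main__":
    import os  # placeholder variable names; set them from the organization secrets
    jwt = build_jwt(app_jwt_claims(os.environ["APP_ID"]),
                    rsa_signer(os.environ["APP_PRIVATE_KEY"].encode()))
    inst = find_installation_id(jwt, os.environ["ORGANIZATION"])
    resp = mint_installation_token(jwt, inst, repositories=["my-repo"],
                                   permissions={"contents": "write"})
    print("token valid for", token_ttl_seconds(resp), "s; permissions:", resp["permissions"])
```

Requesting only `contents: write` on one repository in the `__main__` block is deliberate: the app may be installed with everything in PAGE_PERMISSIONS, but a job that only needs to push a commit should carry a token that can do nothing else. The `token_ttl_seconds` check is what makes the "short-lived" property verifiable in a pipeline rather than assumed.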

Conclusion:

In conclusion, understanding the disparities between Personal Access Tokens (PATs) and GitHub Apps’ Short-lived Tokens is pivotal for enhancing the security of pipelines within GitHub workflows. Throughout this blog, we’ve delved into the intricacies of both authentication mechanisms. By following our comprehensive step-by-step guide on creating and implementing GitHub Apps, alongside integrating them seamlessly with GitHub Action pipelines, you’re equipped with the knowledge to fortify your development processes while ensuring robust security measures. Embracing these insights empowers teams to navigate the evolving landscape of software development with confidence, fostering a culture of efficiency, reliability, and resilience in their projects.


References:

https://support.atlassian.com/jira-cloud-administration/docs/manually-create-a-github-app/

https://github.com/peter-murray/workflow-application-token-action

https://github.com/OctopusDeploy/login

DevOpsWithYoge

An enthusiastic DevOps professional; I would like to help Azure Cloud aspirants and learners understand the areas where Azure Cloud meets the real world.