At the time of writing GitHub are still working on GraphQL support for the newer fine-grained access tokens, which is likely to be a significant obstacle until resolved. Even github-cli support is blocked by this.
I'm working within an organisation that's already moving to retire use of classic tokens.
Fine-grained tokens (with appropriate guidance for end users as to what permissions are needed) seem like a good fit for Trailer. My understanding is its behaviour is entirely read-only, so tokens could be much more narrowly scoped than today.
Hi @rahim and sorry for my very late response. I’m slowly starting to catch up with the backlog of Trailer issues recently.
You make a good point, but I wanted to ask, especially since clearly you’ve given this a lot of thought, if it just makes more sense to simply migrate the app to use an OAuth verification flow, so that users can log in using their credentials to each server, and Trailer can handle requesting the appropriate permissions.
Would this cover your use case as well, or is there something intrinsic in these access tokens that would justify specifically supporting them?
If the OAuth route also provides access to all the required APIs it's probably a better choice; I think I started from a place that the app was using a PAT and so would continue to.
In my particular case it's unclear what the difference in approval and admin would look like - I'm not sure what controls organization administrators have to restrict OAuth apps behind approval. I'm assuming (perhaps incorrectly) that an end user can create a PAT for anything they have permission to do themselves.
See https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/