Automatically Rotating GitHub Tokens (So You Don’t Have To)

We encountered a problem that lives in the gap between two tried-and-true GitHub authentication methods: personal access tokens and built-in authentication. Our solution? Build a system to automatically rotate GitHub access tokens. Here’s how we did it and how you can do it too.

Evan Lee
13 min readadvanced
--
View Original

Overview

The article discusses the challenges associated with using GitHub personal access tokens (PATs) and presents a solution developed by Shopify to automatically rotate these tokens. It outlines the problems with long-lived tokens, the principles guiding the solution, and the implementation process using GitHub Actions.

What You'll Learn

1

How to implement a system for automatically rotating GitHub tokens

2

Why using GitHub Apps can enhance security and reduce developer churn

3

When to use personal access tokens versus built-in authentication methods

Prerequisites & Requirements

  • Understanding of GitHub Actions and personal access tokens
  • Familiarity with GitHub Apps(optional)

Key Questions Answered

What are the limitations of GitHub's built-in authentication methods?
GitHub's built-in authentication methods, such as the GITHUB_TOKEN, cannot access external resources or trigger downstream workflows. This limitation can hinder automated workflows that require broader access, leading to the need for personal access tokens (PATs) which have their own vulnerabilities.
How does Shopify's token rotation system work?
Shopify's token rotation system uses GitHub Actions to automate the generation and rotation of tokens. It leverages GitHub Apps to create secrets, ensuring that tokens are short-lived and can be rotated without manual intervention, thus improving security and reducing developer friction.
What are the common pitfalls when implementing GitHub Actions for token rotation?
Common pitfalls include underestimating costs associated with GitHub Actions, particularly due to the billing structure based on job execution time. Additionally, reliance on the schedule trigger can lead to unreliable execution, necessitating a shift to more explicit scheduling methods.

Key Statistics & Figures

Token expiration
1 hour
Installation tokens for GitHub Apps expire after one hour, necessitating frequent rotations.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Key Actionable Insights

1
Implement a GitHub App for token management to enhance security and reduce reliance on individual developer accounts.
Using a GitHub App allows for better control over permissions and reduces the impact of developer churn, as tokens are not tied to individual users.
2
Regularly review and adjust the permissions of your GitHub App to ensure it meets the evolving needs of your workflows.
Permissions can be adjusted at any time by an organization admin, which helps maintain security while accommodating new use cases.
3
Consider the cost implications of using GitHub Actions, especially regarding billable minutes and job execution.
Understanding the billing structure can help avoid unexpected costs and encourage more efficient workflow designs.

Common Pitfalls

1
Misunderstanding the billing structure of GitHub Actions can lead to unexpected costs.
Costs are calculated based on job execution time at a minute-level granularity, which can accumulate quickly if workflows are not optimized.
2
Reliance on the schedule trigger for workflows can result in unreliable execution.
The schedule trigger is best-effort and can be affected by the load on GitHub Actions, leading to delays in workflow execution.

Related Concepts

Github Actions
Github Apps
Personal Access Tokens
CI/CD Best Practices