Replacing PAT with GitHub App

In a few weeks the GitHub account that stores my extension will be upgraded to an Enterprise account, and I’ve been instructed to start looking into how to accommodate this.

This extension is used by 200+ people at my company, but the credentials are from a PAT from one of the devs account since none of our users have GitHub access.

The move to an Enterprise account means the current PAT will no longer work and IT wants to use some alternative method. They suggested either using GITHUB_TOKEN env variable or a GitHub App

Is an installation token from a GitHub App a direct replacement for a PAT?

I’m not sure what exactly I need to do and no way to test anything until they flip the switch and break it.

I think I may need to write a script that requests a new token from the GitHub App using API and pass that into the pyrevit extend UI command, but the documentation all mentions setting up private keys that should never be shared that allow you to interact with the GitHub App.

How can I authenticate 200+ users with no GitHub account? Since the access will be scoped to only this single repository, I need to figure out how to treat it like a public repository.

1 Like

Simple answer? You can’t.
Private repos are meant to be accessed via authentication, and each user have to have an account. Period.

Simple solution? Make the repository public :wink:
Nowadays, many software houses don’t make money from the code, but from the services related to that code. And it is even truer for an AEC company!

Do you have VPN? You could spin up a local git server (such as forgejo) and set up a public repo that mirrors the github one, so that only users inside the vpn can access it without the need to authenticate.
You could also use git clone --mirror and git daemon if you want to keep things barebone, but then you’ll have to keep things in sync (if could be just a cron job that fetches from the main repo every 5 minutes).

1 Like

There is no equivalent to sharing a single personal access token except using a GitHub app?

What if we created 200 GitHub accounts and give access using a GitHub app. Will passing a app installation token instead of a personal access token work?

I suppose you should ask github support for this.

Which may respond that PAT = PERSONAL Acces Token, and shouldn’t be shared in the first place.

You’re starting from the assumption that your workaround is legit, where in fact it is a major security flaw.

I’ve instructed my colleagues (less than 200, to be honest) to create a account to access our private repos. They just need to follow the invitation link that is sent to their email when I add them to the reop/group.

I thought that using the same PAT is the recommended approach? Or are you just acknowledging that while recommended, is still a security vulnerability?

This is far for secure. what is?..
But good enough in most cases as the extension code I share does not require to be that private.

Best approach, a git server containing your code on your companies network, and do not allow external access except through VPN or local access.

Other possibility, a master machine cloning the extension folder locally from a GitHub repo (therefore, only one entry point)

@sanzoghenzo approach to get user to be invited to this repo is also better

So I’ve found a solution.

  1. I cloned repository from Github onto a shared network drive accessible over VPN or corporate network, and will pull changes from Github when I’m ready to issue a new release. So this is the single entry point as suggested.

  2. Created a bare repository and made my clone from step 1 the remote origin. These are right next to each other on the network drive.
    git init --bare --shared
    git remote add origin [clone_path]

  3. Now I can use my_extension.git as the source for installation and updates without needing Github credentials.
    pyrevit extend ui [ext_name] "file:///\\server\path\to\my_extension.git" --dest="C:\pyRevit-Master\extensions" --branch=[branch] --debug

I’m assuming there is a speed advantage associated with using a Git daemon instead of accessing over file system protocol?

VPN cuts throughput from ~900 down to around ~200 down if that when working remote, but at least we aren’t dealing with large amount of data if its just updating and not installing.

Hi @jpitts, I’m glad you solved this.

Since you will pull changes manually, why not just use git clone --mirror [github repo] and then git remote update when the new release is ready? This way you just need one folder in the network drive and one less step at each release.

I’m not a git guru (in fact, I didn’t even know that you could clone a local or network path, that’s why I suggested the daemon) but a bit of googling made me think this could be a good solution

Well it appears I was not understanding how bare clones work but thank you for for pointing me in the right direction.

It looks like a single mirrored clone is all that I need which will simplify things. I will probably put one mirror on the network drive and it will use file system protocol, but once I can get a Linux box set up with a SSD local drive then I will add another mirror there and use git-daemon

1 Like