Automation and integration authentication options for GitHub Enterprise Cloud.
GitHub Apps
GitHub Apps are the officially recommended way to integrate with GitHub. GitHub Apps are first-class actors within GitHub. A GitHub App acts on its own behalf, taking actions via the API directly using its own identity, which means you don't need to maintain a bot or service account as a separate user.
GitHub Apps can be installed directly on organizations and user accounts and granted access to specific repositories. They come with built-in webhooks and narrow, specific permissions. When you set up your GitHub App, you can select the repositories you want it to access.
Fine-Grained Personal Access Tokens
Fine-grained personal access tokens give developers granular control over the permissions and repository access they grant to a PAT. Organization administrators are in control too, with approval policies and full visibility for tokens that access organization resources.
GitHub Actions Automatic Token Authentication
GitHub provides a token that you can use to authenticate on behalf of GitHub Actions.
At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow.
Service Accounts
From a technical standpoint, a GitHub Enterprise service user account is no different from a normal user account. Like all user accounts, a service user account takes up a license seat. Service Accounts are subject to the same policies applied to user accounts.
Just like regular users, Service Accounts can be granted access through:
- Personal Access Tokens (PATs) for HTTPS authentication, provided you've assigned sufficient privileges for the action being taken.
- SSH Keys for SSH authentication.
Access Considerations:
- Service Accounts are not exempt from SAML Single Sign-On. If SAML single sign-on is enforced rather than merely enabled, service accounts without a SAML identity will be locked out. Only Outside Collaborators have the ability to bypass SAML.
- Service Accounts are not exempt from Two-Factor Authentication (2FA). Enrolling the account in 2FA is part of the initial Service Account setup.
Deploy Keys
"Deploy Keys" are SSH keys stored on your servers that grant access to a single repository. They are one of the options for automating deployment scripts, alongside SSH agent forwarding, HTTPS with OAuth tokens, and machine users.
OAuth Apps
OAuth2 is a protocol that lets external applications request authorization to private details in a user's GitHub account without accessing their password. This is preferred over Basic Authentication because tokens can be limited to specific types of data and can be revoked by users at any time.
An OAuth App uses GitHub as an identity provider to authenticate as the user who grants access to the app. This means when a user grants an OAuth App access, they grant permissions to all repositories they have access to in their account, and also to any organizations they belong to that haven't blocked third-party access.
Helpful Integrations
- workflow-application-token-action - This is a GitHub Action that can be used to get scoped, limited-access, expiring credentials for use inside GitHub Actions workflows.
- GitHub App Token - This JavaScript GitHub Action can be used to impersonate a GitHub App when the limitations of secrets.GITHUB_TOKEN are too restrictive and a personal access token is not suitable.
- gh-token - Creates an installation access token that enables a GitHub App to make authenticated API requests for the app's installation on an organization or individual account.