Enable GitHub fine-grained personal access tokens #891

@legendecas

Description

To allow creating GitHub fine-grained personal access tokens, an organization-level enrollment must be performed at https://github.com/organizations/nodejs/settings/personal-access-tokens-onboarding.

The classic GitHub personal access tokens are not restricted to a particular set of repositories, while the new GitHub fine-grained token allows being restricted to a particular repository with specific permissions to reduce security scopes. Thus I'd request to enable fine-grained tokens for the organization.

The options for the enrollment include:

  1. Restrict access via fine-grained personal access tokens
     By default, fine-grained personal access tokens cannot access content owned by your organization via the Public API or Git. This includes both public and private resources such as repositories.
     • Allow access via fine-grained personal access tokens
       API and Git access will be allowed using approved organization members' fine-grained personal access tokens.
     • Restrict access via fine-grained personal access tokens
       Organization members will not be allowed to access your organization using a fine-grained personal access token.
  2. Require approval of fine-grained personal access tokens
     Access requests by organization members can be subject to review by an administrator before approval.
     • Require administrator approval
       All access requests by organization members to this organization must be approved before the token is usable.
     • Do not require administrator approval
       Tokens requested for this organization will work immediately, and organization members are not required to provide a justification when creating the token.
  3. Restrict access via personal access tokens (classic)
     By default, personal access tokens (classic) can access content owned by your organization via the GitHub API or Git over HTTPS. This includes both public and private resources such as repositories.
     • Allow access via personal access tokens (classic)
       API and Git access will be allowed using an organization member's personal access token (classic).
     • Restrict access via personal access tokens (classic)
       Organization members will not be allowed to access your organization using a personal access token (classic).

I believe we have tools like @node-core/utils that already use classic personal access tokens, so they must be allowed to access the organization's resources. And given that personal access token creations and accesses do not require approval, my suggestions would be:

  1) allow fine-grained tokens, 2) do not require approval, 3) allow access via classic personal access tokens.

Refs: nodejs/import-in-the-middle#123 (comment)
