Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Switch from PAT to federated secret for pulling ghcr images #1478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 16, 2025
Merged

Switch from PAT to federated secret for pulling ghcr images #1478

merged 1 commit into from
May 16, 2025

Conversation

jeffwidman
Copy link
Member

Previously we were using a user-based PAT, but those expire every 90 days.

By switching to the federated token, it gets rotated/audited by the security team, and not something we have to maintain.

This is a public repo, so I can't link here to internal stuff, but this is blocked on an internal PR to setup the federation link.

@jeffwidman
Switch from PAT to federated secret for pulling ghcr images
cafbc38 
Previously we were using a user-based PAT, but those expire every 90
days.

By switching to the federated token, it gets rotated/audited by the
security team, and not something we have to maintain.
@Copilot Copilot AI review requested due to automatic review settings May 16, 2025 23:40
@jeffwidman jeffwidman requested a review from a team as a code owner May 16, 2025 23:40
jeffwidman
jeffwidman commented May 16, 2025
View reviewed changes
.github/dependabot.yml
type: docker-registry
url: ghcr.io
username: x
password: ${{ secrets.BASE_CONTAINER_IMAGE_READER_DEPENDABOT }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved this to the top because that's where we typically have been putting the registries key on all our files for easier skimmability...

Copilot
Copilot AI reviewed May 16, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Switch dependabot from a user PAT to a federated secret for GHCR image pulls, removing manual rotation and using the security-managed token.

  • Introduce a top-level registries block pointing at GHCR with the new federated secret
  • Remove the old inline registries section that used the PAT (DEPENDABOT_GHPR_TOKEN)
  • Update the secret reference to BASE_CONTAINER_IMAGE_READER_DEPENDABOT

@jeffwidman jeffwidman merged commit f403256 into main May 16, 2025
9 checks passed
@jeffwidman jeffwidman deleted the pull-ghcr-containers-using-federated-secret branch May 16, 2025 23:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@kbukum1 kbukum1 kbukum1 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeffwidman @kbukum1