GitHub provides OAuth2 access tokens on a per-user basis to authenticate against their API, which you use.
If I understand correctly, the token scope granularity is only on a public / private repo basis, not on a per-repo basis. That is to say, a token with the repo scope will give the token permissions on all of the private repositories a user can access, and the public_repo scope does the same for all public repos the user can access.
If a team wants to use this feature, then an individual team member's credentials must be used in the Concourse pipeline with this resource. This means that 1) other team members may have access to repos they should not and 2) when that team member rolls off, the credential must be changed.
GitHub also provides access on a per-repository basis with deployment SSH keys. It would be nice if github-release-resource could use these keys to authenticate, so that teams with multiple members do not need to put an individual team member's credentials in their Concourse pipeline.
@kopptr I suggest using a "service account" in this case. A single user that's not associated with a human. Credentials to log in as that user and change permissions should be restricted to existing GitHub admins.