top | item 45047449

(no title)

awirth | 6 months ago

These tokens never expire, and there is no way for organization administrators to get them to expire (or revoke them, only the user can do that), and they are also excluded from some audit logs. This applies not just to gh cli, but also several other first party apps.

See this page for more details: https://docs.github.com/en/apps/using-github-apps/privileged...

After discussing our concerns about these tokens with our account team, we concluded the only reasonable way to enforce session lengths we're comfortable with on GitHub cloud is to require an IP allowlist with access through a VPN we control that requires SSO.

https://github.com/cli/cli/issues/5924 is a related open feature request

discuss

0xbadcafebee|6 months ago

That is crazy. See, this is what I'm talking about. It shouldn't even be possible to have services that sensitive with auth tokens that can't expire.