zet

Whether to use GitHub PAT or SSH key pair or deployment key?

Personal access tokens and ssh key pairs are functionally equivalent. So why use one over the other?

One option is to setup personal access tokens on the account that has ownership of the private dependency:

• PATs provide granular access considerations (read-only, repo-specific, etc.)
• PAT allows for specific TTL but require regularly resetting expirations
• PATs are generated by the GitHub service requiring web GUI access

Another is to create a generic account and add it as a collaborator to the dependent repo:

• SSH keys provide open access to anything the associated GitHub account can access
• SSH keys are generally considered forever
• SSH keys require adding generic user as collaborator to dependencies
• SSH keys are generated by ssh-keygen independently

Either way, any private dependency requires that the private dependency owner explicitly grant access to the dependency. PAT requires regular re-authorization as the tokens expire, SSH does not.

Because SSH keys are associated with an external user ID (and not the ID that owns the repo) read-only access may be granted to an entire team to that generic user ID. This is by far the least problematic when dealing with “innersource” GitHub Enterprise Cloud architectures. Even better, the secret key for that user can be added as an organization key that is associated with all the repos to which that generic ID should be granted read-only access.

This site is open source. Improve this page.