Create ephemeral, finely-scoped @github access tokens using @hashicorp Vault.
A release focused on optimizations for using the plugin at significant scale based on feedback from large enterprise deployments.
exclude_repository_metadata
.goreleaser
).github.com/martinbaillie/copiedloopvarfixer
over codeinterface{}
with any
With this release, the plugin is moving to a model where it can support multiple GitHub App installations from the one mount. It does this in v2 by moving the configuration of GitHub App installation IDs (installation_id) to request time rather than configuration time.
Users can provide the installation_id as part of ad-hoc requests to the /token endpoint but are encouraged instead to utilise the powerful Permission Sets feature to persist and abstract away the installation_id parameter from the user entirely. By creating a permission set you only need to enter the installation_id once.
For convenience and to support another use case, the token and permission set endpoints can alternatively take an org_name value instead of an installation_id. In this case, during token creation flows the plugin first performs an additional lookup (a roundtrip to your GitHub instance) against org_name to discover the current installation_id. Note that the discovered installation_id is not cached, so this extra lookup occurs every time. For high-traffic mounts or permission sets you may wish to continue setting installation_id instead of org_name.
Breaking Changes:
v2.0.0-rc.1
The plugin is moving to a model where it can support multiple GitHub App installations from the one mount. It does this in v2 by moving the configuration of GitHub App installation IDs (ins_id) to request time rather than configuration time.
Users can provide the ins_id as part of ad-hoc requests to the /token endpoint but are encouraged instead to utilise the powerful Permission Sets feature to abstract away the ins_id parameter entirely.
Breaking Changes:
v2.0.0
v1.3.0
New features:
org_name config value that can be used to discover the GitHub App installation ID from the organisation instead of providing it explicitly.
v1.2.0
New features:
repositories parameter that allows you to specify token repository constraints by name instead of ID!
v1.1.1
Bug fixes:
v1.0.0
After running this in production at $WORK for the best part of a year, I'm releasing a v1.0.0.
This version also fixes https://github.com/martinbaillie/vault-plugin-secrets-github/issues/6 and implements the requests in https://github.com/martinbaillie/vault-plugin-secrets-github/issues/9.
v1.0.0-alpha