I'm not sure why this was posted, but I assumed that it's because it's a very basic feature that's been on the roadmap for over 2 years with no progress?
Is there a new update? Has it been shipped? It doesn't look like it.
The annoying thing about those is that they force you to set an expiration date, with a maximum of one year from today.
For most of the things I need a PAT for, this is a big frustration. I want to set up things like cron jobs that access specific data from specific repos - but I really don't want to have to remember to go and grant them a new token every 365 days.
Older PATs don't have this problem, which means I'm incentivized to continue using those even though they are much less secure because they grant a wider scope.
I want unlimited expiration on finely grained tokens.
My ideal implementation would include both easy revocation and good audit logging - I want to know when the token was last used, but ideally I'd like to know what it was used for and have details of where that request came from (I guess IP address would have to do for that). That way if my token leaks I can revoke it and analyze what happened using the audit log.
I just found this roadmap item relating to this: https://github.com/github/roadmap/issues/599 - "Fine-grained PAT expiry policies for organizations"
It talks about letting organizations set a policy saying "no token lasts more than X months" - I'd love it if this could expand to "... or set a policy that says unlimited tokens are allowed", since then I could set that for my own organizations and stop complaining about this!