[18329] in athena10


Re: Fwd: [ACTION REQUIRED] Your GitHub account, athena-github-sync, will soon

daemon@ATHENA.MIT.EDU (Geoffrey Thomas)
Tue Dec 5 20:53:06 2023

Message-ID: <c89e2ade-3114-4458-813a-24c2737d200d@app.fastmail.com>
In-Reply-To: <CA+fWxRL5G-PhPvQLSQMz0k_kTmMzn7ixAg0j8EPoeTP1AFFVwQ@mail.gmail.com>
Date: Tue, 05 Dec 2023 20:51:52 -0500
From: "Geoffrey Thomas" <geofft@ldpreload.com>
To: "Lizhou Sha" <slz@mit.edu>
Cc: debathena@mit.edu

Ah, right, deploy keys can write these days, but you have to set them up per-repository, and you can't use the same SSH key for multiple repositories, which is maybe annoying. (Or maybe scriptable.)

I *think* you can create a GitHub App, store the private key on drugstore, and on each hook call, sign a JWT with that private key and use that to get a short-lived "installation access token", which you can then use as a password for git+https with username "x-access-token": https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#github-app-installation-access-tokens You can simplify this by installing a Git credential helper and pointing it at the private key. Looks like there are a few implementations of this already, e.g. https://github.com/Avinode/git-credential-github-apps and https://github.com/uw-ipd/git-credential-github-app-auth.

But that GitHub docs page also talks about machine users in the next section, so that makes it sound like it's reasonable to keep the machine user approach.

There's a handful of easy ways to do TOTP from the command line e.g. https://github.com/pyauth/pyotp so we could keep the seed on disk (on drugstore or demeter or even AFS) for whenever someone needs to log in interactively.

-- 
Geoffrey Thomas
geofft@ldpreload.com

On Tue, Dec 5, 2023, at 6:57 PM, Lizhou Sha wrote:
> I thought this is the account that is used by Debathena git repo hooks to push from local copy to GitHub. I don't think GHA is appropriate in this case.
>
> We can however explore whether we can use GitHub action to perform the pre-commit hooks for validation.
>
> OAuth token is certainly a possibility, but doesn't it still require an account to issue those tokens in the first place?
>
> I like the idea of keeping the TOTP token on the build host or the Debathena git repo host (drug-store?). We can even keep it in a KeePass database, as KeePassXC comes with built-in TOTP capabilities. (Problem: are we comfortable installing KeePassXC on the repo host and allowing X-Forwarding??? Or is there a command line thing that can do TOTP?)
>
> Best,
> Lizhou
>
> On Tue, Dec 5, 2023 at 5:19 PM Geoffrey Thomas <geofft@ldpreload.com> wrote:
>> GitHub has pretty good support these days for automation through GitHub Actions and OAuth tokens and such, without needing an actual account. What is this account doing / can we migrate it to GHA?
>>
>> -- 
>> Geoffrey Thomas
>> geofft@ldpreload.com
>>
>> On Tue, Dec 5, 2023, at 5:39 PM, Lizhou Sha wrote:
>>> What do?
>>>
>>> ---------- Forwarded message ---------
>>> From: *GitHub* <noreply@github.com>
>>> Date: Tue, Dec 5, 2023 at 2:21 PM
>>> Subject: [ACTION REQUIRED] Your GitHub account, athena-github-sync, will soon require 2FA
>>> To: Athena Github Synchronization Robot <athena-github-sync@mit.edu>
>>>
>>> Hey athena-github-sync!
>>>
>>> We're reaching out to let you know that, as announced last year, we have officially begun requiring users who contribute code on GitHub.com to have two-factor authentication (2FA) enabled.
>>>
>>> Your account meets this criteria, and you will need to enroll in 2FA within 45 days, by January 19th, 2024 at 00:00 (UTC). After this date, your access to GitHub.com will be limited until you enroll in 2FA. Enrolling is easy, and we support several options, starting with TOTP apps and text messages (SMS) and then adding on passkeys and the GitHub Mobile app.
>>>
>>> Click here to enroll in 2FA <https://github.com/settings/two_factor_authentication/setup/intro>.
>>>
>>> Making the software supply chain more secure is a team effort, and we can't do it without you. Your enrollment in 2FA is an impactful step in keeping the world's software secure. If you want to learn more about this change, please take a look at our documentation about the program <https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa>.
>>>
>>> To see this and other security events for your account, visit your account security audit log. <https://github.com/settings/security-log>
>>>
>>> If you run into problems, please contact support by visiting the GitHub support page. <https://github.com/contact>
>>>
>>> Thanks,
>>> The GitHub Team
>>>
>>> --
>>> Lizhou Sha
>>> Class of 2018
>>
>
> --
> Lizhou Sha
> Class of 2018

