Working on CI/CD - suggestions for following scena...
# general
Working on CI/CD - suggestions for the following scenario. We are an Azure DevOps shop. We set up kind of a shell Github team so that we could federate with Pulumi stack permissions. But I want a token for a "service account". How do I accomplish this with Pulumi/Github? Or do we create a user that's aliased to our team email, sign them up for Github, etc.? TL;DR - what accounts are y'all granting tokens to for API access?
I ended up using a personal token for CI/CD as well. Would be nice to have team-managed tokens.
Yes - creating a "bot" user for this is a pretty standard approach. That user can then be given appropriate permissions, and you can use tokens for that bot user in CI. For example, we do this ourselves. We have thought about adding "service tokens" separate from users, but these need to have most of the capabilities of users (RBAC). We'll look into this further.
Cc @colossal-beach-47527
Pretty much what Luke said. I definitely see us adding an easy way to support robot account tokens, etc. But for today the best practice is to create a CI/CD-specific access token, perhaps with a separate GitHub account (so that you can set access controls differently for that robot account than for yourself). We've also considered being able to limit the scope of resources a personal access token has access to as well. There are a lot of good features to enable in this area; it's just a matter of adding them 🙂
Appreciate the feedback - will set up a "bot" user for now