Conversation

@mpdude
Contributor

@mpdude mpdude commented Sep 24, 2025

The recent events in the NPM ecosystem reminded us all of how important it is to keep access tokens for services like GitHub, NPM etc. secure.

So, let's occupy some more screen estate and push developers to more carefully decide which kind of GitHub token is really necessary for their use case.

@mpdude
Contributor Author

mpdude commented Sep 24, 2025

Test failures seem to have other causes

@Seldaek Seldaek added this to the 2.9 milestone Sep 24, 2025
@mpdude
Contributor Author

mpdude commented Sep 24, 2025

Maybe we can additionally clarify that the private repo use case only applies when Composer needs to load data for such repositories that are configured as vcs repos?

When private repos are tracked through e.g. Satis (or probably Private Packagist?) and cloned through SSH URLs, a public-only (no-scope) token should be enough, not?

@Seldaek
Member

Seldaek commented Oct 31, 2025

> Maybe we can additionally clarify that the private repo use case only applies when Composer needs to load data for such repositories that are configured as vcs repos?
>
> When private repos are tracked through e.g. Satis (or probably Private Packagist?) and cloned through SSH URLs, a public-only (no-scope) token should be enough, not?

Yes, if you use Private Packagist and just use zip/dists, you should not need any GitHub token at all locally. For source installs then yeah, SSH should be enough. If you want to edit feel free, but otherwise I am happy to merge as is. Just let me know :)
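The rule the two comments above converge on (a scoped token is only needed when Composer must read metadata for a private repository configured as a `vcs` repository; Satis/Private Packagist dists or SSH source installs need no GitHub token) can be turned into a small audit of a project's composer.json. This is an added illustration, not Composer's own code; the sample composer.json documents and the `private_urls` parameter are constructed assumptions, since composer.json alone does not say whether a GitHub repository is private.

```python
"""Heuristic check: which GitHub token does this composer.json actually call for?"""
import json
from typing import Collection
from urllib.parse import urlparse

REPO_SCOPE = "token that can read the private repos (classic 'repo' scope)"
NO_SCOPE = "public-only token (no scopes) is enough"
NO_TOKEN = "no GitHub token needed locally"


def _is_github(url: str) -> bool:
    """True for https://github.com/..., ssh://git@github.com/... and git@github.com:... URLs."""
    if "://" in url:
        return urlparse(url).hostname == "github.com"
    # scp-style URL: user@host:path
    return url.split("@")[-1].split(":")[0] == "github.com"


def github_vcs_urls(composer_json: str) -> list[str]:
    """URLs of repositories Composer would read through the GitHub API (type vcs/git)."""
    repos = json.loads(composer_json).get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    return [r["url"] for r in repos
            if isinstance(r, dict) and r.get("type") in ("vcs", "git")
            and _is_github(r.get("url", ""))]


def recommended_token(composer_json: str, private_urls: Collection[str] = ()) -> str:
    """private_urls: github.com vcs URLs the caller knows to be private (assumed input)."""
    vcs = github_vcs_urls(composer_json)
    if not vcs:
        return NO_TOKEN          # only composer-type repos (Satis, Private Packagist) or none
    if any(u in private_urls for u in vcs):
        return REPO_SCOPE        # Composer must fetch private repo metadata via the API
    return NO_SCOPE              # public repos: a no-scope token only lifts the rate limit


# Constructed sample manifests
SATIS_ONLY = '{"repositories": [{"type": "composer", "url": "https://packages.example.test/"}]}'
PRIVATE_VCS = '{"repositories": [{"type": "vcs", "url": "git@github.com:acme/private-lib.git"}]}'
PUBLIC_VCS = '{"repositories": [{"type": "vcs", "url": "https://github.com/acme/public-lib"}]}'

if __name__ == "__main__":
    print(recommended_token(SATIS_ONLY))
    print(recommended_token(PRIVATE_VCS, {"git@github.com:acme/private-lib.git"}))
    print(recommended_token(PUBLIC_VCS))
```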
