2
votes

There is documentation for Azure Pipelines that elaborates on what kinds of authentication can be used to access GitHub repositories: GitHub App, OAuth and Personal Access Token. (https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#github-app-authentication)

The documentation says that GitHub App authentication is the "recommended" one, but later it never really explains why this is the case... E.g. there is one interesting thing that worked with GitHub App authentication: creating a YAML pipeline where you define an ACR container resource with a "latest" trigger. With the correct ARM service connection from the YAML, Azure DevOps somehow creates a webhook for the specific ACR; however, if you use a PAT, that is not the case.

Is there an actual best practice for the authentication type? Or, generally, a good argument why one is better than the other?

1
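For reference, this is the shape of the pipeline the question describes: a GitHub repository checked out through a GitHub App service connection, plus an ACR container resource whose `latest` tag triggers a run. It is an added illustration, not YAML from the original post; the service connection names, subscription, resource group, registry and repository names are placeholders.

```yaml
# Added example (not from the original question). All names below are placeholders.
resources:
  repositories:
  - repository: app-source
    type: github
    # Name of the GitHub App based service connection (assumed name).
    endpoint: my-github-app-connection
    name: example-org/example-repo
    ref: refs/heads/main

  containers:
  - container: app-image
    type: ACR
    # ARM service connection that can read the registry (assumed name).
    azureSubscription: my-arm-service-connection
    resourceGroup: example-rg
    registry: exampleacr
    repository: example/app
    # Fire a pipeline run whenever the "latest" tag is (re)pushed.
    trigger:
      tags:
        include:
        - latest

trigger: none   # only the ACR tag push should start this pipeline

pool:
  vmImage: ubuntu-latest

steps:
- checkout: app-source
- script: |
    echo "Triggered by image tag: $(resources.container.app-image.tag)"
  displayName: Show the image tag that triggered the run
```

The `resources.container.<alias>.tag` variable is populated by Azure Pipelines on runs started by the container trigger; the `trigger: tags: include` list is what makes Azure DevOps register the webhook on the registry, which is the behaviour the question observed working only with the GitHub App connection.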

1 Answer

1
votes

A Personal Access Token and an OAuth token both link Azure Pipelines to GitHub with your user account. Your access token will be used to download the repo, and the pipeline could access the token to reach any repository your user has access to. While often convenient, it's a problem, since you may not be the only person using the integration, so others could use your credentials by changing the pipeline.

User-bound tokens also have the problem that the owner of that user account may leave the company, breaking all pipelines, or worse, requiring quite a bit of reconfiguration to make sure that user loses all the access to the repositories the pipeline has access to.

The GitHub App will allow you to configure exactly what repositories should be allowed to be accessed by Azure Pipelines. It's decoupled from your user account and the access can be limited to just the repositories you want.
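To make the risk in the answer concrete, the following pipeline shows how the checkout credential is reachable from later steps when someone edits the YAML. It is an added example, not from the answer above; the repository URL and the expectation that the credential is stored as an `http.*.extraheader` git config entry are assumptions about the checkout task's behaviour.

```yaml
# Added example (not from the original answer). Repository names are placeholders.
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- checkout: self
  # Leaves the authorization header used for the clone in the repo's .git/config
  # so that later steps can run git commands against the remote.
  persistCredentials: true

# Anyone who can change this YAML now controls where that credential is sent.
- script: |
    # Assumption: the checkout task stores the token as an extra HTTP header,
    # keyed by the server URL, in the local git config.
    git config --get-regexp 'http\..*\.extraheader'

    # git reuses that header for every repo on the same host. With a PAT or
    # OAuth token this succeeds for any repository the *user* can read;
    # with a GitHub App connection it only works for repositories the app
    # has been installed on.
    git clone https://github.com/example-org/another-private-repo.git /tmp/other
  displayName: Reuse the persisted checkout credential (demonstrates the risk)
```

The difference between the two connection types is not whether the token is visible to the pipeline but what it is allowed to reach: the GitHub App token is scoped to the repositories selected when the app was installed, while a PAT or OAuth token carries the whole user's access, which is the answer's reason for preferring the app.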