Hey folks! @talves asked us to sound off as to whether his approach was problematic and the answer is “not for Netlify, but maybe for you?” This article around “how to access repositories during build” shows some patterns similar to Tony’s:
That is talking about reading, but the permissions you grant at your git provider will determine if you can push or just pull; the config is identical here.
I do think you’d want to be EXTREMELY careful about committing anything giving you access to your git repo, TO your git repo - one leak of source code and people can add backdoors to your code. I and Netlify always try to keep secrets out of code. One place you can add them is in our environment variables as Tony mentions; the ones in our UI are safe from anyone who doesn’t have access to your team’s admin pages.
Since I think Tony may be writing this up in more detail, also wanted to point out a different way to approach the same problem - pushing during build - I do it using SSH keys directly and demonstrate how, here:
I don’t think the GH “native” auth tokens are so long or oddly formatted that you’d need to go to that level, so it is probably smarter to use them instead, but I always like to present a few solutions if they are available and let you survey and choose…
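The token-based variant of "push during build" sketched above, as an added example that is not code from the original post or from Netlify: the token is read only from a build environment variable (assumed here to be named `GH_TOKEN`, with `REPO_SLUG` and `PUSH_BRANCH` likewise assumed), the build aborts if that token has leaked into any file in the working tree, and the push hands the token to git through an inline credential helper so it never gets written into `.git/config` or the remote URL.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed environment variables:
#   GH_TOKEN    - GitHub token set in the Netlify UI, never committed
#   REPO_SLUG   - owner/repo to push to
#   PUSH_BRANCH - branch name to push the build's HEAD to

# Refuse to continue with an empty token instead of attempting an
# unauthenticated push that fails later with a less obvious error.
require_token() {
  [ -n "${GH_TOKEN:-}" ] || { echo "GH_TOKEN is not set" >&2; return 1; }
}

# Succeed only if the token string appears in no file under the given
# directory (default: current dir), skipping .git itself. A token that
# has been written into the tree would end up committed and pushed,
# giving write access to anyone who can read the source.
token_not_in_tree() {
  dir="${1:-.}"
  require_token || return 1
  ! find "$dir" -name .git -prune -o -type f \
      -exec grep -qF -- "$GH_TOKEN" {} \; -print | grep -q .
}

# Push HEAD to the target branch. The credential helper is defined inline
# for this single git invocation, so the token is supplied from the
# environment at push time and is not stored in git config or the URL.
# For a personal access token GitHub ignores the username field.
push_with_token() {
  require_token || return 1
  token_not_in_tree . || { echo "token found in working tree; aborting" >&2; return 1; }
  git -c credential.helper='!f() { echo username=x-access-token; echo "password=$GH_TOKEN"; }; f' \
      push "https://github.com/${REPO_SLUG}.git" "HEAD:${PUSH_BRANCH}"
}
```

Call `push_with_token` as the last step of the build command; `token_not_in_tree` can also run on its own as a pre-commit check.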