🪣
Bitbucket Server PAT Generator
🤝
Introduction
Bitbucket Server (nee Stash) can hand out Personal Access Tokens (PAT) to be used in-place of user+password authentication.
When machine (rather than human) access to Stash is required, ideally it should be via short-lived credentials. This GitHub Action will take user+password credentials, and use them to generate a PAT. Your GitHub Actions workflow should then use the PAT whenever authenticating to Stash.
Wait. What?
Why would you use a PAT if you have a user+password already?
Ideally this GitHub Action is used in conjunction with Hashicorp Vault, which will automatically rotate the Stash user's password (e.g. using the AD secrets engine). This means during an execution of a (relatively long running) GitHub Actions workflow, the password could change from the value originally obtained from Vault.
Obtaining a PAT allows us to avoid this issue, since the PAT will not be rotated (or used again).
Not perfect
This isn't the perfect way to go about getting a PAT from Stash for GitHub Actions when Vault is in the mix. The ideal solution is to create a new Vault secrets engine that would connect to Stash directly and generate the PAT. This would simplify the implementation on the GitHub Actions side, since you could just use the Hashicorp Vault Action.
We have chosen not to create a new Vault secrets engine, as we could deliver this GitHub Action more quickly and simply (as opposed to creating, building, publishing and installing a Vault plugin).
📄
Use
⌨️
Example
- name: Get creds from Vault
id: vault
uses: hashicorp/[email protected]
with:
url: https://vault.example.org/
method: jwt
exportEnv: false
secrets: |
ad/creds/svc_github_stash username | username ;
ad/creds/svc_github_stash current_password | password
- name: Get PAT for Stash
id: stash
uses: reecetech/[email protected]
with:
base_url: https://stash.example.org/
username: ${{ steps.vault.outputs.username }}
password: ${{ steps.vault.outputs.password }}
- name: Clone repo from Stash
uses: reecetech/[email protected]
with:
url: https://stash.example.com/scm/example/repo.git
username: ${{ steps.vault.outputs.username }}
password: ${{ steps.stash.outputs.pat }}
📥
Inputs
| name | description | required | default |
|---|
📤
Outputs
| name | description |
|---|---|
| username | The username to connect to Stash |
| pat | The personal access token to use to connect to Stash |
| pat_id | The ID of the PAT which can be used to revoke the token |
🚧
Limitations
Currently the Action will only generate PATs with REPO_WRITE and PROJECT_WRITE permissions. Further contributions are required to support either read-only or admin PATs.
💕
Contributing
Please raise a pull request, but note the testing tools below
pylint
pylint is used to lint the Python code
See: https://pylint.org/
1 Feb 15, 2022
5 Jan 14, 2022
14 Sep 29, 2021
104 Jan 2, 2023
61 Dec 10, 2022
5 Dec 3, 2022
23 Oct 26, 2021
7 Jan 5, 2023
4 Sep 2, 2022
0 Jul 17, 2021
13 Dec 20, 2021
30 Dec 07, 2022
1 Jan 21, 2022
4.8k Jan 06, 2023
33 Jan 03, 2023
1 Aug 30, 2022
162 Dec 21, 2022
147 Dec 15, 2022
50 Nov 24, 2022
265 Dec 28, 2022
3 Aug 07, 2021
1 Oct 28, 2022
5 Dec 20, 2022
13 Nov 12, 2022
5 Jul 21, 2022
4 Dec 23, 2021
4 Sep 02, 2022
60 Jan 03, 2023
57 Nov 04, 2022