Matt White

Matt White


Matt White


| blog
| categories
| tags
| rss

Work Around Poor Access Control: Limit GitHub Access Tokens to Specific Repos

Irrelevant Context

I recently decided to migrate my JetBrains IDE settings from their automatic settings sync over to storing the settings in a repository - with far-off hopes that it’ll be less annoying and inconsistent.

I created blank repos to store settings for GoLand, PyCharm, WebStorm, and DataGrip.

The frustrating part is that the JetBrains repo sync doesn’t seem to support SSH, so my usual auth method is out; for my IDEs to use these repos, I have to set up a GitHub personal access token for JetBrains to use - and there’s currently no built-in way to limit access tokens to specific repositories. I only want the JetBrains access token to work for the settings repositories, specifically.

The Workaround: Blank GitHub Collaborator Accounts

It’s pretty straightforward to create a GitHub account. Tada. And it may be wise to enable 2FA for good measure.

New GitHub Collaborator Account

Send the invites on your primary account

Now on each of the desired repositories, I go to Settings > Manage Access > Invite a collaborator.

Invite a collaborator

Accept the invites on your collaborator account

Actually finding these invitations in the collaborator account is far harder than it should be. Invitations are supposed to show up in GitHub notifications, but this isn’t true for me. The 2 ways that worked for me include 1) via the invitation email GitHub sends or 2) navigating to<your_account>/<your_invite_repo>/invitations directly. Obviously you need to be logged into the collaborator account.

Invitation Email

Accept Invitation on GitHub

Generate a personal access token on your collaborator account

Heading on over to Settings > Developer Settings > Personal Access Tokens, the new token is ripe for the generating.

Generate Access Token

We’re still forced to use an overly broad scope (because GitHub), but at least the token only has access to the specific repositories we set up.

Generate Access Token

Copy the plaintext token which, like us, is transient and won’t be accessible later.

Copy Access Token

And now you have your personal access token with limited repository access.

Learn by doing.