Let's Do DevOps: Updating Your TF and Action Dependencies on GitHub Repos with Dependabot
aka, simple bash scripts rule
This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!
This article is available on LetsDoDevOps for free, please subscribe there to support my work
Hey all!
Like most GitHub Enterprise and Org admins, I feel like I've got a pretty good handle on the security of the Org. For instance, we use SSO (Single Sign-On) for our users, so if anyone leaves the Org, we disable their access to the Org code, as well as their SSH keys. This is all automated and pretty well instant, and doesn't keep me up at night.
However, there is one feature of GitHub that *does* keep me up at night: Repository Deploy Keys. Repo Deploy Keys are a really flexible feature of GitHub, which allows an SSH key to be attached to a Repo and granted direct access to the code.
That sounds great, but note a very important distinction here: the Repo Deploy Key isn't tied to any user or other identity; it's a direct key to the Repo. If someone has a copy of that key and leaves your Org, does the key stop working? Nope, they continue to have access to your code, and if the write-access box was checked, push access too.
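To make that risk visible, here is an added audit example (my own code, not from this article) that flags deploy keys with write access, keys added by accounts no longer in the Org, and keys that have gone unused. It assumes the field names returned by GitHub's `GET /repos/{owner}/{repo}/keys` endpoint (`id`, `title`, `read_only`, `added_by`, `last_used`, `created_at`); the repo data below is constructed, where a real run would feed in the output of `gh api --paginate /repos/OWNER/REPO/keys`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the deploy-key objects GitHub's API returns
# for two repos in a hypothetical "acme" org. Not real keys or repos.
SAMPLE_KEYS = {
    "acme/payments": [
        {"id": 1, "title": "ci-deploy", "read_only": True,
         "added_by": "alice", "last_used": "2024-05-01T10:00:00Z",
         "created_at": "2023-01-10T09:00:00Z"},
        {"id": 2, "title": "laptop-bob", "read_only": False,
         "added_by": "bob", "last_used": "2024-04-20T08:00:00Z",
         "created_at": "2022-06-01T00:00:00Z"},
    ],
    "acme/infra": [
        {"id": 3, "title": "old-build-box", "read_only": True,
         "added_by": "carol", "last_used": None,
         "created_at": "2021-03-15T12:00:00Z"},
    ],
}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse GitHub's ISO-8601 'Z' timestamps into aware datetimes (None stays None)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def audit_deploy_keys(keys_by_repo, current_members, now=NOW, stale_days=90):
    """Return (repo, key_id, reason) findings for risky deploy keys.

    current_members is the set of logins still in the Org (e.g. from the SSO
    directory); a key added by anyone else outlived its creator's access.
    """
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for repo, keys in keys_by_repo.items():
        for k in keys:
            if not k["read_only"]:
                findings.append((repo, k["id"], "write access"))
            if k["added_by"] not in current_members:
                findings.append((repo, k["id"], f"added by departed user {k['added_by']}"))
            # Never-used keys fall back to creation date so they still age out.
            last = _parse(k["last_used"]) or _parse(k["created_at"])
            if last < cutoff:
                findings.append((repo, k["id"], f"unused for >{stale_days} days"))
    return findings


if __name__ == "__main__":
    for finding in audit_deploy_keys(SAMPLE_KEYS, {"alice"}):
        print(finding)
```

Each finding is a key worth rotating or deleting; the "added by departed user" check is the one that catches the leaver scenario described above.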