Now we wait another five years for the ability to share deploy keys across repositories. If you have more than one project in your CI deployable app (for example a couple of internal python libraries), you can't use the same deploy keys. Their suggestion, "don't use modules, package everything in one application or use a full key". Now deploy keys can be R/O (fantastic), this limitation is double annoying.
Rather than using Deploy Keys at all it seems completely better in almost every way to create a fake GitHub user and use its account's regular SSH key. You can, using Teams, give that user read-only access to whichever repo(s) it needs access to for deployment.
I don't know about your use-case, but in my experience by far the greatest use of these keys is (as they say in the linked article) for use by continuous integration servers. Some folks tag each build (if it creates an artifact), and almost everyone tags release builds created by CI. Thus, these keys need to be R/W to push tags back up.
Fine, let's be picky. Pushing a new tag onto an existing commit is a vastly smaller privilege than being able to push objects and point branches at them.
You can have a read-write user on your CI server, but use a read-only user for any remote server where code is deployed. It's bad security policy that GitHub ever allowed deploy keys to be RW.
API access is a lot more permissive. A deploy key only have access to 1 repo, but there's no way to limit API tokens to a single repo (and by default they have access to all repos in all organizations the issuer of a token have access to).
You can't give read only Oauth access to private repos....it has to be read/write. Which means if you want to use online CI tools with those private repos....you've got to hope they don't either turn malicious, or they get hacked and have their keys copied.
Some people using manual tagging as a mechanism to communicate something to CI as you suggest, but others let CI tag successful builds. When I re-did my team's CI a few years ago I chose the latter because it creates less friction for continuous deployment -- every commit which passes the tests automatically becomes a deployable artifact with a monotonically increasing build number which can be tracked across SCM, CI, and deployment.
Heh, you've never worked with a project/product manager, have you? "Yes, ma'am, version 1b6411f has been deployed successfully. Now I just need to edit the pom and bump the version to 2e1080d"
Yep, and there was a big fat warning in the documentation saying that they had full access to the repo. Couple this with being able to be used on only a single repo - github blocks other repos from using the same key - and you may as well just make a normal github account for your deploy system and manage it that way...
It's weird that they didn't have an option to write only for tags. "CI build X"...
Yeah, one or more deployment accounts is the approach I've seen most "in the wild". Machine users[1] with tightly scoped access to a collection of repos. Access can then be managed through the relevant Read-only GitHub team.
It's ridiculous it has taken GitHub so long to provide this basic functionality. Judging by comments on this thread, it looks like a lot of people assumed the keys were already read-only. And i'm not surprised because GitHub has never made it explicitly clear in documentation and their website that the keys had full write access!
I stopped using deploy keys long ago because of the security issue and instead opted to create additional github users with read-only access for each use case.
Why did GitHub call these "deploy" keys if they had write access? Why would a deploy user need full write privileges to a repository to deploy something?
I asked Zach Holman at one of his tech talks a couple years ago and he replied (paraphrasing): "Yes read/write deploy keys are not ideal. That's why we don't ourselves use deploy keys at GitHub, and in fact we regret that the feature exists." I think he used an expression like "deploy keys are a red-headed stepchild".
I like to pride myself on never having used a clumsy phrase like that. That said, machine users were en vogue at GitHub, although maybe that's changing with more consideration being given to deploy keys nowadays.
Sorry, I believe you used a more palatable expression than that, but having a similar meaning.
Edit: and to paint a more complete picture, you pointed out in your answer that many folks were using deploy keys to promote from a development branch to the master branch. Some commenters in this thread may, like myself, just not have thought to use deploy keys for this purpose, or that others would want to.
Now we just need branch restricted keys & keys that aren't allowed to force push (both of these would make me feel a lot better about using certain 3rd party automation in combination with my github repos).
Not that I really expect that to happen anytime soon, I believe others have been asking for the above for quite some time.
I always thought that deploy keys are read-only. I can't understand why one would need a special interface to add a read-write key that is the same as any other key you add manually.
Iirc only the owner can create deploy keys, so it wasn't a feature aimed to teams either.
Not sure the best route, but the ugly route I know of is place the user in a group wich just have read-only. I am really shocked GH doesn't actually make role-based more granular. I have to add a group to a repository, and can't have the option now to add user to a repository....
