Restricting access with personal token classic on quarkusio org


Guillaume Smet

Apr 4, 2026, 7:48:18 AM (8 days ago) Apr 4
to Quarkus Development mailing list
Hi,

At the end of April, I plan to ban all access with personal access tokens (classic) to the quarkusio org.

You will have to use a fine-grained token to access the repositories under the org.
The classic ones are the legacy ones that have very flexible permissions.

So please do the switch to fine-grained tokens ASAP, and ping me if you encounter any issue when setting them up so that we can discuss the potential issues.
If you have any questions or don't know how to proceed, please also ping me.

Also, when setting up your fine-grained token:
- please only select the minimum permissions required by this token
- create one token per purpose, add a description of the usage of this token
- please don't give them access to all repositories but carefully select the ones they need access to

This helps reduce the blast radius when a token is compromised.

Thanks for your cooperation.

-- 
Guillaume
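As an added example that is not part of the thread or of the Quarkus project, the script below mechanises the two sides of the guidance above: on the developer side it spots secrets that still hold a classic PAT (GitHub's documented prefixes: `ghp_` is classic, `github_pat_` is fine-grained), and on the org side it audits a list of fine-grained token grants against the three rules (minimum permissions, one token per purpose, no all-repository access) plus a lifetime limit. The grant records are constructed sample data; their field names follow the shape of GitHub's org-level listing of fine-grained PAT grants, which is an assumption to verify against the real API response before reusing the audit on live data.

```python
# Added example for this thread (not Quarkus project code): mechanise the
# checks the guidance above implies. Token prefixes are GitHub's documented
# ones; the grant records below are CONSTRUCTED sample data whose field names
# follow GitHub's org "fine-grained PAT grants" listing (an assumption: verify
# against the real API response before reusing).
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Documented GitHub token prefixes; only github_pat_ is a fine-grained PAT.
TOKEN_KINDS = {
    "github_pat_": "fine-grained PAT",
    "ghp_": "classic PAT",
    "gho_": "OAuth app token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App installation token",
    "ghr_": "GitHub App refresh token",
}

def classify_token(token: str) -> str:
    """Identify a GitHub token type from its prefix, without calling the API."""
    for prefix, kind in TOKEN_KINDS.items():
        if token.startswith(prefix):
            return kind
    return "unknown"

def classic_tokens(secrets: dict[str, str]) -> list[str]:
    """Names of secrets holding a classic PAT, i.e. the ones to replace before the ban."""
    return sorted(name for name, value in secrets.items()
                  if classify_token(value) == "classic PAT")

MAX_LIFETIME_DAYS = 90  # the thread suggests even 7/30/90 days may be too long; tune per org

def audit_grant(grant: dict, now: datetime) -> list[str]:
    """Findings for one fine-grained PAT grant against the rules in the thread."""
    findings = []
    if grant["repository_selection"] == "all":
        findings.append("access to all repositories; select only the repos it needs")
    expires = grant.get("token_expires_at")
    if expires is None:
        findings.append("no expiration")
    elif datetime.fromisoformat(expires.replace("Z", "+00:00")) - now > timedelta(days=MAX_LIFETIME_DAYS):
        findings.append(f"expires more than {MAX_LIFETIME_DAYS} days out")
    perms = grant.get("permissions", {})
    writes = sorted(f"{p}:{level}" for p, level in perms.get("repository", {}).items()
                    if level in ("write", "admin"))
    if len(writes) > 1:
        findings.append("several write permissions (" + ", ".join(writes) + "); one token per purpose")
    if perms.get("organization"):
        findings.append("organization-level permissions granted")
    return findings

# --- constructed sample data (not real tokens or grants) -------------------
NOW = datetime(2026, 4, 4, tzinfo=timezone.utc)

SAMPLE_SECRETS = {  # placeholder values, not valid tokens
    "GH_PUSH_TAGS_TOKEN": "github_pat_EXAMPLE_FINE_GRAINED",
    "GH_RELEASE_TOKEN": "ghp_EXAMPLE_CLASSIC",
    "APP_INSTALL_TOKEN": "ghs_EXAMPLE_INSTALLATION",
}

SAMPLE_GRANTS = [
    {   # scoped the way the thread asks: one repo, one write permission, 30 days
        "id": 1, "owner": "alice", "repository_selection": "subset",
        "permissions": {"repository": {"contents": "write", "metadata": "read"}},
        "token_expires_at": "2026-05-04T00:00:00Z",
    },
    {   # the blast-radius problem: every repo, many writes, org perms, a year of life
        "id": 2, "owner": "bob", "repository_selection": "all",
        "permissions": {"repository": {"contents": "write", "pull_requests": "write",
                                       "workflows": "write"},
                        "organization": {"members": "read"}},
        "token_expires_at": "2027-04-04T00:00:00Z",
    },
]

def run_audit(grants=SAMPLE_GRANTS, now=NOW) -> dict[int, list[str]]:
    """Map grant id -> findings; an empty list means the grant follows the guidance."""
    return {g["id"]: audit_grant(g, now) for g in grants}

if __name__ == "__main__":
    print("classic PATs to replace:", classic_tokens(SAMPLE_SECRETS))
    for grant_id, findings in run_audit().items():
        print(f"grant {grant_id}:", findings or "ok")
```

The prefix check is deliberately offline: it never sends the secret anywhere, so it is safe to run in a pre-commit hook or a CI job over the secret names and values a workflow already has access to. The grant audit is what an org owner would run over the real listing after the classic-token ban, to catch fine-grained tokens that were created "with everything" because the permission names were obscure.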

Georgios Andrianakis

Apr 4, 2026, 8:07:22 AM (8 days ago) Apr 4
to Quarkus Development mailing list
+1 for this!

I think that it would be very helpful for everyone if you did a screencast so people know exactly what you mean,  as GH token creation is not trivial 

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/quarkus-dev/CALt0%2Bo_v8t9V2PfVJCjvBok6RhuuOWuAQdoiF6ee96Ng1iPyUQ%40mail.gmail.com.

Guillaume Smet

Apr 4, 2026, 8:19:22 AM (8 days ago) Apr 4
to quark...@googlegroups.com
On Sat, Apr 4, 2026 at 2:07 PM 'Georgios Andrianakis' via Quarkus Development mailing list <quark...@googlegroups.com> wrote:
+1 for this!

I think that it would be very helpful for everyone if you did a screencast so people know exactly what you mean,  as GH token creation is not trivial 

Yeah, I agree they are not and the permissions can be quite obscure at times.

I'll try to prepare something but time is scarce these days :/.

-- 
Guillaume 

Max Rydahl Andersen

Apr 4, 2026, 1:13:54 PM (8 days ago) Apr 4
to quark...@googlegroups.com, quark...@googlegroups.com
Yeah i struggle with them too. 

Can't remember which permissions are needed in special cases.

But i have learned gh cli commands exists for their creation so it’s at least possible to easily share - might be a good skill to make :)

Sent from my iPhone

On 4 Apr 2026, at 14:19, Guillaume Smet <guillau...@gmail.com> wrote:



Guillaume Smet

Apr 4, 2026, 1:32:52 PM (8 days ago) Apr 4
to quark...@googlegroups.com
On Sat, Apr 4, 2026 at 7:13 PM 'Max Rydahl Andersen' via Quarkus Development mailing list <quark...@googlegroups.com> wrote:
Yeah i struggle with them too. 

Can't remember which permissions are needed in special cases.

But i have learned gh cli commands exists for their creation so it’s at least possible to easily share - might be a good skill to make :)

Maybe let's not trust probabilistic AI to handle your permissions?

Max Rydahl Andersen

Apr 4, 2026, 2:47:27 PM (8 days ago) Apr 4
to quark...@googlegroups.com, quark...@googlegroups.com
That is not how it works though. 

By documenting what permissions are needed for various situations, you can ask and it will list the best matching options for you.

Better than not being able to find the info and just go with “create one with all permissions” as it works.  



/max 


Guillaume Smet

Apr 4, 2026, 3:28:12 PM (8 days ago) Apr 4
to quark...@googlegroups.com
On Sat, Apr 4, 2026 at 8:47 PM 'Max Rydahl Andersen' via Quarkus Development mailing list <quark...@googlegroups.com> wrote:
That is not how it works though. 

By documenting what permissions are needed for various situations, you can ask and it will list the best matching options for you.

Better than not being able to find the info and just go with “create one with all permissions” as it works.

Sure, it already can give you very good advice, analyzing your workflows and suggesting permissions.
And I'm pretty sure it can give you good suggestions of permissions.
But they need very careful reviews before thinking about applying them. To which repositories you want to give the token access...

You were talking about using the gh cli and having a skill.
That's where I draw the limit.
It's too tempting to just trust it and let it run the commands, we all know that it will happen, especially given it's doing a marvellous job most of the time.

These things are extremely sensitive and dangerous, and you need careful consideration each time you create a new token.

-- 
Guillaume

Max Rydahl Andersen

Apr 4, 2026, 6:16:19 PM (8 days ago) Apr 4
to quark...@googlegroups.com
I think you are misunderstanding how I use and suggest to use skills.


I'm not sure if the suggested limits are what we'll recommend - 7,30,90 days might be too long given the new world order. Feedback welcome.

If you run "npx skills add https://github.com/maxandersen/skills/", Claude Code and other coding agents will now guide you on how to create tokens following the advice/guidelines in that skill rather than their current generic recommendations.

FYI, there is no gh CLI API to create tokens; I thought there was one to prepare the web UI permission page, but that seems to only work for classic PATs, which we want to discourage. So this skill ends up being solely advisory:

Example after install:

  I would like to create a token that should be allowed to push tags to maxandersen/skills in my ci jobs

Skill (gh-token)
⎿ Successfully loaded skill · 3 tools allowed

Task: Push tags to maxandersen/skills from CI jobs

Minimal permission: Contents: Read and write
(tags are git refs; pushing them requires write access to contents)

---

Click to open:

Fill in these settings:

┌───────────────────┬──────────────────────────────────────────────┐
│ Field             │ Value                                        │
├───────────────────┼──────────────────────────────────────────────┤
│ Token name        │ ci-push-tags-maxandersen-skills (pre-filled) │
├───────────────────┼──────────────────────────────────────────────┤
│ Expiration        │ 90 days                                      │
├───────────────────┼──────────────────────────────────────────────┤
│ Resource owner    │ maxandersen                                  │
├───────────────────┼──────────────────────────────────────────────┤
│ Repository access │ Only selected → maxandersen/skills           │
├───────────────────┼──────────────────────────────────────────────┤
│ Permissions       │                                              │
├───────────────────┼──────────────────────────────────────────────┤
│ Contents          │ Read and write                               │
└───────────────────┴──────────────────────────────────────────────┘

(All other permissions stay "No access")

---

Store it as a repo secret

After generating, copy the token immediately (shown only once) and run:

    gh secret set GH_PUSH_TAGS_TOKEN --repo maxandersen/skills --body "<token>"

Never paste the token value into a chat or file.
If it's exposed, revoke it immediately.

---

Workflow permissions: block

Since this token is used as a secret (not GITHUB_TOKEN), the workflow permissions block is for GITHUB_TOKEN lockdown — keep it minimal:

    permissions:
      contents: read  # GITHUB_TOKEN doesn't need write; use GH_PUSH_TAGS_TOKEN for tagging

In the step that pushes tags, use:

    - name: Push tag
      env:
        GH_TOKEN: ${{ secrets.GH_PUSH_TAGS_TOKEN }}
      run: |
        git tag v1.2.3
        git push https://x-access-token:${GH_TOKEN}@github.com/maxandersen/skills.git --tags

---

For these I kept them rather generic, but we could have one in quarkus-dev/skills that is more geared towards Quarkus- and Quarkiverse-specific guidance. It could also link to more specific docs if we don't want to repeat something that exists elsewhere.

That, for me, is a good use of skills.md.

What do you think about it?



