I made a test app which uses github’s graphQL api. For using this api the personal access token has been placed inside the code. Now whenever I commit the code with token, I get email from github which has title: "Action needed: GitHub access token found in commit, any app using this secret may be affected".
How should I commit the personal access token in my code? Or should I never commit such tokens in the code? If not, then where should I keep these tokes? So that I can access these tokens whenever the grapQL api is called.
PS: I am creating this app using vue3 only
1
2 Answers
Never publish them on any open platform! There are many safe options, e.g. store tokens in a file that is ignored by git (but then you’ll have to make sure you manually put this file in every clone of your repository). Or you can set up an environment variable in your operating system with your token.
For your current situation, you better generate a new token and never share it. Or a less secure option would be to use some external tool that overrides git history, so that you can purge the file that contains the token from the older commits (but the Internet never forgets, it doesn’t guarantee that noone has stolen your token already). An article about how to remove something leaked to GitHub
ANSWER:
Just add some random special char in your token like:
Original token:
github_token-1234567
Change to:
github_token-123?4?5?6?7 // Add some "?"
then in your code you just remove the chars you add:
const encodedToken = 'github_token-123?4?5?6?7'
const decodedToken = token.replaceAll('?', '')
console.log(decodedToken) // here you have your token, just use as you want.
DISCLAIMER: There’s no problem on letting your personal access token public if you didn’t grant any sensitive privilegies to it.
I had to set up a github-pages with my GITHUB token for a simple demo application, and every time github detects the token, so I figured out this solution.
A more elegant solution would be encode your token to base64 then decode it, but it seems currently github is detecting base64 encoded tokens.
@AlexeyLarionov feel free to post your comment as an answer.
Mar 25, 2022 at 12:23