github personal-access-token

Using GitHub personal access token on a public website


I have a website that displays records from a database. I have set up a feedback form so if someone spots a mistake in a record, they can report it so it can be set right. I use a GitHub Personal Access Token (PAT) to create a GitHub issue when the form is submitted, and then the appropriate team member is notified. It all works fine, but I have some questions:

  1. This is potentially opening up the possibility of spam issues being created. How can I catch that? I have also set up a question-answer barrier before the user can submit the form (to determine it is not a robot trying to create fake issues) but, of course, this is not foolproof.

  2. The PATs seem to expire after a certain period of time. Is there a way to generate a PAT that lasts a long time?

  3. Any other gotchas I should be aware of before I roll this out to public users?


Solution

  • The PATs seem to expire after a certain period of time. Is there a way to generate a PAT that lasts a long time?

    As documented, a PAT only expires if you selected an expiration period at its creation:

    https://docs.github.com/assets/images/help/settings/token_expiration.png

    For creating issues, make sure you have selected only the scope public_repo or repo permission on your Personal Access Token.

    Not sure about issue spam, except for reporting those when you see them.
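
The two points in the answer above (expiration and minimal scope) can be checked from the response headers GitHub returns on any authenticated REST API call. This is an added example, not part of the original answer; it assumes a classic PAT (fine-grained tokens do not report `X-OAuth-Scopes`), and the function names, sample headers and expiration date format are constructed for illustration.

```python
from datetime import datetime, timezone

# Scopes the answer names as sufficient for creating issues.
ALLOWED_SCOPES = {"public_repo", "repo"}


def parse_expiration(value):
    """Parse the token-expiration header; None means no expiry was selected."""
    if not value:
        return None
    value = value.strip()
    # Assumed formats: "YYYY-MM-DD HH:MM:SS UTC" or a numeric offset like "+0200".
    if value.endswith(" UTC"):
        parsed = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
        return parsed.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def audit_token(headers, now):
    """Summarise scope and expiry of a classic PAT from API response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    scopes = {s.strip() for s in h.get("x-oauth-scopes", "").split(",") if s.strip()}
    expires = parse_expiration(h.get("github-authentication-token-expiration"))
    return {
        "can_create_issues": bool(scopes & ALLOWED_SCOPES),
        # Anything listed here is more privilege than the feedback form needs.
        "excess_scopes": sorted(scopes - ALLOWED_SCOPES),
        "expires_at": expires,
        "days_left": None if expires is None else (expires - now).days,
    }


# Constructed sample headers, as seen with `curl -I` against the API.
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
SAMPLE_MINIMAL = {
    "X-OAuth-Scopes": "public_repo",
    "GitHub-Authentication-Token-Expiration": "2030-01-15 00:00:00 UTC",
}
SAMPLE_BROAD = {"X-OAuth-Scopes": "repo, delete_repo, admin:org"}  # no expiry header

if __name__ == "__main__":
    for name, sample in (("minimal", SAMPLE_MINIMAL), ("broad", SAMPLE_BROAD)):
        print(name, audit_token(sample, NOW))
```

Running this on a schedule against the live token gives advance notice before an expiring PAT silently breaks the feedback form, and flags a token that carries more than the issue-creation scope.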