Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
unlock

GitHub Action

Bitbucket Server PAT Generator

2021.11.1 Pre-release

Bitbucket Server PAT Generator

unlock

Bitbucket Server PAT Generator

Generates a Bitbucket Server Personal Access Token

Installation

Copy and paste the following snippet into your .yml file.

 
              
- name: Bitbucket Server PAT Generator

              
  uses: reecetech/[email protected]
Learn more about this action in reecetech/bitbucket-server-pat-generator

Choose a version

πŸͺ£ Bitbucket Server PAT Generator

🀝 Introduction

Bitbucket Server (nee Stash) can hand out Personal Access Tokens (PAT) to be used in-place of user+password authentication.

When machine (rather than human) access to Stash is required, ideally it should be via short-lived credentials. This GitHub Action will take user+password credentials, and use them to generate a PAT. Your GitHub Actions workflow should then use the PAT whenever authenticating to Stash.

Wait. What? πŸ€”

Why would you use a PAT if you have a user+password already?

Ideally this GitHub Action is used in conjunction with Hashicorp Vault, which will automatically rotate the Stash user's password (e.g. using the AD secrets engine). This means during an execution of a (relatively long running) GitHub Actions workflow, the password could change from the value originally obtained from Vault.

Obtaining a PAT allows us to avoid this issue, since the PAT will not be rotated (or used again).

Not perfect

This isn't the perfect way to go about getting a PAT from Stash for GitHub Actions when Vault is in the mix. The ideal solution is to create a new Vault secrets engine that would connect to Stash directly and generate the PAT. This would simplify the implementation on the GitHub Actions side, since you could just use the Hashicorp Vault Action.

We have chosen not to create a new Vault secrets engine, as we could deliver this GitHub Action more quickly and simply (as opposed to creating, building, publishing and installing a Vault plugin).

πŸ“„ Use

⌨️ Example

      - name: Get creds from Vault
        id: vault
        uses: hashicorp/[email protected]
        with:
          url: https://vault.example.org/
          method: jwt
          exportEnv: false
          secrets: |
              ad/creds/svc_github_stash username | username ;
              ad/creds/svc_github_stash current_password | password

      - name: Get PAT for Stash
        id: stash
        uses: reecetech/[email protected]
        with:
          base_url: https://stash.example.org/
          username: ${{ steps.vault.outputs.username }}
          password: ${{ steps.vault.outputs.password }}

      - name: Clone repo from Stash
        uses: reecetech/[email protected]
        with:
          url: https://stash.example.com/scm/example/repo.git
          username: ${{ steps.vault.outputs.username }}
          password: ${{ steps.stash.outputs.pat }}

πŸ“₯ Inputs

🚧 To be completed

name description required default

πŸ“€ Outputs

name description
username The username to connect to Stash
pat The personal access token to use to connect to Stash
pat_id The ID of the PAT which can be used to revoke the token

🚧 Limitations

Currently the Action will only generate PATs with REPO_WRITE and PROJECT_WRITE permissions. Further contributions are required to support either read-only or admin PATs.

πŸ’• Contributing

Please raise a pull request, but note the testing tools below

pylint

pylint is used to lint the Python code

See: https://pylint.org/