[Request for Feedback] Expiration policies and lifetime changes for PATs #141929

hpsin · 2024-10-18T20:07:01Z

hpsin
Oct 18, 2024

We've launched the ability to restrict PAT lifetimes if the PAT is going to be used against your organization or resource. As part of this change, we've also allowed fine-grained PATs to be created without an expiration.

The default policy for all orgs and enterprises retains the existing 366 day maximum for fine-grained PATs.

Please check out the changelog for more details, and let us know what you think!

Known issues

Fixed: Editing a token was triggering a 404 page with an error message about the lifetime policy.

mve · 2024-10-19T10:15:51Z

mve
Oct 19, 2024

I'm having some trouble creating a token without an expiration.

In the org i've unchecked "Fine-grained personal access tokens must expire".
Then on this page I'm trying to create a new fine-grained PAT. I've set the resource owner to the org but I don't see the option to have no expiration date. I only see 7 - 90 days and custom only goes to 1 year. The org is on the "free" plan and I am an owner of the org.

4 replies

hpsin Oct 19, 2024
Author

Thanks! This should be fixed now, we had a feature flag stuck.

mve Oct 20, 2024

Perfect, I see the option now! Thanks for this new feature. This was the main reason I was still using classic tokens for some use cases.

StanislavUhimenko Apr 14, 2025

DRIUJ

StanislavUhimenko Apr 14, 2025

https://github.githubassets.com/assets/ui/packages/memex/src/client/components/board/hooks/use-is-visible.tsx

HikaruEgashira · 2024-10-21T06:21:56Z

HikaruEgashira
Oct 21, 2024

I'm trying to enable this policy in the enterprise.

After enabling this option, if unexpected API call failures are discovered and the policy is temporarily disabled, will the call failures recur?

1 reply

hpsin Oct 21, 2024
Author

No, if you disable the policy it'll stop blocking API calls. So you can "brownout" or "scream test" long lived tokens here by setting the token, checking your streaming logs, and then deciding if you want to roll back.

hfhbd · 2024-10-22T07:05:00Z

hfhbd
Oct 22, 2024

We would like to disable the classic PATs for our org, but unfortunately we need read Packages (maven) support only.

Is there any option to limit a classic PAT for an org to allow only specific scopes and disable all other scopes?

1 reply

hpsin Oct 22, 2024
Author

Ah, no, I'm afraid not. The only option today would be to run a job that checks for tokens that don't match your allowlist and revoke their access to the organization, by removing their SSO credential authorization.

StanislavUhimenko · 2025-04-14T12:27:21Z

StanislavUhimenko
Apr 14, 2025

import memoize from '@github/memoize'
import {getEnv} from '@github-ui/client-env'
import {IS_SERVER} from '@github-ui/ssr-utils'

function getEnabledFeaturesSet(): Set {
const features = getEnv().featureFlags
const featuresUpperCase = features.map(feature => feature.toLowerCase())
return new Set(featuresUpperCase)
}

const featuresSet =
IS_SERVER || process.env.NODE_ENV === 'test' || isStorybook() ? getEnabledFeaturesSet : memoize(getEnabledFeaturesSet)

export function getEnabledFeatures(): string[] {
return Array.from(featuresSet())
}

export function isFeatureEnabled(name: string): boolean {
return featuresSet().has(name.toLowerCase())
}

//exported to allow mocking in tests
const featureFlag = {isFeatureEnabled}

export {featureFlag}

function isStorybook() {
try {
return process?.env?.STORYBOOK === 'true'
} catch {
return false
}
}

0 replies

[Request for Feedback] Expiration policies and lifetime changes for PATs #141929

Uh oh!

Uh oh!

Known issues

Replies: 4 comments · 6 replies

Uh oh!

Uh oh!

Uh oh!

hpsin Oct 19, 2024 Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

hpsin Oct 21, 2024 Author

Uh oh!

Uh oh!

hpsin Oct 22, 2024 Author

Uh oh!

Replies: 4 comments 6 replies

hpsin Oct 19, 2024
Author

hpsin Oct 21, 2024
Author

hpsin Oct 22, 2024
Author