GitHub personal access tokens
Registry of all GitHub personal access tokens (PATs) used across HCS projects. Token values are stored in kv-hcs-vault-01 only — never here.
Strategy
HCS uses a single classic PAT (hcs-github-org-pat) that covers all HCS GitHub orgs. This PAT is:
- Stored in kv-hcs-vault-01 as secret hcs-github-org-pat
- Loaded into the local session via scripts/Load-HCSEnvironment.ps1 as $env:GITHUB_TOKEN
- Wired through gh auth login --with-token and gh auth setup-git so the GitHub CLI and git both use it transparently
New PATs must be registered here before use. One PAT per purpose — do not reuse hcs-github-org-pat for automation that should have its own identity.
hcs-github-org-pat — full details
| Field | Value |
|---|---|
| PAT name | hcs-github-org-pat |
| Type | Classic PAT |
| Owner | kris@hybridsolutions.cloud |
| KV secret name | hcs-github-org-pat |
| Local env var | GITHUB_TOKEN |
| Orgs covered | All HCS GitHub orgs |
| Rotation schedule | 90 days |
| Last rotated | 2026-05-08 |
Scopes
| Scope | Reason |
|---|---|
| repo (full) | Read and write all repos |
| workflow | Update GitHub Actions workflows |
| read:org | Read org membership |
| admin:org (read) | Read org settings |
| packages:read | Read GitHub Packages |
Rotating hcs-github-org-pat
- Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
- Regenerate hcs-github-org-pat (same name, same scopes)
- Update the secret in Key Vault:
- Re-wire the GitHub CLI:
- Update Last rotated in the registry table below and in secret-inventory.md.
- Commit: docs(identity): rotate hcs-github-org-pat
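The Key Vault update and GitHub CLI re-wire steps above, written out as a PowerShell session. This is an added example, not the project's own commands or the contents of scripts/Load-HCSEnvironment.ps1. It assumes az and gh are installed and az login has been run; the variable names and the ghp_ prefix check are illustrative.

```powershell
# Added example, not the project's script. Assumes az and gh are installed and
# `az login` has been run with permission to set secrets in the vault.
$Vault  = 'kv-hcs-vault-01'
$Secret = 'hcs-github-org-pat'

# Read the regenerated token without echoing it or leaving it in shell history.
$secure = Read-Host -Prompt "Paste regenerated $Secret" -AsSecureString
$token  = [System.Net.NetworkCredential]::new('', $secure).Password.Trim()
if ($token -cnotmatch '^ghp_[A-Za-z0-9]+$') { throw 'Expected a classic PAT (ghp_ prefix).' }

# Update the secret in Key Vault. --file keeps the value off the az command
# line; the temp file is deleted even if the upload fails.
$tmp = New-TemporaryFile
try {
    Set-Content -LiteralPath $tmp.FullName -Value $token -NoNewline -Encoding ascii
    az keyvault secret set --vault-name $Vault --name $Secret --file $tmp.FullName --output none
    if ($LASTEXITCODE -ne 0) { throw 'Key Vault update failed.' }
}
finally {
    Remove-Item -LiteralPath $tmp.FullName -Force
}

# Re-wire the GitHub CLI from the vault copy, which proves the stored value works.
# gh auth login refuses to store a token while GITHUB_TOKEN is set, so clear it first.
Remove-Item Env:GITHUB_TOKEN -ErrorAction SilentlyContinue
$stored = az keyvault secret show --vault-name $Vault --name $Secret --query value --output tsv
if ($LASTEXITCODE -ne 0 -or $stored -cne $token) { throw 'Vault copy does not match the new token.' }
$stored | gh auth login --with-token
if ($LASTEXITCODE -ne 0) { throw 'gh auth login rejected the token.' }
gh auth setup-git
$env:GITHUB_TOKEN = $stored

# Show the scopes GitHub actually granted; compare them with the Scopes table.
$line = gh api --include user | Select-String -Pattern '^X-OAuth-Scopes:\s*(.*)$' | Select-Object -First 1
if (-not $line) { throw 'No X-OAuth-Scopes header returned.' }
'Granted scopes: ' + $line.Matches[0].Groups[1].Value

# Drop the plaintext copies held in variables (GITHUB_TOKEN stays, by design).
Remove-Variable token, stored, secure
```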
Registry
| PAT name | KV secret name | Purpose | Orgs/repos | Scopes | Rotation schedule | Last rotated | Notes |
|---|---|---|---|---|---|---|---|
| hcs-github-org-pat | hcs-github-org-pat | Primary GitHub PAT for all HCS org operations and local tooling | All HCS orgs | repo, workflow, read:org, packages:read | 90 days | 2026-05-08 | Classic PAT. Loaded as GITHUB_TOKEN. |
Adding a new PAT
- Generate the new PAT on GitHub with only the scopes it needs (principle of least privilege)
- Store it in kv-hcs-vault-01 with a descriptive name following the kebab-case convention
- Add it to the registry table above
- Add it to secret-inventory.md
- If pipelines need it, add it to the appropriate Variable Group in ado-variable-groups.md
- Commit: docs(identity): register PAT <pat-name>