GitHub personal access tokens

Registry of all GitHub personal access tokens (PATs) used across HCS projects. Token values are stored in kv-hcs-vault-01 only — never here.


Strategy

HCS uses a single classic PAT (hcs-github-org-pat) that covers all HCS GitHub orgs. This PAT is:

  • Stored in kv-hcs-vault-01 as secret hcs-github-org-pat
  • Loaded into the local session via scripts/Load-HCSEnvironment.ps1 as $env:GITHUB_TOKEN
  • Wired through gh auth login --with-token and gh auth setup-git so the GitHub CLI and git both use it transparently

New PATs must be registered here before use. One PAT per purpose — do not reuse hcs-github-org-pat for automation that should have its own identity.


hcs-github-org-pat — full details

| Field | Value |
|---|---|
| PAT name | hcs-github-org-pat |
| Type | Classic PAT |
| Owner | kris@hybridsolutions.cloud |
| KV secret name | hcs-github-org-pat |
| Local env var | GITHUB_TOKEN |
| Orgs covered | All HCS GitHub orgs |
| Rotation schedule | 90 days |
| Last rotated | 2026-05-08 |

Scopes

| Scope | Reason |
|---|---|
| repo (full) | Read and write all repos |
| workflow | Update GitHub Actions workflows |
| read:org | Read org membership |
| admin:org (read) | Read org settings |
| packages:read | Read GitHub Packages |

Rotating hcs-github-org-pat

  1. Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
  2. Regenerate hcs-github-org-pat (same name, same scopes)
  3. Update the secret in Key Vault:
    az keyvault secret set `
        --vault-name kv-hcs-vault-01 `
        --name hcs-github-org-pat `
        --value '<new-token-value>'
    
  4. Re-wire the GitHub CLI:
    $env:GITHUB_TOKEN = az keyvault secret show `
        --vault-name kv-hcs-vault-01 `
        --name hcs-github-org-pat `
        --query value -o tsv
    $env:GITHUB_TOKEN | gh auth login --with-token
    gh auth setup-git
    
  5. Update Last rotated in the registry table below and in secret-inventory.md.
  6. Commit: docs(identity): rotate hcs-github-org-pat
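
A post-rotation check for steps 2 and 5, as an added example that is not part of the HCS scripts: it compares the scopes a token actually carries (GitHub returns them for classic PATs in the X-OAuth-Scopes response header) with the registry entry and computes the next rotation date. The function name Test-HcsPatRegistration and the sample header are hypothetical and constructed for illustration; scope strings are compared verbatim as the registry writes them.

```powershell
# Added example: hypothetical helper, not part of the HCS scripts.
function Test-HcsPatRegistration {
    param(
        [Parameter(Mandatory)] [string[]] $RegisteredScopes,   # Scopes column of the registry
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $ScopesHeader,  # X-OAuth-Scopes value
        [Parameter(Mandatory)] [datetime] $LastRotated,        # Last rotated column
        [int] $RotationDays = 90,                              # Rotation schedule column
        [datetime] $AsOf = (Get-Date)
    )
    # The header is a comma-separated list; normalise whitespace and case.
    $granted = @($ScopesHeader -split ',' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ })
    $expected = @($RegisteredScopes | ForEach-Object { $_.Trim().ToLowerInvariant() })

    $due = $LastRotated.Date.AddDays($RotationDays)
    [pscustomobject]@{
        ExtraScopes   = @($granted  | Where-Object { $_ -notin $expected })  # granted, not registered
        MissingScopes = @($expected | Where-Object { $_ -notin $granted })   # registered, not granted
        RotationDue   = $due
        DaysRemaining = [int](($due - $AsOf.Date).TotalDays)
    }
}

# Constructed sample: a header as it might look if an extra scope was ticked and one
# was left out during regeneration. The live value is the X-OAuth-Scopes response
# header of an authenticated GET https://api.github.com/user.
$sampleHeader = 'repo, workflow, read:org, delete_repo'

$result = Test-HcsPatRegistration `
    -RegisteredScopes 'repo', 'workflow', 'read:org', 'packages:read' `
    -ScopesHeader $sampleHeader `
    -LastRotated '2026-05-08' `
    -AsOf '2026-07-20'

$result | Format-List
if ($result.ExtraScopes -or $result.MissingScopes -or $result.DaysRemaining -lt 0) {
    Write-Warning 'PAT does not match its registry entry; fix the token or the registry before use.'
}
```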

Registry

| PAT name | KV secret name | Purpose | Orgs/repos | Scopes | Rotation schedule | Last rotated | Notes |
|---|---|---|---|---|---|---|---|
| hcs-github-org-pat | hcs-github-org-pat | Primary GitHub PAT for all HCS org operations and local tooling | All HCS orgs | repo, workflow, read:org, packages:read | 90 days | 2026-05-08 | Classic PAT. Loaded as GITHUB_TOKEN. |

Adding a new PAT

  1. Generate the new PAT on GitHub with only the scopes it needs (principle of least privilege)
  2. Store it in kv-hcs-vault-01 with a descriptive name following the kebab-case convention
  3. Add it to the registry table above
  4. Add it to secret-inventory.md
  5. If pipelines need it, add it to the appropriate Variable Group in ado-variable-groups.md
  6. Commit: docs(identity): register PAT <pat-name>