Fine-grain PAT guidance and setup reference

[rdn-github]

Select Topic Area

Question

Body

I have set up a private repository on my GitHub account, with HTTPS authentication setting. My intended workflow is to make changes in a local Git repository on my laptop, pushing them to that remote private repository.

My understanding of the authentication doc (About authentication to GitHub) is that for HTTPS protocol and Git command line it is required to use PAT for authentication.
According to another doc (Managing your personal access tokens), GitHub recommends that fine-grained PAT should be used rather than classic PAT.

Upon reviewing respective feature sets of both PAT types, I actually have the same preference, as fine-grain PATs clearly appear to offer better security and flexibility.
However, the issue is that when I started to set up a fine-grain PAT, I got lost in the myriad of settings, for the majority of which I could not understand the objective and relevance to my specific case. Intuitively, I realize that most of them are irrelevant for my simple use case and should be just left alone, but that does not give me a lot of confidence that my settings would be correct and safe to use.

I would appreciate a perspective or guidance in response to the description of my use case above, in fact, any relevant perspective on this topic. Possibly, someone could point me to a guide or a doc reference where fine-grain PAT settings are explained, and possibly a quick start guide for a typical use case like mine is provided.

Thank you

[seyLu]

Hi @rdn-github,

If you have your own personal machine, it is better to use git with ssh instead of PAT. Why? Because an active ssh don't automatically expire, and tokens do.

Tokens are better used alongside with giving either bots/automated workflows/third-party apps limited permissions on a limited time. Like for example, you are using a website hosting service like vercel and you want to allow it limited permission to read your repo in github such that it can build and deploy your site to their platform, but not allow it to have admin access that it can delete your repo.

You can read more at Github official docs:

• About Remote Repositories
• About Authentication to Github
• About SSH
• About Access Tokens

[rdn-github]

Thank you seyLu
Your point makes sense. I will most likely switch my local machine Git to SSH as you suggest. I do envision providing access to selected third-parties, then PATs with fixed expiration dates probable make more sense. My current selections are based on GitHub recommendations, hence my HTTPS and PAT selection.
Thank you for providing links as well. I have read most of the information there. I was looking for some kind of guide navigating through dozens of permission settings for fine-grain PAT. Most of them appear irrelevant to my case.