There's no shortage of options for interacting with GitHub. This is a summary to help keep you secure when connecting all the things. I assume you've already got 2FA enabled, if not, do that first!
SSH Keys
SSH keys are cryptographic keys that can act on behalf of your account. They don't respect 2FA so be careful with them. The only exception to their reach is SSO-enabled organisations which may require keys to be individually authorised before accessing org resources.
SSH keys can also be used to sign your commits. This allows others to cryptographically verify that you were the individual who made a given commit.
Since SSH keys can act as your cryptographically verifiable identity and access resources on your behalf, you'll want to protect them as best you can.
You can protect SSH keys by adding a passphrase when generated. Alternatively, you can use a third-party SSH agent, like 1Password's SSH Agent to securely store and access your keys.
Personal Access Token (PAT)
Similarly to SSH keys, Personal Access Tokens are authorised to act on your behalf (without 2FA). They're often used programmatically and offer an additional layer of control, letting you define the scope of access for each token. There are two types of PAT, Classic and Fine-grained.
Treat PATs like you would any other secret. Keep them out of plain text files and avoid committing them to repositories.
Classic Tokens
Classic tokens allow you to filter by action but not resource. This means a token can apply its permission set against any resource to which your account has access. Note: SSO organisations may require authorising keys before access to resources is permitted.
Fine-grained Tokens
Fine-grained tokens are an evolution of the classic token. They acknowledge and correct the inability to scope permissions by resource. In the screenshot below you can see we're able to filter by actions but also repository access.
Applications
As of writing, there are three methods by which applications can interact with GitHub on your behalf:
- Installed GitHub Apps
- Authorised GitHub Apps
- Authorized OAuth Apps
As you try various tools and products you may find that you accumulate quite a number of apps. Taking a moment to review and remove any unused apps is worthwhile.
Installed GitHub Apps
Installed GitHub Apps are those which you've installed directly to your GitHub account, a Github Org or a repository. This provides a Github application access to the resources you define based on the permission set it requests. The application can then interact with the resources directly.
Authorised GitHub Apps
Authorised GitHub Apps are Github Apps that you've approved to act on your behalf. They can do so when all of the following conditions are true:
- The GitHub App must be installed on the appropriate organisation or repository.
- Your GitHub account has access to the resources.
- The GitHub App requested the right permissions.
Authorised OAuth Apps
Authorised OAuth Apps are OAuth Apps that you've approved to act on your behalf. They can access any resource on behalf of your account except for organisations requiring prior admin approval.