Using GitHub Apps to Replace Service Account for Team Shared Connection
Problem Statement / Current Situation:
For enterprise security compliance, organizations are moving to a model where all third-party integrations must use pure application-based identities (like GitHub Apps) instead of user-based accounts.
Currently, Gearset's CI/CD jobs require a "Team Shared Connection" (https://docs.gearset.com/en/articles/8455568-team-shared-source-control-connections), which uses a combination of a GitHub App for authorization and a separate GitHub "service account" user for commit attribution. While this is a functional workaround, it still forces us to create, manage, and secure a user entity in GitHub. This goes against modern security principles that aim to eliminate the management of all user credentials, even for service accounts.
Proposed Solution:
We propose that Gearset enhance its GitHub integration to allow a GitHub App to be used as a complete, standalone identity for CI/CD operations.
This would mean that when a CI job runs a merge, the author of the merge commit would be the GitHub App itself, not a separate service account user. This is an emerging best practice in the industry, as a GitHub App can have its own identity and be an actor within the system. As security expert Josh-ops notes in his detailed article on the subject, this provides a more secure and streamlined approach by "moving the identity from a user to the application itself."

Douglas Liu commented
Why This Is Important / Benefits:
1. Enhanced Security: This eliminates an entire class of credentials (the service account's PAT) that needs to be managed, rotated, and secured. Authentication would rely solely on the GitHub App's secure, short-lived tokens.
2. Simplified Administration: It removes the operational overhead of creating, managing permissions for, and eventually off-boarding a separate user account in GitHub just for the CI/CD process.
3. Clearer Attribution: A commit authored by Gearset App [ID: 123456] is a more precise and unambiguous audit trail than one authored by a generic svc-gearset user. It points directly to the application that performed the action.
4. Future-Proofs Gearset's Architecture: Adopting this "application-first" identity model aligns Gearset with the direction modern enterprise security is heading. It would be a strong selling point for security-conscious customers.
Here is an article related to this: https://josh-ops.com/posts/github-apps/
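To make the "application-first" identity concrete, here is an added example (not Gearset's code, nor from the linked article) of the two pieces a CI job needs: the short-lived JWT a GitHub App exchanges for an installation token, and the git author/committer identity that makes GitHub attribute the resulting commit to the App's bot user. The app id, slug and bot user id are placeholders, and the RS256 signer is passed in by the caller so the module needs no crypto dependency.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional

MAX_JWT_LIFETIME = 600  # GitHub rejects App JWTs valid for more than 10 minutes
CLOCK_SKEW = 60         # backdate iat slightly to tolerate clock drift


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_app_jwt(app_id: str, rs256_sign: Callable[[bytes], bytes],
                  now: Optional[int] = None, lifetime: int = 540) -> str:
    """Build the short-lived JWT a GitHub App presents to mint an installation token.

    rs256_sign signs the JOSE signing input with the App's private key (RS256);
    in production wire it to a signer from a library such as `cryptography`.
    A fake signer is enough to exercise the token layout offline.
    """
    if not 0 < lifetime <= MAX_JWT_LIFETIME:
        raise ValueError("GitHub App JWT lifetime must be 1..600 seconds")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iat": now - CLOCK_SKEW, "exp": now + lifetime, "iss": app_id}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{_b64url(rs256_sign(signing_input.encode()))}"


def decode_claims(jwt: str) -> Dict:
    """Read back the claims segment (no signature check; for inspection only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def app_commit_identity(app_slug: str, bot_user_id: int) -> Dict[str, str]:
    """Git environment that attributes a commit to <slug>[bot] instead of a user.

    bot_user_id is the bot *user's* database id (GET /users/<slug>%5Bbot%5D),
    not the App id; the noreply address pattern is what GitHub matches on.
    """
    name = f"{app_slug}[bot]"
    email = f"{bot_user_id}+{name}@users.noreply.github.com"
    return {"GIT_AUTHOR_NAME": name, "GIT_AUTHOR_EMAIL": email,
            "GIT_COMMITTER_NAME": name, "GIT_COMMITTER_EMAIL": email}
```

Export the returned mapping into the environment of the `git commit` run by the CI job, and present the JWT as a Bearer token to `POST /app/installations/{id}/access_tokens` to obtain the installation token used for the push.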