GitHub fine-grained PATs for CDK Pipelines

GitHub fine-grained personal access tokens (PATs) may only be available in beta, but the pros outweigh the cons for reducing the risk from the classic PATs blast radius.

CDK Pipelines requires the token must be stored in an AWS Secret Manager (ASM) secret called github-token.

Instead of having access to all repositories, the token can be scoped to a specific code base.

Initial CDK Pipeline setup only requires Metadata and Webhook permissions.

While the user interface (UI) says the token can live forever, it must be configured to expire in one year.

When adding permissions, the UI has inconsistent names for deploying additional resources, where these are my starting point. I may be able to reduce these more in the future.

Read Only

• Metadata

Read & Write

• Commit statuses
• Contents
• Pull requests
• Webhooks