
Discontinuation of SSH keys for GitHub repositories

January 15, 2024

This release note applies only to GitHub

For increased security, Codacy is discontinuing the usage of repository SSH keys for Git operations on GitHub in favor of installation access tokens.

This change translates into important security improvements:

To minimize any impact, Codacy is currently discontinuing the usage of repository SSH keys but will keep using them as a fallback mechanism at this first stage. At a later stage, Codacy will stop using repository SSH keys and delete the keys stored in our systems.

Changes on the Codacy GitHub App required permissions

To use installation access tokens, the Codacy GitHub App now requires repository read permissions for Contents.

On the other hand, the usage of installation access tokens no longer requires read and write repository permissions for Administration. The Codacy GitHub App still requests this permission during this first stage, while using repository SSH keys as a fallback mechanism. At a later stage, Codacy will remove the permission from the GitHub App.

What do you need to do if you have a GitHub organization?

Make sure an organization owner approves the updated permissions for the Codacy GitHub App on your GitHub organization, if not done yet.

Codacy has been requesting repository read permissions for Contents since September 2023. Organization owners should have received a GitHub notification to review a request for this additional permission:

[Image: Codacy GitHub App updated permissions request]

If you have any questions or need help, please contact support@codacy.com.

Removal of repository permissions for Administration and SSH keys

To ensure the conditions to use installation access tokens on GitHub organizations are met before the removal of repository permissions for Administration and SSH keys, Codacy will execute a phased rollout according to the timeline below:

Date: January 15, 2024
Event: Codacy started using installation access tokens to clone and integrate with your repositories
What to expect:

From this day on, repository SSH keys are used exclusively as a fallback mechanism when the Contents permission is missing.

If not done yet, make sure an organization owner approves Codacy GitHub App updated permissions on your GitHub organization.

Date: February 12, 2024
Event: Brownout of repository permissions for Administration
What to expect:

On this day, Codacy won't use any fallback mechanism if the Contents permission is missing.

This will help you confirm that the updated permissions for the Codacy GitHub App were already approved for your organization.

If on this date your Codacy quality analysis fails or you have problems adding new repositories to Codacy, make sure an organization owner approves the updated permissions for the Codacy GitHub App on your GitHub organization.

Date: February 19, 2024
Event: Codacy will remove repository permissions for Administration from the Codacy GitHub App and stop using repository SSH keys
What to expect:

Codacy will start using installation access tokens to clone and integrate with your repositories, with no fallback mechanisms. Also, repository permissions for Administration will be removed from the Codacy GitHub App.

If on this day the Codacy GitHub App updated permissions haven't been approved on your GitHub organization yet, your Codacy quality analysis will fail and you won't be able to add new repositories to Codacy until an organization owner approves the updated permissions.

Date: To be defined
Event: Codacy will no longer store repository SSH keys
What to expect:

On this day, Codacy will delete all the repository SSH keys stored in our systems.

For increased security, you can revoke the keys created by Codacy on your GitHub repository.
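One way to check readiness for the timeline above, as an added example that is not Codacy's code: it audits the app's granted permissions and lists leftover repository keys from GitHub REST API responses. Assumptions: the JSON is shaped like `GET /orgs/{org}/installations` and `GET /repos/{owner}/{repo}/keys` (deploy keys), the app slug `example-codacy-app` is a placeholder, and matching key titles on "codacy" is a heuristic; all sample data is constructed.

```python
import json

# Constructed sample shaped like GET /orgs/{org}/installations (not real data).
INSTALLATIONS = json.loads("""{"total_count": 2, "installations": [
  {"id": 1, "app_slug": "example-codacy-app",
   "permissions": {"metadata": "read", "administration": "write"}},
  {"id": 2, "app_slug": "other-app", "permissions": {"contents": "write"}}]}""")

# Constructed sample shaped like GET /repos/{owner}/{repo}/keys (deploy keys).
DEPLOY_KEYS = json.loads("""[
  {"id": 101, "title": "Codacy Key", "read_only": true},
  {"id": 102, "title": "ci-deploy", "read_only": false}]""")

LEVELS = {None: 0, "read": 1, "write": 2}


def audit_installation(installations, app_slug):
    """Return findings about the app's permissions versus the release note."""
    matches = [i for i in installations["installations"]
               if i["app_slug"] == app_slug]
    if not matches:
        return ["app is not installed on this organization"]
    perms = matches[0].get("permissions", {})
    findings = []
    # Contents read is what installation access tokens need for cloning.
    if LEVELS.get(perms.get("contents"), 0) < LEVELS["read"]:
        findings.append("Contents read not approved: analysis will fail "
                        "once the SSH key fallback is disabled")
    # Administration is only needed while SSH keys remain a fallback.
    if perms.get("administration"):
        findings.append("Administration still granted: expected until "
                        "Codacy removes it from the app")
    return findings


def leftover_keys(deploy_keys, title_hint="codacy"):
    """IDs of deploy keys whose title suggests Codacy created them.

    The title match is an assumption; confirm each key before revoking it.
    """
    return [k["id"] for k in deploy_keys
            if title_hint in k.get("title", "").lower()]


if __name__ == "__main__":
    for finding in audit_installation(INSTALLATIONS, "example-codacy-app"):
        print("finding:", finding)
    print("keys to review:", leftover_keys(DEPLOY_KEYS))
```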
