From 6922a620b2871032f5fea06cac2458e55c83ab1e Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Fri, 6 Dec 2024 14:18:56 -0500 Subject: [PATCH] PAT vs App - Update compiled-languages-go.md --- .../codeql-builds/compiled-languages-go.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/troubleshooting/codeql-builds/compiled-languages-go.md b/troubleshooting/codeql-builds/compiled-languages-go.md index 09c8f71..928880d 100644 --- a/troubleshooting/codeql-builds/compiled-languages-go.md +++ b/troubleshooting/codeql-builds/compiled-languages-go.md @@ -7,7 +7,7 @@ There are two options when it comes to private repositories: - Set-up the Go environment within the Actions workflow (not vendoring then) - Vendor the dependencies -Setting up the Go environment can be done by adding a Actions step to update the [Go settings](https://go.dev/ref/mod#private-modules) pointing them to use a [GitHub Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with the corresponding access to the private repository. +Setting up the Go environment can be done by adding a Actions step to update the [Go settings](https://go.dev/ref/mod#private-modules) pointing them to use an access token (ex: [GitHub Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)) with the corresponding access to the private repository. The example below shows how this can be done using a single step before the CodeQL Initize step - storing the GitHub PAT in an Actions Secret. **Example:** 
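Review bot: the rewritten line in this hunk generalizes the first sentence to "an access token (ex: [GitHub Personal Access Token])" but leaves the next sentence saying "storing the GitHub PAT in an Actions Secret", so the paragraph now contradicts itself; suggest "storing the token in an Actions Secret" so both sentences agree. While the line is being touched, also fix "a Actions step" (should be "an Actions step") and "CodeQL Initize step" (the file later refers to the "CodeQL init action", so "CodeQL init step" or "CodeQL Initialize step" would match), and consider "e.g." rather than "ex:".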
@@ -38,3 +38,14 @@ Alternatively, pass the token into the CodeQL init action to allow it to be used with: external-repository-token: ${{ secrets.GOLANG_GITHUB_TOKEN }} ``` + + +The auto generated GITHUB_TOKEN is strictly scoped to the repository for security reasons. + +To interact with higher level resources(other repositories, use GitHub Apps with shortlived tokens instead of Personal Acces Tokens. The GitHub action for it here https://github.com/actions/create-github-app-token described in the docs here https://github.com/actions/create-github-app-token + + +This is better than a PAT for a few reasons: +- The tokens are short lived. +- The token can be scoped to specific places in the workflow at time of creation. +- It isn’t associated to a user, it is associated to an app.
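Review bot: the new section recommends a GitHub App token over a PAT but never connects that advice to the two examples above, which both still read `external-repository-token: ${{ secrets.GOLANG_GITHUB_TOKEN }}`; without a worked step a reader cannot tell how to swap the approach in. Suggest adding a `- uses: actions/create-github-app-token@v1` step with `id: app-token` (inputs `app-id` and `private-key` from secrets, optionally `owner`/`repositories` to restrict the token) and then passing `${{ steps.app-token.outputs.token }}` into the existing step or into `external-repository-token`. The third bullet, "scoped to specific places in the workflow at time of creation", is vague; the concrete property is that the token can be restricted to specific repositories (and owner) when it is minted, so say that. Wording and style fixes in the added text: "higher level resources(other repositories," is missing its closing parenthesis and a space before the opening one; "Personal Acces Tokens" should be "Personal Access Tokens"; "shortlived" should be "short-lived"; "associated to" should be "associated with". Both bare URLs point at the same `actions/create-github-app-token` repository, so "described in the docs here" duplicates the first link rather than pointing at separate documentation; either drop the second link or point it at the intended docs page, and use markdown links to match the rest of this file, which uses `[text](url)` rather than bare URLs. Finally, the three leading `+` blank lines and the lack of a heading make this read as a trailing afterthought; a short heading in the file's existing style would help.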