A few weeks ago we announced our plans to switch from OAuth tokens to Deploy Keys or Access Keys for greater security. Our goal is to prevent OAuth tokens from ever touching a Tugboat service. We are deploying this change on Friday, May 18, 2018.
The short version
We will be creating a new Deploy Key (GitHub and GitLab) or Access Key (Bitbucket) for each git repository that you have registered with Tugboat. You may receive a notice from your git provider about this, depending on your notification settings with that provider. That’s it. We’ll handle the rest.
The longer version
GitHub, GitLab, and Bitbucket all support the use of a dedicated SSH key pair to access a git repository. GitHub and GitLab call this a Deploy Key, Bitbucket calls it an Access Key, but they serve the same purpose. We call them deploy keys (sorry Bitbucket, it was 2-to-1).
During the maintenance window on Friday evening, we will be generating a unique deploy key for each of the repositories registered with Tugboat. You may receive a notice from your git provider about this, depending on your notification settings with that provider.
From then on, Tugboat will use a repository’s deploy key for all of its git operations. This key will only be present on a Tugboat service while we are performing the git operations necessary to fetch and/or merge the appropriate code from your git repository. The deploy key is then overwritten by the repository’s normal SSH key before calling your build script. The key available to your build script can be managed in the Tugboat repository settings. The deploy key is managed by us.
Any given deploy key is only able to access the git repository it is associated with, unlike OAuth tokens which can access any git repository that the owner of the token has access to. This means that Tugboat now has much tighter control over what each of the build scripts it runs has access to.
We do not expect this change to be disruptive. But, we do expect that your git providers will probably be sending notifications about the new keys from Tugboat, so we wanted to be sure you were expecting that.