Using GitHub token in my app to auto update? Is it safe?

Hello, I'm using my GitHub token to update my app from a private repository. It works fine; I'm just wondering whether it is safe, especially if I want to have other people download the app. Will my source code be safe from bad actors who might try to pull my source code from GitHub? I'm using the Electron auto-updater.

Solution 1:[1]

If you are embedding your GitHub token into a binary that you distribute, then no, that is not secure. Anyone who gets access to the app can extract your token and access data with whatever permissions your token has, which is probably every repository you have access to.

If your repository is private, there is probably not a secure way to get code from it to auto update. You would be better off distributing software using signed tarballs (and a signed manifest) over HTTPS, with the key baked into your code. Alternatively, if you're running on Linux, you could provide packages for the appropriate package manager, which would also be secure.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 bk2204