I am working on a commercial desktop app built using Electron, and our codebase is on a GitHub private repo. We are trying to enable devs to publish the binaries to GitHub releases, and using electron-updater to auto update.
From googling around and experimenting, I got this to work but I needed to expose a GH token that has read:packages, repo, write:packages permissions. Due to the way electron-builder and electron-updater works, this token is exposed in plaintext in a .yml file once installed.
My question is what are the security repercussions for exposing this token? The worst I can think of is having a malicious user push false updates which doesn't seem that bad as they can only push draft releases from what I understand.
A token with repo scope has full read and write access to your repository and can be used to fetch from and push to your repository with the full privileges of the user for whom it's issued. So if you give that token to others, they can operate on the repository as you. Such a token also grants numerous other API permissions as well.
It would be better in general to build your releases in a CI system and create and upload the releases via a token that's stored safely in your CI system's secret store. You definitely do not want to allow anyone other than you or a trusted system to access your GitHub tokens.