
Ephemeral GitHub Tokens via HashiCorp Vault

submitted by
Style Pass
2021-05-24 12:30:03

I have found that performing automation against GitHub APIs often necessitates the creation of OAuth tokens (nb. GitHub refers to these as Personal Access Tokens, or PATs). These tokens are tied to a user account, carry coarsely scoped, account-wide permissions and do not expire.

The more automation-savvy users in an organisation will likely have created many such tokens with powerful permissions that are neither rotated nor deleted.

The organisation will also commonly have spent at least one of its GitHub seats on a robot/machine user for CI/CD purposes. These users suffer the same access-token and SSH-key problems as the human users do, but additionally need their credentials managed and rotated on their behalf (a feat that is arguably made even more awkward when federating GitHub access through a third-party IdP).

However, and this is the tricky part, GitHub Apps require managing at least one private key, which is used to sign the short-lived JWT that the App presents when requesting an installation access token.
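The signing and exchange flow described above, as an added example that is not code from the original post, from GitHub or from HashiCorp. The App ID (12345) and installation ID (678) are placeholders, and the RSA key is generated on the fly rather than read from the PEM file GitHub issues; the claims, RS256 algorithm, 10-minute expiry cap and the `/app/installations/{id}/access_tokens` endpoint are as GitHub documents them. A verifier is included so the minted JWT can be checked offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// parsePrivateKey reads the PEM file GitHub provides when a key is generated
// for the App (PKCS#1, "RSA PRIVATE KEY"). That file is the long-lived secret
// the post says has to be managed.
func parsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("expected an RSA PRIVATE KEY PEM block")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// appJWT mints the JWT a GitHub App presents to ask for an installation token.
// GitHub requires RS256 (RSASSA-PKCS1-v1_5 over SHA-256), iss = the App ID and
// exp at most 10 minutes ahead; iat is backdated 60s to tolerate clock skew.
func appJWT(key *rsa.PrivateKey, appID int64, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]int64{
		"iat": now.Add(-60 * time.Second).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(), // 9 min + 60s skew = the 10 min cap
		"iss": appID,
	})
	signingInput := enc(header) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// verifyAppJWT performs the check GitHub does on receipt: signature over
// header.claims, then the claims are decoded. The algorithm is pinned to RS256
// rather than read from the header, so an attacker-chosen "alg" is ignored.
func verifyAppJWT(pub *rsa.PublicKey, token string) (map[string]int64, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]int64
	return claims, json.Unmarshal(raw, &claims)
}

// installationTokenRequest builds the exchange step: POST the App JWT as a
// Bearer token to the installation's access_tokens endpoint; GitHub answers
// with an installation token that expires after one hour. baseURL is
// https://api.github.com in production and a parameter so tests can redirect it.
func installationTokenRequest(baseURL, jwt string, installationID int64) (*http.Request, error) {
	endpoint := fmt.Sprintf("%s/app/installations/%d/access_tokens", baseURL, installationID)
	req, err := http.NewRequest(http.MethodPost, endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

func main() {
	// Constructed key for the demo; App ID and installation ID are placeholders.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, err := appJWT(key, 12345, time.Now())
	if err != nil {
		panic(err)
	}
	req, _ := installationTokenRequest("https://api.github.com", tok, 678)
	fmt.Println(req.Method, req.URL, "Authorization:", req.Header.Get("Authorization")[:20]+"...")
}
```

The asymmetry is the point of the flow: the only long-lived secret is the App's private key, which never leaves the signing side, while the JWT lives at most ten minutes and the installation token it buys lives one hour. Holding that private key in Vault and having Vault perform the signing and exchange is what turns the token that CI actually sees into an ephemeral one.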
