Is the Enterprise Cloud PAT experience normally this frustrating?

[kaihendry]

Select Topic Area

Question

Body

Sorry I initially asked on https://www.reddit.com/r/github/comments/1ne5gkz/is_the_enterprise_cloud_pat_experience_normally/

I'm a contractor working on an Github Enterprise Cloud instance and I'm running into a very frustrating experience.

Everytime I want to clone out another repo in the same Org, i.e. in a action with actions/checkout, I need to pass a token: ${{ secrets.PAT_GITHUB_TOKEN }}

Same experience when using Codespaces.

Surely this is a misconfiguration, since normally we can clone Internal Orgs repos, just not in Actions or Code spaces!

PAT = Tied to a personal account right?

[dorochadev]

Hi @kaihendry,

What you’re seeing is actually expected behaviour for GitHub Enterprise Cloud with Actions and Codespaces. A few points to clarify:

1. PATs are tied to personal accounts, yes. They’re needed when workflows or Codespaces need to authenticate on behalf of a user to access repos that aren’t public.

2. Actions and Codespaces don’t automatically inherit your user session the way the web UI or local git might. That’s why you need to explicitly pass a token (PAT_GITHUB_TOKEN) for internal repos, even within the same org.

3. Internal repos access: If your org has policies restricting repo access or requiring fine-grained tokens, you may have to create a PAT or use a GitHub App with the right permissions instead.

4. Best practice: Store your PAT as a secret in the repo or organization and reference it in workflows. That keeps things secure and avoids having to re-enter tokens constantly.

So, while it can feel frustrating, this is generally how Enterprise Cloud enforces secure access in automated environments.

[kaihendry]

What happens if the User account that the PAT that is tied to, is removed or disabled?

Surely this will result in the PAT being expired and create a major headache to sort out if the PAT is being copied to many Repos?

[kaihendry]

Furthermore gh doesn't work in Code spaces until I copy in a PAT manually. So much hoop jumping!

[YashSmithh]

Yes, many users report that the Enterprise Cloud PAT setup can feel cumbersome, especially with token scopes and expiration settings. It’s designed for strict security, which adds friction. Once configured correctly, though, it generally works reliably.

[kaihendry]

Can you define "configured correctly"?

For example developers end up copying up their ssh private key to code spaces just to work.

Sadly monorepos aren't common place.

[Moser-ss]

I can share my experience, I don't like to use PAT because that token is associated to a user, so it is a seat that I wasting for a bot account. I use GitHub App. The organization can create up to 100 GitHub apps and that apps can have fine grain permissions and installed in specific repositories. And it is possible to generate temporary tokens during the usage of the GitHub actions for that GitHub app

The other bonus thing is that you can have multiple organization members with the role of app manager and with that way you can create and edit GitHub happens without the need to share user account credentials