Skip to content

Add suggested method of configuring remotes with least privilege to docs #532

New issue
New issue
Open
Open
Add suggested method of configuring remotes with least privilege to docs#532
@noahkiss

Description

@noahkiss
noahkiss
opened on May 14, 2025

This issue is about

  • Man pages or command-line usage
  • Website documentation
  • Packaging
  • Other

Describe the issue

yadm is one of those rare tools where users may want to sync work & personal information together.

I think it's fair to say that most of us are blasé about fine-grained permissions on our main computers (or maybe connect to remotes without using tokens at all, or opaquely).

Because of this, it can take a few minutes to google and figure out the right permissions model to create a narrowly scoped fine-grained token to add to our work computer (or any other device which is multi-user or low-trust).

It would be great if yadm would include simple guidelines on how to scope a token for the major providers, and maybe also a little code block for how to properly use it on the other computer. This could either live in the "Getting Started" or "FAQ", or maybe somewhere else.

For example, in the FAQ, maybe a little section like this:

Adding Remotes

A common use of yadm is to sync your configuration between personal and work devices. Here is a starting point for allowing repository access to your dotfiles repo on your work device, allowing git push and pull while limiting exposure.

GitHub

To access your dotfiles repository in a personal GitHub account, create a Fine-Grained Personal Access Token (link). Choose a token expiration which you are comfortable with, and limit the token to your dotfiles repo. Under "Repository Permissions", give the token "Read and write" access to the "Contents" section. This will automatically assign "Read-only" permissions to the "Metadata" section as well. The token is now ready for generation and use.

To use the token, add your remote repository to yadm:

yadm remote add origin https://github.com/_username_/dotfiles.git
yadm pull
yadm checkout main  # the branch you're using
yadm push --dry-run

If you received a 403 error when running yadm push --dry-run, we'll need to configure the correct GitHub account for yadm (this will likely happen if you use GitHub at work).
Navigate to the yadm repository to update your GitHub username for the repo:

cd $HOME/.local/share/yadm/repo.git/
git config set credential.username "_personal_username_"
# you could use your work email or a custom name
# here to track which device commits came from
git config set user.email "_personal_email_"
git config set user.name "_name_"

Return to your previous directory and continue to configure your token:

cd -
yadm push --dry-run
# git should ask for your password now.
# use the token you generated as your password.

That's it! You can now push to your personal dotfiles repository with yadm.

(apologies if I'm just missing the location/repo of the documentation to report an issue / open a PR directly)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions