I had a contractor do some work for me; they pushed some code to my GitHub, which uses GitHub Actions to deploy to my Fly server. What is odd is that even if that individual does not do a push to my repo, it automatically pulls his information and says on Fly’s dashboard that he did a release?
It’s likely their GitHub token is being used to deploy this app, and if the deployment is still working, that means they have access to that repo.
If you want the deployment to be tagged as yours, use `fly tokens` to generate an app-deployment/organization token and put it in your repo secrets.
If you don’t want that contractor to still have access to your app: remove them from your organization after you change the deployment token to be yours.
Thanks @lubien - they’ve been removed from the GitHub project for some time. Would that mean that their GitHub token is being used for the Fly instance?
I see now! You might want to check your offboarding checklist to see what’s left to completely remove them from your org. Go to your dashboard and click on “Offboarding” on the left. The URL is roughly:
Yes! We recommend app deploy tokens because they’re very scoped, so if GitHub ever leaks those (who knows) it’s less scary, but an org token or even your user token should both do.
It was determined that the individual still had a token active; this token was what was used in the GitHub Action secret, which led to the UI behavior. After removing their token and replacing it with an organization token, it now reflects accordingly.