Hexo Deployment on GitHub Using GitHub Fine-Grained Tokens

Introduction

I used to deploy the Hexo website on GitHub pages using hexo-deployer-git and GitHub classic tokens. But I found it in-secure as GitHub classic tokens enable all the read and write accesses to all the user’s repositories and the user could not afford leaking it.

A few months ago, I found that GitHub is providing fine-grained tokens so that the read and write permissions can be restricted with very fine granularity. However, I was not able to switch to using GitHub fine-grained tokens for Hexo website deployment on GitHub pages until recently because the hexo-deployer-git README was a little bit confusing and I doubted if it could support GitHub fine-grained tokens because it’s last commit was even before GitHub fine-grained tokens were born.

In this blog post, I would like to share the recipe for Hexo deployment on GitHub pages using GitHub fine-grained tokens.

Hexo Deployment on GitHub Pages

Hexo Deployment on GitHub Pages Using Classic Tokens

I used to set the hexo-deployer-git configurations as follows in the Hexo _config.yml file and deploy the Hexo website using GitHub classic tokens.

deploy:
  - type: git
    # GitHub Classic Tokens
    repo: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@github.com/leimao/leimao.github.io
    branch: master
    message: "Hexo & Icarus Deployment Updated: {{ now('YYYY-MM-DD HH:mm:ss') }}"
    ignore_hidden: false

However, if I replaced the GitHub classic tokens with GitHub fine-grained tokens, the deployment will not work without asking me the username and password, which is insecure and has been deprecated by GitHub.

Hexo Deployment on GitHub Pages Using Fine-Grained Tokens

To generate a GitHub fine-grained token for Hexo deployment, we will only need to give permissions to the GitHub pages repository. In my case, it is the leimao/leimao.github.io repository.

We will also need to select the read and write permissions for Actions, Contents, Deployments, Pages, Workflows, and the read permission for Metadata. These permission might not be all necessary for Hexo deployment. But at least I found them working.

The hexo-deployer-git configurations need to be configured as follows in the Hexo _config.yml file.

deploy:
  - type: git
    repo: git@github.com:leimao/leimao.github.io.git
    branch: master
    # GitHub Fine-Grained Tokens
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    message: "Hexo & Icarus Deployment Updated: {{ now('YYYY-MM-DD HH:mm:ss') }}"
    ignore_hidden: false

The repo URL must be the git SSH URL. Otherwise, it will go through the HTTPS URL and ask the user for username and password, which is insecure and has been deprecated by GitHub.

References

• hexo-deployer-git
• Hexo Blog URL Submission to Baidu