Rotation of GitHub Deploy Keys

When a GitHub repo is added to CircleCI, it's my understanding that CircleCI adds a deploy key to GitHub. This key gives read-only access to the repo.

If a user decides to run a job via “Rerun job with SSH”, they can access that key, as it's accessible to them in the .ssh folder.

I'm concerned that when a user leaves the org, they can take a copy of the deploy key with them and retain read access to the repo.

Is there any mechanism to rotate the deploy keys when someone leaves my org?


I'm also interested in rotating deploy keys! It looks like you can set up a script to rotate them via these APIs? https://circleci.com/docs/api/#keys
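As an added illustration of the rotation script the reply above suggests (this is not code from the thread, from CircleCI, or from either poster), the following Python performs a create-then-delete rotation of a project's deploy keys. It assumes the checkout-key endpoints of CircleCI's v2 API as documented publicly (`GET`/`POST /project/{slug}/checkout-key`, `DELETE /project/{slug}/checkout-key/{fingerprint}`, with `type`, `fingerprint` and `public-key` fields on each key); those paths and field names are assumptions, not something the thread states, so check them against the current API docs before running it for real. The `FakeCircleCI` transport and the sample keys are constructed so the rotation can be exercised offline.

```python
"""Rotate a CircleCI project's GitHub deploy key via the CircleCI v2 API.

Assumed endpoint shapes (taken from CircleCI's public API docs, NOT from the thread):
  GET    /project/{slug}/checkout-key                 -> {"items": [key, ...]}
  POST   /project/{slug}/checkout-key  {"type": ...}  -> key
  DELETE /project/{slug}/checkout-key/{fingerprint}   -> {"message": "OK"}
where key = {"type": "deploy-key" | "user-key", "fingerprint": ..., "public-key": ..., ...}
"""
import json
import os
import urllib.request

API_BASE = "https://circleci.com/api/v2"


def circleci_call(method, path, body=None, token=None):
    """Real transport: one authenticated JSON request against the CircleCI API.

    The token is read from CIRCLE_TOKEN only when a request is made, so importing
    this module never requires credentials.
    """
    token = token or os.environ["CIRCLE_TOKEN"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Circle-Token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def rotate_deploy_keys(project_slug, call):
    """Create a fresh deploy key, then remove every older deploy key.

    `call(method, path, body)` is the transport: use circleci_call for real runs
    or FakeCircleCI for a dry run.  Creating before deleting means the project can
    check out code at every point during the rotation.  Keys of type "user-key"
    belong to individual users and are deliberately left alone here.
    """
    base = f"/project/{project_slug}/checkout-key"
    before = call("GET", base, None)["items"]
    old = [k["fingerprint"] for k in before if k["type"] == "deploy-key"]

    new = call("POST", base, {"type": "deploy-key"})
    if new.get("type") != "deploy-key" or not new.get("fingerprint"):
        raise RuntimeError(f"unexpected create response: {new!r}")

    removed = []
    for fp in old:
        if fp == new["fingerprint"]:
            continue  # never delete the key we just created
        call("DELETE", f"{base}/{fp}", None)
        removed.append(fp)
    return {"new": new["fingerprint"], "removed": removed}


class FakeCircleCI:
    """In-memory stand-in for the API so the rotation can run offline (constructed)."""

    def __init__(self, keys):
        self.keys = [dict(k) for k in keys]
        self.counter = 0

    def __call__(self, method, path, body):
        if method == "GET":
            return {"items": list(self.keys)}
        if method == "POST":
            self.counter += 1
            key = {
                "type": body["type"],
                "fingerprint": f"ff:ff:ff:{self.counter:02x}",  # constructed value
                "public-key": "ssh-rsa CONSTRUCTED-NEW",
                "preferred": True,
            }
            self.keys.append(key)
            return key
        if method == "DELETE":
            fp = path.rsplit("/", 1)[-1]
            kept = [k for k in self.keys if k["fingerprint"] != fp]
            if len(kept) == len(self.keys):
                raise KeyError(f"no such fingerprint: {fp}")
            self.keys = kept
            return {"message": "OK"}
        raise ValueError(method)


# Constructed sample state: one deploy key (to be rotated) and one user key (kept).
SAMPLE_KEYS = [
    {"type": "deploy-key", "fingerprint": "aa:aa:aa:01", "public-key": "ssh-rsa CONSTRUCTED-1"},
    {"type": "user-key", "fingerprint": "bb:bb:bb:02", "public-key": "ssh-rsa CONSTRUCTED-2"},
]


def demo():
    """Dry run against the fake; returns the rotation result and the keys left behind."""
    api = FakeCircleCI(SAMPLE_KEYS)
    result = rotate_deploy_keys("gh/example-org/example-repo", api)
    return result, api.keys


if __name__ == "__main__":
    print(demo())
    # Real use (hypothetical slug): rotate_deploy_keys("gh/your-org/your-repo", circleci_call)
```

Run it on a schedule or from your offboarding runbook, once per project slug. After each rotation, confirm in the repository's deploy key settings on the GitHub side that the old public key is gone and only the new fingerprint remains; the CircleCI API response alone does not prove the GitHub side was cleaned up.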