
Creating a Git Service Account

When you run automated processes (such as CI/CD pipelines, deployments triggered by Job Schedule, or GitHub Actions), using a developer's personal account is risky. If that person leaves, tokens expire, or permissions change, your automation breaks.

With Coalesce, creating a dedicated version control account tied to automated functions is best practice. This approach gives you:

  • Stability: Automation isn't tied to any individual employee.
  • Auditability: Commits from automation are clearly attributed to a dedicated account.
  • Security: You can scope tokens and permissions to only what automation needs.

When to Use a Dedicated Git Account

Use a dedicated Git account for automation when:

  • GitHub Actions or CI/CD runs deployments or refreshes. Store your Coalesce API token and other secrets in GitHub; Coalesce uses the Git account configured for that Project to perform deployments. See Orchestrate Jobs With GitHub Actions and the API or Orchestrate Deploys With GitHub Actions and the CLI for workflow setup.
  • Job Schedule triggers deployments or commits. Select the automation account as the default Git account when creating the Project.
  • CLI or API triggers deployments. The deployment uses the Git account associated with the Project and Environment.
  • Shared Workspaces used by automation need consistent Git credentials.

For interactive development, developers can continue using their personal Git accounts in Coalesce. This guide focuses on the account used for automation.

Before You Begin

Complete the following before you begin:

  • Review Coalesce Git Requirements before starting.
  • Ensure you have admin access to your GitHub organization or repository.
  • Have a Project in Coalesce with version control configured, or plan to add it during setup.

Create a Dedicated GitHub Account for Automation

Detailed Setup

Review Step: 1 Setup Version Control for detailed steps and videos.

You can create a dedicated account for automation. Many organizations use a pattern such as:

  • coalesce-bot@yourcompany.com
  • coalesce-automation@yourcompany.com
  • data-platform-ci@yourcompany.com

When setting up the account:

  • Use a distribution list or shared mailbox so the account isn't tied to a single person.
  • Add the account as a collaborator with the appropriate permissions (for example, Write access for the repository).

Step 1: Generate a Fine-Grained Access Token

Generate a fine-grained token in GitHub with these steps:

  1. Click on your GitHub profile and go to Settings > Developer Settings.

  2. Click Personal access tokens > Fine-grained tokens.

    The image shows a GitHub interface for creating a new fine-grained personal access token. The form includes fields for token name, description, resource owner (set to GitHub user), expiration period (30 days), repository access options (with All repositories selected), and permission settings with repository and account permissions sections visible at the bottom.
  3. Give the token a name and description.

  4. Set the following based on your company policy.

    1. Resource owner
    2. Expiration date
    3. Repository access should be either All repositories or Only select repositories.
  5. Open Permissions > Repository permissions.

  6. Set Contents to Read and write. GitHub will also automatically grant Metadata, which is required.

    The image shows a section of GitHub permissions settings with three permission categories. The "Contents" category is highlighted with a red rectangle and is marked as "Selected" with "Read and write" access enabled. This section controls permissions for repository contents including commits, branches, downloads, releases, and merges. Above it is "Commit statuses" and below are "Custom properties" and "Dependabot alerts" categories, both showing "No access" permission levels.
  7. Save your access token somewhere secure. You won't be able to recover it.

Token Permissions

For Coalesce, the token needs Contents: Read and write. This allows the account to push commits, pull changes, and manage branches. No other repository permissions are required.

Step 2: Add the Account to Coalesce

Add the automation account to your Project in Coalesce:

  1. Go to the Project page. If you are on the Build page, click the back arrow.

  2. Click the plus sign (+) next to Projects.

    Projects interface showing 'Default Project' with two workspaces: Development (branch: main) and Docs Testing (branch: understanding_commits). Each workspace has Launch button and settings icons. Top navigation includes Project Settings and Create Workspace options.
  3. Enter the Project name and description. Click Next.

    Project creation form (Step 1 of 3) showing required Name field with validation error and optional Description field. Navigation buttons for Previous and Next steps shown at bottom.
  4. Enter your Version control repository URL.

    Version control setup page (Step 2 of 3) for Coalesce project creation. Shows required Git repository URL input field with explanation that repository will be shared across workspaces and users. Includes 'Skip and Create' option and Previous/Next navigation buttons.
  5. On the next page, click Add New Account.

    1. Enter an account nickname. This will be displayed in the interface.
    2. Enter your username. If you are using Bitbucket AND generated a repo access token, set x-token-auth as the username.
    3. Enter your token. This will be either the GitLab token, Git token, Azure token, or Bitbucket token.
    4. Enter the Author Name, which identifies the committer. This doesn't have to match your version control account.
    5. Enter the Author Email, which identifies the committer email. This doesn't have to match your version control account.
    6. Click Add.
    A form interface for adding a version control account with empty input fields. The form includes required fields for Account Nickname, Username, Token, Name, and Email, with explanatory text beneath each field and Cancel and Add Account buttons at the bottom.
  6. Select the Git account you just created in the dropdown, then click Test Account.

    Git account configuration page (Step 3 of 3) showing repository URL, Git account dropdown set to 'Coalesce Docs', and options to add new account or test existing account. Includes Previous and Finish buttons.
  7. Then click Finish to create your Project.

Existing Projects

If your Project already has version control configured, you can add a new Git account from User Menu > User Settings > Git Accounts. Click Add and fill in the same fields. Then select the new account when configuring the Project or Workspace used by automation.

Coalesce Service Accounts vs. Git Accounts

Coalesce has its own service accounts for running deployments, refreshes, and scheduled jobs in the Coalesce app. Those are separate from Git accounts:

  • Coalesce service accounts: Log into Coalesce and perform deployments, refreshes, and other operations. They are created in Org Settings > Users and use key pair or machine-to-machine authentication. See Service Accounts in Coalesce and Adding Users and Setting Permissions.
  • Git accounts: Authenticate with your Git provider (GitHub, GitLab, Bitbucket, Azure DevOps) when Coalesce commits or pushes code. They are created in User Settings > Git Accounts or during Project setup.

For a fully automated pipeline, you typically need both:

  1. A Coalesce service account with Environment Admin (or equivalent) to deploy and refresh.
  2. A Git account tied to a dedicated GitHub (or other provider) account for version control operations.

Best Practices

Follow these practices when managing automation accounts:

  • Use a dedicated account: Don't use a developer's personal GitHub account for automation.
  • Use distribution emails: Tie the automation account to a shared mailbox (for example, coalesce-bot@yourcompany.com) so it isn't tied to one person.
  • Scope tokens narrowly: Use fine-grained tokens with access only to the repositories Coalesce needs.
  • Rotate tokens periodically: Set an expiration and rotate tokens before they expire. Update the token in Coalesce when you rotate.
  • Document the account: Record who manages the account and where tokens are stored so your team can maintain it.
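
A check a CI job could run against the automation token to enforce the fine-grained and rotation practices above (an added example, not Coalesce's or GitHub's code). The environment variable name, the 14-day threshold, and the two timestamp layouts parsed from GitHub's `github-authentication-token-expiration` response header are assumptions; the sample header value is constructed.

```python
import os
import urllib.request
from datetime import datetime, timezone

EXPIRY_HEADER = "github-authentication-token-expiration"
ROTATE_WITHIN_DAYS = 14  # assumed policy threshold, not from the page
SAMPLE = {EXPIRY_HEADER: "2030-01-01 00:00:00 UTC"}  # constructed, for offline runs


def parse_expiry(value):
    """Parse the header timestamp; both layouts handled here are assumptions."""
    value = value.strip()
    if value.endswith(" UTC"):
        naive = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def assess(token, headers, now):
    """Return a list of findings; an empty list means the token passes."""
    findings = []
    if not token.startswith("github_pat_"):  # fine-grained tokens use this prefix
        findings.append("not a fine-grained token")
    raw = {k.lower(): v for k, v in headers.items()}.get(EXPIRY_HEADER)
    if raw is None:
        return findings + ["token has no expiration date"]
    days_left = (parse_expiry(raw) - now).days
    if days_left < 0:
        findings.append("token expired")
    elif days_left <= ROTATE_WITHIN_DAYS:
        findings.append(f"rotate now: {days_left} day(s) left")
    return findings


def fetch_headers(token):
    """One authenticated request; a rejected token raises HTTPError."""
    req = urllib.request.Request("https://api.github.com/user", headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    tok = os.environ.get("COALESCE_GIT_TOKEN")  # hypothetical variable name
    hdrs = fetch_headers(tok) if tok else SAMPLE
    problems = assess(tok or "github_pat_CONSTRUCTED", hdrs, datetime.now(timezone.utc))
    print("\n".join(problems) or "token passes")
    raise SystemExit(1 if problems else 0)
```

The script exits non-zero on any finding, so a scheduled workflow that runs it fails before the token lapses rather than at the next deployment.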
