My company has dozens of application repos whose GitHub Actions pipelines push changes to other GitOps repos, i.e. repo A1 pushes to repo A2, B1 > B2, C1 > C3, etc. What are the best practices for allowing the application repos write access?
We are thinking of either
a) Use deploy keys. Each GitOps repo gets a unique key, and then we add it as a secret to the corresponding app repo.
b) Create a GitHub App and install it into every GitOps repo, and then add its private key to all application repos as a secret. This creates a problem, though, with the key being exposed to many repositories. As a workaround, we can create a microservice that dynamically generates GitHub installation tokens and never exposes the key itself.