HF Write Token Policy¶
OpenMed model publication uses a dedicated HF_WRITE_TOKEN secret for CI runs that write converted artifacts to the OpenMed organization. This token is separate from runtime read tokens and package publishing credentials.
Scope¶
- Create a fine-grained token with org-write access limited to the OpenMed organization.
- Do not grant admin, billing, or account-management permissions.
- Do not reuse a personal development token, read token, or package publishing token.
- Treat exposure as org-wide write access to OpenMed model repositories.
Storage¶
- Store the value as the
HF_WRITE_TOKENsecret in thehf-publishGitHub Actions protected environment. - Keep the secret out of repository-level Actions secrets unless a workflow cannot be environment-bound.
- Require environment protection before jobs can read the secret.
- Only repository administrators who can manage environment secrets may replace or delete it. The saved value cannot be read back after it is stored.
CI Use¶
The convert-models.yml workflow exposes the secret only to the protected publish-hf job. The publish guard uses a step-level environment binding:
environment:
name: hf-publish
steps:
- name: Require HF write token before publish
env:
HF_WRITE_TOKEN: ${{ secrets.HF_WRITE_TOKEN }}
The publish job must check that HF_WRITE_TOKEN is set before running any upload command. Logs may mention the secret name but must never print the value.
Rotation¶
- Rotate the token every 90 days, or immediately after maintainer turnover, suspicious workflow activity, or accidental disclosure.
- Create the replacement token first, update the
hf-publishenvironment secret, then run a manual publish credential check before deleting the old token. - Record the rotation date and operator in the release notes or private operations log without copying the token value.
Revocation And Blast Radius¶
If HF_WRITE_TOKEN is exposed:
- Revoke the token from the token provider immediately.
- Delete or replace the
hf-publishenvironment secret. - Disable queued or running publish workflows until the replacement secret is in place.
- Audit model repositories in the OpenMed organization for unexpected commits, files, tags, or metadata changes.
- Re-run the last known-good publish workflow after the audit if any artifact needs restoration.
The blast radius is org-wide write access to OpenMed model repositories. The token must not have package publishing, repository administration, billing, or account ownership permissions.