SaaS cares about control, not security: SSH Keys vs Personal Access Tokens

(This is an AI-assisted blog post, because I don't want to spend more than a couple of minutes writing down something stupid that GitHub and even GitLab are doing. I cannot say exactly why they are doing it, but I can tell you it is obviously stupid.)

How GitLab broke a simple workflow (and Forgejo didn’t)

I've had GitLab → GitHub mirroring working for a long time using GitHub fine-grained Personal Access Tokens (PATs). It works, but it has always felt clunky.

It basically gives me a username and a password that I paste into GitLab so it can push mirrored code to GitHub.

What I actually wanted was simple:

keep my repos in sync both ways between my GitLab (openbeagle.org) and GitHub


The problem

GitLab used to support pull mirroring (syncing from GitHub into GitLab).

They removed it from the free (GitLab Community Edition) tier.

Now it’s behind a paid plan.


So I installed Forgejo

I installed Forgejo just to handle the missing piece: pull mirroring changes from GitHub and push mirroring to GitLab.

And it worked immediately.

Even better:

  • Forgejo generated an SSH keypair
  • Showed me the public key
  • I pasted it into GitLab as a deploy key
  • Done

No secrets shared. No confusion.

I never even saw the private key.

That’s exactly how it should work.

Why this is nice:

the public key is like a fingerprint: you can hand out an image of it without handing over your finger. Anyone may hold the public key, but only the holder of the private key, which never left Forgejo, can authenticate with it.
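One check worth doing at the "paste it into GitLab" step: make sure what you paste is a well-formed public key and that its fingerprint matches what the generating side shows you. The following is an added example (mine, not Forgejo's or GitLab's code) that parses an OpenSSH public-key line of the form `ssh-ed25519 AAAA... comment`, checks the wire-format blob inside it, and computes the `SHA256:` fingerprint the way `ssh-keygen -lf` prints it (SHA256 over the key blob, base64 without padding). The sample key material is constructed from `bytes(range(32))` and is not a real key; the function names are mine.

```python
"""Validate an OpenSSH public-key line and compute its SHA256 fingerprint.

Added example for this post, not Forgejo's or GitLab's code. Useful when
a public key is copied from one service into another as a deploy key.
"""
import base64
import hashlib
import struct

# Key types whose blob is exactly: string(type) + string(raw key bytes).
# Only the fixed-length types are length-checked here (ed25519 public key = 32 bytes).
RAW_KEY_LENGTHS = {"ssh-ed25519": 32}


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one RFC 4251 'string' (big-endian uint32 length prefix + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("string field runs past end of blob")
    return blob[start:end], end


def parse_public_key(line: str) -> dict:
    """Parse '<type> <base64> [comment]' and check it is internally consistent.

    Raises ValueError for a private key pasted by mistake, bad base64, a blob
    whose embedded type differs from the declared type, or wrong key length.
    """
    if line.lstrip().startswith("-----BEGIN"):
        raise ValueError("this looks like a PRIVATE key; never paste it anywhere")
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # binascii.Error (bad base64) is a subclass of ValueError, so it propagates as one.
    blob = base64.b64decode(b64, validate=True)
    embedded_type, offset = _read_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != declared_type:
        raise ValueError(f"declared type {declared_type!r} but blob says {embedded_type!r}")
    key_material, offset = _read_string(blob, offset)
    expected = RAW_KEY_LENGTHS.get(declared_type)
    if expected is not None:
        if len(key_material) != expected:
            raise ValueError(f"{declared_type} key must be {expected} bytes, got {len(key_material)}")
        if offset != len(blob):
            raise ValueError("trailing bytes after key material")
    return {"type": declared_type, "key": key_material, "comment": comment, "blob": blob}


def is_valid_public_key(line: str) -> bool:
    """True if parse_public_key accepts the line, False otherwise."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: 'SHA256:' + unpadded base64 of sha256(blob)."""
    blob = parse_public_key(line)["blob"]
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def build_public_key_line(key_type: str, key_material: bytes, comment: str = "") -> str:
    """Encode raw key bytes into the text form; used here only to construct sample input."""
    def string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = string(key_type.encode("ascii")) + string(key_material)
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


# Constructed sample: 32 bytes that are NOT a real key, only to exercise the parser.
SAMPLE_KEY_MATERIAL = bytes(range(32))
SAMPLE_LINE = build_public_key_line("ssh-ed25519", SAMPLE_KEY_MATERIAL, "forgejo-mirror")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(fingerprint(SAMPLE_LINE))
```

Run it against the key Forgejo shows you and compare the printed fingerprint with `ssh-keygen -lf` on the same text; a mismatch means you did not paste what you thought you pasted. The private-key guard is there because the one thing a deploy-key workflow must never do is move the private half between services.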


Then I thought…

“Okay, maybe GitLab at least does this right for push mirroring.”

I saw the option:

SSH public key

I thought:

“Nice—same model as Forgejo.”


Nope.

Instead:

  • No visible key
  • Confusing UI
  • No clear way to get a public key
  • Docs that don’t match reality

After fighting it for way too long…

👉 It turns out the feature basically isn’t there in a usable way


What actually works?

Back to:

Personal Access Tokens (PATs)

Which is basically:

writing your door code on a sticky note and handing it to the cleaning crew

A PAT is a bearer secret: GitLab has to store it and present it on every push, so anyone who can read it out of GitLab holds a credential that acts as you on GitHub. Scoping a fine-grained PAT to the one repository with contents write access and giving it an expiry limits the damage, but it does not change the model.


Compare that to Forgejo

Forgejo:

  • Generates keys for you
  • Keeps the private key secret
  • Shows you the public key
  • Uses deploy keys properly

GitLab:

  • Removed pull mirroring (unless you pay)
  • Pushes you toward tokens
  • Has half-working SSH options

This is the real difference

GitLab (company):

  • Makes money on hosted features
  • Moves useful functionality behind paywalls

Forgejo (community project):

  • Focuses on doing the right thing
  • Keeps workflows simple and transparent

Bottom line

It matters how an open source project is managed and motivated.

If someone tells you they need profits to provide resources to produce security, don’t just take them at their word.