The Secrets of An Authenticated GitHub Action Workflow
Brian Douglas
Posted on February 11, 2021
GitHub Actions is a combination of primitives for users to quickly ship integrations for their repos. Some of these primitives include the API, webhooks, and authentication.
The approach towards authentication has previously been centralized around the GITHUB_TOKEN. Before GitHub Actions, you needed to create these tokens manually.
If you are unfamiliar with tokens, let me point you to the docs on creating a personal access token.
GitHub automatically creates a GITHUB_TOKEN secret to use in your GitHub Actions workflows. You can use this GITHUB_TOKEN to authenticate in a specific workflow run.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow.
For more information, see "Permissions for the GITHUB_TOKEN."
| Permission | Access type | Access by forked repos |
|---|---|---|
| actions | read/write | read |
| checks | read/write | read |
| contents | read/write | read |
| deployments | read/write | read |
| issues | read/write | read |
| metadata | read | read |
| packages | read/write | read |
| pull requests | read/write | read |
| repository projects | read/write | read |
| statuses | read/write | read |
If you need a token that requires permissions that aren't available in the given GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.
Before each job begins, GitHub fetches an installation access token for the job. The token expires when the job is finished.
GITHUB_TOKEN to create an issue in my team's repository. As an aside, GitHub uses GitHub to build GitHub, and that means most teams have a repository associated with them, including (finance).
The permission to create and manage issues is granted through the GITHUB_TOKEN. To leverage it, I pass it to my created Action directly.
```yaml
on:
  schedule:
    # Runs every Sunday at 13:01 UTC; the cron string is quoted so YAML
    # treats it as a plain string.
    - cron: '01 13 * * 0'
name: Top 5
jobs:
  createAnIssue:
    name: Create an issue
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Create an issue
        # The action is pinned to a full commit SHA rather than a mutable tag.
        uses: bdougie/create-an-issue@e43b083ea71e22e77a81ffb4a55dacb2addb71ed
        env:
          # The job-scoped installation token described above, passed to the action.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          args: .github/ISSUE_TEMPLATE/TOP5.md
```
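The same workflow with the GITHUB_TOKEN scoped down to only the two permissions it uses, as an added example that is not part of the original post. It relies on the workflow-level `permissions` key that GitHub Actions provides (not covered in the post): once any scope is listed there, every scope not listed is set to `none` for the job (metadata stays read), so the table above is the ceiling and this block is the floor.

```yaml
name: Top 5

on:
  schedule:
    - cron: '01 13 * * 0'

# Restrict the job's GITHUB_TOKEN to what this workflow actually needs.
# Every scope not listed here becomes "none", so even if the checked-out
# code or a third-party action misbehaves, the token cannot push commits,
# publish packages or edit deployments.
permissions:
  contents: read   # actions/checkout only needs to read the repository
  issues: write    # the single write scope: creating the issue

jobs:
  createAnIssue:
    name: Create an issue
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Create an issue
        # Pinned to a full commit SHA, as in the original workflow, so the
        # action's code cannot change underneath the token it receives.
        uses: bdougie/create-an-issue@e43b083ea71e22e77a81ffb4a55dacb2addb71ed
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          args: .github/ISSUE_TEMPLATE/TOP5.md
```

Because the token is minted per job and expires when the job finishes, the reduced scopes apply only to this run; a separate job that needs more would declare its own `permissions` block.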
This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev.