Generate a GitHub App installation access token in GitHub Actions.
This action generates an installation access token for a specified GitHub App, enabling authentication in GitHub Actions workflows. You can specify one or more repositories to define its access scope.

```yaml
steps:
  - name: Generate GitHub Token
    uses: tmknom/generate-github-token-action@v0
    with:
      app-id: <your-github-app-id>
      app-private-key: <your-github-app-private-key>
      repositories: foo-repo bar-repo
```

| Name | Description | Default | Required |
|---|---|---|---|
| app-id | The ID of the GitHub App. | n/a | yes |
| app-private-key | The private key associated with the GitHub App. | n/a | no |
| app-private-key-file | The file path to the GitHub App's private key. | n/a | no |
| repositories | A space-separated list of repositories that the token grants access to. | n/a | no |

| Name | Description |
|---|---|
| token | The installation access token for the specified GitHub App. |

This action does not require additional GITHUB_TOKEN permissions in the workflow file.
However, make sure your GitHub App has the necessary permissions configured.
GitHub Actions provides a built-in GITHUB_TOKEN for workflows,
but it has limited permissions and cannot be used outside the workflow.
Personal Access Tokens (PATs) offer broader access, but they are tied to individual users, making them harder to manage and less secure in team environments. Additionally, PATs do not expire automatically, posing security risks if not revoked manually.
GitHub Apps use Installation Access Tokens, which provide several key advantages:
- Access beyond the repository where the workflow runs: `GITHUB_TOKEN` is restricted to its own repository, but installation tokens allow access to other repositories as needed.
- Short-lived tokens: Unlike PATs, which remain valid until manually revoked, installation tokens expire automatically after a short period, reducing exposure in case of compromise.
- Scoped repository access control: A GitHub App’s permissions define the maximum set of accessible repositories, but installation tokens enable additional security by allowing you to specify only the required repositories at runtime.
This action automates the creation of Installation Access Tokens within GitHub Actions, ensuring secure and seamless authentication.
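
The following workflow is an added example, not taken from the action's repository. It requests a token limited to a single other repository and uses it for a cross-repository checkout. The workflow name, step id and secret names (`APP_ID`, `APP_PRIVATE_KEY`) are hypothetical, and it assumes the GitHub App is installed for the same owner that holds `foo-repo`.

```yaml
# Added example: hypothetical workflow, not part of the original README.
name: read-foo-repo
on:
  workflow_dispatch:

# The README states the action needs no additional GITHUB_TOKEN permissions,
# so the built-in token is given none here (assumes no other step relies on it).
permissions: {}

jobs:
  read:
    runs-on: ubuntu-latest
    steps:
      - name: Generate GitHub Token
        id: app-token                                      # hypothetical step id
        uses: tmknom/generate-github-token-action@v0
        with:
          app-id: ${{ secrets.APP_ID }}                    # hypothetical secret name
          app-private-key: ${{ secrets.APP_PRIVATE_KEY }}  # hypothetical secret name
          # Request only the repository this job needs, even if the app
          # is installed on more repositories.
          repositories: foo-repo

      - name: Check out foo-repo with the installation token
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/foo-repo
          token: ${{ steps.app-token.outputs.token }}      # the action's `token` output
          path: foo-repo
          # Do not leave the token in the checked-out repository's git config.
          persist-credentials: false
```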
You need a GitHub App installation access token in the following cases:
- Accessing permissions unavailable to `GITHUB_TOKEN`: Some permissions (e.g., `workflows`) require a GitHub App token.
- Approving pull requests created with `GITHUB_TOKEN`: The creator of a pull request cannot approve it due to GitHub’s restrictions.
- Creating pull requests in workflows that trigger `pull_request` events: `GITHUB_TOKEN` does not trigger `pull_request` workflows when creating pull requests.
Yes.
Provide a space-separated list of repositories in the repositories input.
The generated token grants access to all specified repositories.
GitHub installation access tokens expire after one hour. Ensure your workflow regenerates the token as needed.
Installation access tokens expire automatically after one hour. To revoke a token immediately, use tmknom/revoke-github-token-action.
No.
This action generates an installation access token with the required repository permissions,
so no additional permissions settings are needed in the workflow file.
Yes.
You can provide the private key either as a string (app-private-key) or as a file path (app-private-key-file).
Using a file path is useful for managing secrets in the runner environment.
Yes. This action automatically masks credentials to prevent exposure in logs.
To set up the required permissions for your GitHub App:
- Go to `GitHub > Settings > Developer settings > GitHub Apps` and select your app.
- Under `Permissions`, configure access levels for the required resources.
- Save your changes and install the GitHub App on the necessary repositories or organizations.
For details, refer to GitHub Documentation.
> [!NOTE]
> Installation permissions may differ from the app's configured permissions. If the app requests additional permissions after installation, an administrator must approve them.
- revoke-github-token-action: Revokes a GitHub App installation access token for GitHub Actions.
- private-generate-github-token-action: Generates an installation access token for private use.
See GitHub Releases.
This section provides guidance for repository administrators on configuration settings that are managed outside the codebase.
The following secrets are stored in Repository Secrets for use in the test workflow:
- `TESTING_APP_ID`: The ID of the GitHub App `Testing for tmknom`.
- `TESTING_APP_PRIVATE_KEY`: The private key of the GitHub App `Testing for tmknom`.
These secrets authenticate the GitHub App.
> [!NOTE]
> `Testing for tmknom` is a GitHub App used exclusively for testing workflows. For more details, see the internal-docs repository (private).
The following variables are stored in Repository Variables for use in the test workflow:
- `TESTING_REPOSITORY`: The private repository for testing.
- `TESTING_REPOSITORY_INITIAL_COMMIT`: The hash of the initial commit in the testing repository.
- `TESTING_ADDITIONAL_REPOSITORY`: The additional private repository for testing.
- `TESTING_ADDITIONAL_REPOSITORY_INITIAL_COMMIT`: The hash of the initial commit in the additional testing repository.
- `TESTING_APP_PRIVATE_KEY_FINGERPRINT`: The fingerprint of the private key for the GitHub App `Testing for tmknom`.
These values are not sensitive. Since Repository Secrets cannot be accessed after being set, non-sensitive values are stored as Repository Variables for easier management.