5d8710e8c9
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>
5.4 KiB
title, intro, redirect_from, versions, shortTitle
| title | intro | redirect_from | versions | shortTitle | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use GITHUB_TOKEN for authentication in workflows | Learn how to use the `GITHUB_TOKEN` to authenticate on behalf of {% data variables.product.prodname_actions %}. |
|
|
Authenticate with GITHUB_TOKEN |
This tutorial leads you through how to use the GITHUB_TOKEN for authentication in {% data variables.product.prodname_actions %} workflows, including examples for passing the token to actions, making API requests, and configuring permissions for secure automation.
For reference information, see AUTOTITLE.
Using the GITHUB_TOKEN in a workflow
You can use the GITHUB_TOKEN by using the standard syntax for referencing secrets: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}. Examples of using the GITHUB_TOKEN include passing the token as an input to an action, or using it to make an authenticated {% data variables.product.github %} API request.
Important
An action can access the
GITHUB_TOKENthrough thegithub.tokencontext even if the workflow does not explicitly pass theGITHUB_TOKENto the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to theGITHUB_TOKEN. For more information, see AUTOTITLE.
Example 1: passing the GITHUB_TOKEN as an input
{% data reusables.actions.github_token-input-example %}
Example 2: calling the REST API
You can use the GITHUB_TOKEN to make authenticated API calls. This example workflow creates an issue using the {% data variables.product.prodname_dotcom %} REST API:
name: Create issue on commit
on: [ push ]
jobs:
create_issue:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Create issue using REST API
run: |
curl --request POST \
--url {% data variables.product.rest_url %}/repos/${% raw %}{{ github.repository }}{% endraw %}/issues \
--header 'authorization: Bearer ${% raw %}{{ secrets.GITHUB_TOKEN }}{% endraw %}' \
--header 'content-type: application/json' \
--data '{
"title": "Automated issue for commit: ${% raw %}{{ github.sha }}{% endraw %}",
"body": "This issue was automatically created by the GitHub Action workflow **${% raw %}{{ github.workflow }}{% endraw %}**. \n\n The commit hash was: _${% raw %}{{ github.sha }}{% endraw %}_."
}' \
--fail
Modifying the permissions for the GITHUB_TOKEN
Use the permissions key in your workflow file to modify permissions for the GITHUB_TOKEN for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. As a good security practice, you should grant the GITHUB_TOKEN the least required access.
To see the list of permissions available for use and their parameterized names, see AUTOTITLE.
The two workflow examples earlier in this article show the permissions key being used at the job level.
Granting additional permissions
If you need a token that requires permissions that aren't available in the GITHUB_TOKEN, create a {% data variables.product.prodname_github_app %} and generate an installation access token within your workflow. For more information, see AUTOTITLE. Alternatively, you can create a {% data variables.product.pat_generic %}, store it as a secret in your repository, and use the token in your workflow with the {% raw %}${{ secrets.SECRET_NAME }}{% endraw %} syntax. For more information, see AUTOTITLE and AUTOTITLE.