The Secrets of An Authenticated GitHub Action Workflow

Brian Douglas - Feb 11 '21 - - Dev Community

GitHub Actions is a combination of primitives for users to quickly ship integrations for their repos. Some of these primitives include the API, webhooks, and authentication.

The approach to authentication has previously been centered on the GITHUB_TOKEN. Before GitHub Actions, you needed to create these tokens manually.

If you are unfamiliar with tokens, let me point you to the docs on creating a personal access token.

GitHub automatically creates a GITHUB_TOKEN secret to use in your GitHub Actions workflows. You can use this GITHUB_TOKEN to authenticate in a specific workflow run.

When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow.

For more information, see "Permissions for the GITHUB_TOKEN."

Permission            Access type   Access by forked repos
actions               read/write    read
checks                read/write    read
contents              read/write    read
deployments           read/write    read
issues                read/write    read
metadata              read          read
packages              read/write    read
pull requests         read/write    read
repository projects   read/write    read
statuses              read/write    read

If you need a token that requires permissions that aren't available in the given GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.

Before each job begins, GitHub fetches an installation access token for the job. The token expires when the job is finished.

GITHUB_TOKEN to create an issue in my team's repository. As an aside, GitHub uses GitHub to build GitHub, and that means most teams have a repository associated with them, including (finance).

The permission to create and manage issues is granted through the GITHUB_TOKEN. To leverage it, I pass it to my created Action directly.

on:
  schedule:
  - cron: 01 13 * * 0
name: Top 5
jobs:
  createAnIssue:
    name: Create an issue
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Create an issue
      uses: bdougie/create-an-issue@e43b083ea71e22e77a81ffb4a55dacb2addb71ed
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        args: .github/ISSUE_TEMPLATE/TOP5.md
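Building on the workflow above, here is an added example (not code from the original post) that pins the automatic GITHUB_TOKEN to the two scopes this job actually needs, using the top-level `permissions` key of the workflow syntax, which the post does not cover. The action and its pinned commit are the ones shown in the post.

```yaml
on:
  schedule:
  - cron: 01 13 * * 0
name: Top 5

# Restrict what the automatic GITHUB_TOKEN may do for every job in this
# workflow. Listing any scope here sets every unlisted scope to none, so
# the token can open issues but cannot push code or publish packages.
permissions:
  contents: read   # actions/checkout only needs to read the repository
  issues: write    # required to create the issue

jobs:
  createAnIssue:
    name: Create an issue
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Create an issue
      uses: bdougie/create-an-issue@e43b083ea71e22e77a81ffb4a55dacb2addb71ed
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        args: .github/ISSUE_TEMPLATE/TOP5.md
```

The token still expires when the job finishes, and a run triggered from a forked repository still receives the read-only token described in the table above regardless of this block.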

This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev.
