jobs:
  job:
    runs-on: ubuntu-latest
    steps:
      - id: create_token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.PRIVATE_KEY }}
      - run: "echo 'The created token is masked: ${{ steps.create_token.outputs.token }}'"
github-app-token
Impersonate a GitHub App in a GitHub Action
How to Use GitHub App Token Action
The GitHub App Token Action is a JavaScript-based GitHub Action that allows you to impersonate a GitHub App. It is useful mainly when the default secrets.GITHUB_TOKEN is too constraining for your use and a personal access token (PAT) wouldn't serve the use case.
- For certain events where using the repository's GITHUB_TOKEN to act would trigger new runs of workflows, use with caution to avoid running recursively.
- Although you can technically use a PAT from a personal user/bot account, for organizations, the right way to do automation is via GitHub Apps.
GitHub App Token Setup
- GitHub App ID and Private Key:
  - app_id: Your GitHub App ID.
  - private_key: The private key of your GitHub App.
- Optional Parameters
  - github_api_url: The URL to the GitHub API. Useful for GitHub Enterprise.
  - installation_retrieval_mode: Mode to retrieve installation. The default is id.
  - installation_retrieval_payload: Payload for identification mode.
  - permissions: The JSON object that expresses the permission set for the token.
  - repositories: List of repositories the token is for granting access to.
  - revoke: Whether to revoke the token after using it.
Use the optional parameters to narrow the token's permissions and repository access, which improves both security and usability.
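A workflow that applies these optional parameters to issue a narrowly scoped token, as an added example that is not taken from the action's own documentation. The repository name and job name are constructed, and passing permissions and repositories as JSON strings is an assumption about the input format.

```yaml
# Added example. example-org/example-repo is a constructed placeholder.
name: scoped-app-token
on: workflow_dispatch

# This job never uses the default GITHUB_TOKEN, so grant it nothing.
permissions: {}

jobs:
  list-pull-requests:
    runs-on: ubuntu-latest
    steps:
      - id: create_token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.PRIVATE_KEY }}
          # Assumed format: a JSON object passed as a string.
          # Request only what the later steps need; the App's own
          # permission set remains the upper bound.
          permissions: >-
            {"pull_requests": "read"}
          # Assumed format: a JSON array of "owner/repo" strings.
          repositories: >-
            ["example-org/example-repo"]
          # Revoke the token after use so it cannot be replayed later.
          revoke: true

      - name: Use the token through the environment
        env:
          # Hand the token over as an environment variable instead of
          # interpolating it into the script text.
          GH_TOKEN: ${{ steps.create_token.outputs.token }}
        run: gh api repos/example-org/example-repo/pulls --jq '.[].title'
```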
Getting your GitHub App credentials
To acquire the appropriate credentials:
- App ID: Available in the settings for your GitHub App.
- Private Key: Created during the creation of the GitHub App. Be sure to keep this in a secure location.
When you store your credentials securely with GitHub Secrets, unauthorized users cannot access them, and your automation process keeps its integrity.
With these steps done, you can use the GitHub App Token Action to impersonate a GitHub App in your workflows, giving your organization safe and appropriate automation: flexibility, better security, and permissions and access that can be adjusted as needed.