This Git repository contains a simple GitHub Action that generates a GitHub Access Token based upon specific inputs.
Access tokens are necessary in GitHub Actions when the built-in GITHUB_TOKEN does not provide the permissions required for a task. In addition, tasks performed with the GITHUB_TOKEN will not trigger new workflow runs in certain cases, so an action that needs to trigger a workflow has to use a different token. An access token with the necessary permissions can be used for this purpose, and this action generates such a token.
The action takes in some inputs and uses them to create a token that can be used to interact with the GitHub API.
The rationale behind this repository is to keep simplicity and security at the forefront. The token generator may not suit every potential use case because its flexibility is limited. Customization options, such as the use of custom GitHub URLs, have been intentionally excluded. This decision follows the principle that less functionality means reduced testing and maintenance effort, fewer bugs, easier code review, and less susceptibility to security vulnerabilities. The code base consists of a single short TypeScript source file.
- app_id: Required. Number. GitHub App ID - found in the app settings.
- private_key: Required. String. The private key of the GitHub App in PEM format. This includes -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- markers.
- installation_id: Optional. Number. The ID of the app installation - found in the URL of the installation. If not provided, the default is the ID of an installation found using the repository input for the action.
- repository: Optional. String. Repository name in the format owner/repo. Default value is the name of the current repository. The value is only used if installation_id is not provided, in which case the repository is used to look up the installation ID for the app. The app is expected to be installed in the provided repository.
- token: The generated GitHub Access Token.
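How these inputs fit GitHub's documented App authentication flow, as an added JavaScript (Node.js) example that is not this action's own source: the private key signs a short-lived RS256 JWT, which is then sent to the installation endpoints. The function names are hypothetical and the key pair is a throwaway generated for the demo.

```javascript
// Added illustration of the GitHub App token flow; not this action's source.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// App JWT per GitHub's rules: RS256, iss = App ID, iat backdated 60 s for
// clock drift, exp no more than 10 minutes ahead (9 minutes used here).
function buildAppJwt(appId, privateKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = { iat: nowSec - 60, exp: nowSec + 540, iss: appId };
  const signingInput = `${b64url('{"alg":"RS256","typ":"JWT"}')}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Returns the claims if the signature checks out against the public key, else null.
function verifyAppJwt(jwt, publicKeyPem) {
  const [header, payload, sig] = jwt.split(".");
  const ok = nodeCrypto.verify("RSA-SHA256", Buffer.from(`${header}.${payload}`),
    publicKeyPem, Buffer.from(sig || "", "base64url"));
  return ok ? JSON.parse(Buffer.from(payload, "base64url").toString()) : null;
}

// REST calls sent with "Authorization: Bearer <jwt>". The installation lookup
// happens only when installation_id is absent, matching the inputs above.
function planRequests({ installation_id, repository }) {
  const steps = [];
  if (installation_id === undefined) {
    // Reject anything that is not owner/repo before it reaches a URL path.
    if (!/^[\w.-]+\/[\w.-]+$/.test(repository || "")) throw new Error("repository must be owner/repo");
    steps.push({ method: "GET", path: `/repos/${repository}/installation` });
  } else if (!Number.isInteger(installation_id)) {
    throw new Error("installation_id must be an integer");
  }
  const id = installation_id ?? "{id from lookup}";
  steps.push({ method: "POST", path: `/app/installations/${id}/access_tokens` });
  return steps;
}

// Constructed throwaway key pair (PKCS#1 PEM, "BEGIN RSA PRIVATE KEY") for the demo.
function makeDemoKeys() {
  return nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    privateKeyEncoding: { type: "pkcs1", format: "pem" },
    publicKeyEncoding: { type: "spki", format: "pem" },
  });
}

const demo = makeDemoKeys();
console.log(verifyAppJwt(buildAppJwt(12345, demo.privateKey), demo.publicKey));
console.log(planRequests({ repository: "that-org/that-repo" }));
```

The JWT only proves the app's identity; the installation token returned by the final POST is what ends up in the token output.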
View some other repository that-org/that-repo from this one without specifying an installation id. Note that the app with the given private key must actually be installed in that-org/that-repo, but it does not need to be installed in the current repository:
```yaml
- name: Generate an access token using app_id, pk and repo-name
  id: gen_token
  uses: kattecon/gh-app-access-token-gen@v1
  with:
    app_id: 12345 # Or rather use a value from secrets/vars.
    private_key: ${{ secrets.MY_APP_PK }}
    repository: that-org/that-repo
- name: Perform an action on behalf of the app
  env:
    GH_TOKEN: ${{ steps.gen_token.outputs.token }}
  run: gh repo view that-org/that-repo
```
View some other repository that-org/that-repo using an explicitly given installation id. The given installation is the one that gives access to that-org/that-repo in the example:
```yaml
- name: Generate an access token using app_id, pk and installation id
  id: gen_token
  uses: kattecon/gh-app-access-token-gen@v1
  with:
    app_id: 12345 # Or rather use a value from secrets/vars.
    private_key: ${{ secrets.MY_APP_PK }}
    installation_id: 54321 # Or rather use a value from secrets/vars.
- name: Perform an action on behalf of the app
  env:
    GH_TOKEN: ${{ steps.gen_token.outputs.token }}
  run: gh repo view that-org/that-repo
```
View some other repository that-org/that-repo, assuming that the repository of the running workflow and that-org/that-repo are both included in the same installation of the app with the given private key:
```yaml
- name: Generate an access token using app_id, pk
  id: gen_token
  uses: kattecon/gh-app-access-token-gen@v1
  with:
    app_id: 12345 # Or rather use a value from secrets/vars.
    private_key: ${{ secrets.MY_APP_PK }}
- name: Perform an action on behalf of the app
  env:
    GH_TOKEN: ${{ steps.gen_token.outputs.token }}
  run: gh repo view that-org/that-repo
```