About Actions authentication
If you need to make authenticated API requests in a Actions workflow or need to execute a custom action that requires a token, you should use the built-in _TOKEN if possible. However, the _TOKEN can only access resources within the workflow's repository. If you need to access additional resources, such as resources in an organization or in another repository, you can use a App. For more information about why you might use a App over a personal access token, see About creating Apps.
Authenticating with a App
In order to use a App to make authenticated API requests, you must register a App, store your app's credentials, and install your app. Once this is done, you can use your app to create an installation access token, which can be used to make authenticated API requests in a Actions workflow. You can also pass the installation access token to a custom action that requires a token.
Register a App. Give your App registration the necessary permissions to access the desired resources. For more information, see Registering a App and Choosing permissions for a App.
Store the app ID of your App as a Actions configuration variable. You can find the app ID on the settings page for your app. The app ID is different from the client ID. For more information about navigating to the settings page for your App, see Modifying a App registration. For more information about storing configuration variables, see Store information in variables.
Generate a private key for your app. Store the contents of the resulting file as a secret. (Store the entire contents of the file, including
-----BEGIN RSA PRIVATE KEY-----and-----END RSA PRIVATE KEY-----.) For more information, see Managing private keys for Apps. For more information about storing secrets, see Using secrets in Actions.Install the App on your user account or organization and grant it access to any repositories that you want your workflow to access. For more information, see Installing your own App.
In your Actions workflow, create an installation access token, which you can use to make API requests.
To do this, you can use a -owned action as demonstrated in the following example. If you prefer to not use this action, you can fork and modify the
actions/create--app-tokenaction, or you can write a script to make your workflow create an installation token manually. For more information, see Authenticating as a App installation.The following example workflow uses the
actions/create--app-tokenaction to generate an installation access token. Then, the workflow uses the token to make an API request via the CLI.In the following workflow, replace
APP_IDwith the name of the configuration variable where you stored your app ID. ReplaceAPP_PRIVATE_KEYwith the name of the secret where you stored your app private key.
on:
workflow_dis:
jobs:
demo_app_authentication:
runs-on: ubuntu-latest
steps:
- name: Generate a token
id: generate-token
uses: actions/create--app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Use the token
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
gh api octocat
on:
workflow_dis:
jobs:
demo_app_authentication:
runs-on: ubuntu-latest
steps:
- name: Generate a token
id: generate-token
uses: actions/create--app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Use the token
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
gh api octocat