This JavaScript GitHub Action can be used to impersonate a GitHub App when secrets.GITHUB_TOKEN
's limitations are too restrictive and a personal access token is not suitable.
For instance, from GitHub Actions' docs:
When you use the repository's
GITHUB_TOKEN
to perform tasks, events triggered by theGITHUB_TOKEN
, with the exception ofworkflow_dispatch
andrepository_dispatch
, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository'sGITHUB_TOKEN
, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
A workaround is to use a personal access token from a personal user/bot account. However, for organizations, GitHub Apps are a more appropriate automation solution.
jobs:
job:
runs-on: ubuntu-latest
steps:
- id: create_token
uses: tibdex/github-app-token@v2
with:
app_id: ${{ secrets.APP_ID }}
# Optional.
# github_api_url: https://api.example.com
# Optional.
# installation_retrieval_mode: id
# Optional.
# installation_retrieval_payload: 1337
# Optional.
# Using a YAML multiline string to avoid escaping the JSON quotes.
# permissions: >-
# {"pull_requests": "read"}
private_key: ${{ secrets.PRIVATE_KEY }}
# Optional.
# repositories: >-
# ["actions/toolkit", "github/docs"]
# Optional.
# List of repository IDs that the token should have access to
# https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app
# https://docs.github.com/en/actions/learn-github-actions/contexts#github-context
# repository_ids: >-
# [${{github.repository_id}}]
# Optional.
# revoke: false
- run: "echo 'The created token is masked: ${{ steps.create_token.outputs.token }}'"
Another use case for this action can (or could) be found in GitHub's own docs.