Skip to content

Impersonate a GitHub App in a GitHub Action

License

Notifications You must be signed in to change notification settings

tibdex/github-app-token

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

GitHub App Token

This JavaScript GitHub Action can be used to impersonate a GitHub App when secrets.GITHUB_TOKEN's limitations are too restrictive and a personal access token is not suitable.

For instance, from GitHub Actions' docs:

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

A workaround is to use a personal access token from a personal user/bot account. However, for organizations, GitHub Apps are a more appropriate automation solution.

Example Workflow

jobs:
  job:
    runs-on: ubuntu-latest
    steps:
      - id: create_token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.APP_ID }}

          # Optional.
          # github_api_url: https://api.example.com

          # Optional.
          # installation_retrieval_mode: id

          # Optional.
          # installation_retrieval_payload: 1337

          # Optional.
          # Using a YAML multiline string to avoid escaping the JSON quotes.
          # permissions: >-
          #   {"pull_requests": "read"}

          private_key: ${{ secrets.PRIVATE_KEY }}

          # Optional.
          # repositories: >-
          #   ["actions/toolkit", "github/docs"]

          # Optional.
          # revoke: false

      - run: "echo 'The created token is masked: ${{ steps.create_token.outputs.token }}'"

Another use case for this action can (or could) be found in GitHub's own docs.