Obtain temporary Access Tokens for GitHub Actions workflows by requesting GitHub App Installation Access Tokens.
Authorization is based on the GitHub Actions OIDC tokens and .github/access-token.yaml file in the target repositories.
- This GitHub action will request an access token for a Target Repository from the App Server, authorize by the GitHub Action OIDC Token.
- The App Server requests a GitHub App Installation Token to read
.github/access-token.yamlfile in Granting Repository. - The App Server reads
.github/access-token.yamlfile from Target Repository and determine which permissions should be granted to Requesting GitHub Action Identity. - The App Server requests a GitHub App Installation Token with granted permissions for Requesting GitHub Action Identity and send it back in response to this GitHub action from step
1.. - This GitHub action sets the token as the step output field
token - Further job steps can then utilize this token to access resources of the Granting Repository e.g.
${{ steps.<ACCESS_TOKEN_STEP_ID>.outputs.token }}.
See Action Metadata and Example Use Cases.
Install Access Tokens for GitHub Actions from Marketplace or host and install your own GitHub App
Warning
Be aware by installing the access token GitHub App everybody with write assess to .github/access-token.yaml can grant repository access permissions to GitHub Actions workflow runs.
Tip
For organizations on GitHub Enterprise plan it is possible to restrict write access to .github/access-token.yaml to repository admins only by using a push ruleset
Protect access token policy ruleset
- Create a new push ruleset
- Set
Ruleset NametoProtect access token policy - Set
Enforcement statustoActive - Hit
Add bypass, selectRepository adminand hitAdd selected - Set
Target repositoriestoAll repositories - Enable
Restrict file paths- Click
Add file path, setFile pathto.github/access-token.yamland hitAdd file path- Also add file path
.github/access-token.yml
- Also add file path
- Click
- Hit
Createbutton
Create a OWNER/.github-access-token repository and create an access-token.yaml file at the root directory of the repository based on this policy template
Important
Ensure repository permissions have been granted (allowed-repository-permissions) within the owner access policy file see Create and Configure Owner Policy
To grant repository permission create an access-token.yaml file within the .github/ directory of the target repository with this template content
Note
You can also grant permissions to all organization repositories within the owner access policy file see Create and Configure Owner Policy
on:
workflow_dispatch:
schedule:
- cron: '0 12 * * *' # every day at 12:00 UTC
jobs:
update-secret:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- uses: qoomon/actions--access-token@v3
id: access-token
with:
permissions: |
secrets: write
- name: Update secret
run: >-
gh secret
set 'API_KEY'
--body "$(date +%s)"
--repo ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.access-token.outputs.token }}
read-secret:
needs: update-secret
runs-on: ubuntu-latest
steps:
- run: echo ${{ secrets.API_KEY }}name: GitHub Actions Access Manager Example
on:
workflow_dispatch:
push:
branches:
- main
jobs:
checkout:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: qoomon/actions--access-token@v3
id: access-token
with:
repository: [target repository]
permissions: |
contents: read
- uses: actions/checkout@v4
with:
repository: [target repository]
token: ${{ steps.access-token.outputs.token }}on:
workflow_dispatch:
push:
branches:
- main
permissions:
id-token: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: qoomon/actions--access-token@v3
id: access-token
with:
permissions: |
actions: write
- name: Trigger workflow
run: >-
gh workflow
run [target workflow].yml
--field logLevel=debug
env:
GITHUB_TOKEN: ${{steps.access-token.outputs.token}}
# ...- Run actions-release workflow to create a new action release