This JavaScript GitHub Action can be used to impersonate a GitHub App when secrets.GITHUB_TOKEN
's limitations are too restrictive and a personal access token is not suitable.
For instance, from GitHub Actions' docs:
When you use the repository's
GITHUB_TOKEN
to perform tasks, events triggered by theGITHUB_TOKEN
, with the exception ofworkflow_dispatch
andrepository_dispatch
, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository'sGITHUB_TOKEN
, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
A workaround is to use a personal access token from a personal user/bot account. However, for organizations, GitHub Apps are a more appropriate automation solution.
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Generate token
id: generate_token
uses: tibdex/github-app-token@v1
with:
app_id: ${{ secrets.APP_ID }}
# Optional.
# github_api_url: https://api.example.com
# Optional.
# installation_id: 1337
# Optional.
# Using a YAML multiline string to avoid escaping the JSON quotes.
# permissions: >-
# {"members": "read"}
private_key: ${{ secrets.PRIVATE_KEY }}
# Optional.
# repository: owner/repo
- name: Use token
env:
TOKEN: ${{ steps.generate_token.outputs.token }}
run: |
echo "The generated token is masked: ${TOKEN}"
Another use case for this action can (or could) be found in GitHub's own docs.