qoomon/actions--access-token

GitHub Actions Access Tokens

Obtain temporary Access Tokens for GitHub Actions workflows by requesting GitHub App Installation Access Tokens. Authorization is based on the GitHub Actions OIDC tokens and .github/access-token.yaml file in the target repositories.

Concept

  1. This GitHub action requests an access token for a Target Repository from the App Server, authorized by the GitHub Actions OIDC token of the requesting workflow run.
  2. The App Server requests a GitHub App Installation Token to read the .github/access-token.yaml file in the Granting Repository.
  3. The App Server reads the .github/access-token.yaml file from the Target Repository and determines which permissions should be granted to the Requesting GitHub Action Identity.
  4. The App Server requests a GitHub App Installation Token with the granted permissions for the Requesting GitHub Action Identity and sends it back in response to this GitHub action from step 1.
  5. This GitHub action sets the token as the step output field token.
  6. Further job steps can then use this token to access resources of the Granting Repository, e.g. ${{ steps.<ACCESS_TOKEN_STEP_ID>.outputs.token }}.
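To make the authorization decision of steps 1 to 4 concrete, here is an added Python example that is not code from the qoomon/actions--access-token project: it decodes the claims of an Actions OIDC token, matches the token's sub claim against a policy, and refuses any requested permission the policy does not grant at that level. The policy structure, the subject patterns and the example-org names are constructed assumptions for this illustration and not the project's access-token.yaml format; the token is an unsigned stand-in, because signature verification against GitHub's JWKS is a separate step the App Server performs before trusting any claim.

```python
import base64
import fnmatch
import json

# Permission levels as GitHub App installation tokens know them.
PERMISSION_RANK = {"read": 1, "write": 2}

# Constructed sample claims (a subset of what GitHub puts into an Actions
# ID token). Signature verification against GitHub's JWKS is assumed to
# have happened before these claims are trusted.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example-org/app-repo:ref:refs/heads/main",
    "repository": "example-org/app-repo",
    "ref": "refs/heads/main",
}

# Hypothetical, simplified policy used only for this illustration;
# it is NOT the project's access-token.yaml schema.
SAMPLE_POLICY = {
    "statements": [
        {
            "subjects": ["repo:example-org/app-repo:ref:refs/heads/main"],
            "permissions": {"contents": "read", "secrets": "write"},
        },
        {
            "subjects": ["repo:example-org/*:ref:refs/heads/main"],
            "permissions": {"contents": "read"},
        },
    ]
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT (empty signature part) as a demo stand-in."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Extract the payload claims; restores base64url padding first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(policy: dict, claims: dict) -> dict:
    """Union of permissions from every statement whose subject pattern
    matches the token's sub claim; the highest level per scope wins."""
    granted = {}
    for stmt in policy["statements"]:
        if not any(fnmatch.fnmatchcase(claims["sub"], p) for p in stmt["subjects"]):
            continue
        for scope, level in stmt["permissions"].items():
            if PERMISSION_RANK[level] > PERMISSION_RANK.get(granted.get(scope), 0):
                granted[scope] = level
    return granted


def authorize(policy: dict, token: str, requested: dict):
    """Return (ok, denied): denied lists requested scopes the policy does
    not cover at the requested level, so nothing is escalated."""
    claims = decode_claims(token)
    granted = granted_permissions(policy, claims)
    denied = [
        scope for scope, level in requested.items()
        if PERMISSION_RANK[level] > PERMISSION_RANK.get(granted.get(scope), 0)
    ]
    return (not denied, denied)


if __name__ == "__main__":
    token = encode_unsigned_jwt(SAMPLE_CLAIMS)
    print(authorize(SAMPLE_POLICY, token, {"contents": "read", "secrets": "write"}))
    print(authorize(SAMPLE_POLICY, token, {"actions": "write"}))
```

The requested-is-a-subset-of-granted check in authorize is the property that matters: a workflow run can ask for less than the policy allows, never more, and the decision is keyed on the identity claims GitHub issues (the default sub claim has the form repo:OWNER/REPO:ref:REF) rather than on anything the workflow itself controls.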

Usage

See Action Metadata and Example Use Cases.

Prerequisites

Install Access Manager App to Target Repositories

Install Access Tokens for GitHub Actions from Marketplace or host and install your own GitHub App

Warning

Be aware that once the access token GitHub App is installed, everybody with write access to .github/access-token.yaml can grant repository access permissions to GitHub Actions workflow runs.

Tip

For organizations on the GitHub Enterprise plan it is possible to restrict write access to .github/access-token.yaml to repository admins only by using a push ruleset.

Protect access token policy ruleset
  • Create a new push ruleset
  • Set Ruleset Name to Protect access token policy
  • Set Enforcement status to Active
  • Hit Add bypass, select Repository admin and hit Add selected
  • Set Target repositories to All repositories
  • Enable Restrict file paths, hit Add file path, set File path to .github/access-token.yaml and hit Add file path
  • Hit Create button

Grant Repository Permissions

Note

You can also grant repository permissions via an owner access token policy, see Grant Owner Permissions.

To grant repository permissions, create an access-token.yaml file within the .github/ directory of the target repository with this template content:

Repository Access Policy Example

Grant Owner Permissions

To grant owner-specific or owner-wide permissions, create an OWNER/.github-access-token repository and create an access-token.yaml file at the root of that repository with this template content:

Example Use Cases

Update Secrets

```yaml
on:
  workflow_dispatch:
  schedule:
    - cron: '0 12 * * *' # every day at 12:00 UTC

jobs:
  update-secret:
    runs-on: ubuntu-latest
    permissions:
      id-token: write

    steps:
      - uses: qoomon/actions--access-token@v3
        id: access-token
        with:
          permissions: |
            secrets: write

      - name: Update secret
        run: >-
          gh secret
          set 'API_KEY'
          --body "$(date +%s)"
          --repo ${{ github.repository }}
        env:
          GITHUB_TOKEN: ${{ steps.access-token.outputs.token }}

  read-secret:
    needs: update-secret
    runs-on: ubuntu-latest
    steps:
      - run: echo ${{ secrets.API_KEY }}
```

Clone an Internal or Private Repository

```yaml
name: GitHub Actions Access Manager Example
on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  checkout:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write

    steps:
      - uses: qoomon/actions--access-token@v3
        id: access-token
        with:
          repository: [target repository]
          permissions: |
            contents: read

      - uses: actions/checkout@v4
        with:
          repository: [target repository]
          token: ${{ steps.access-token.outputs.token }}
```

Trigger a Workflow

```yaml
on:
  workflow_dispatch:
  push:
    branches:
      - main

permissions:
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: qoomon/actions--access-token@v3
        id: access-token
        with:
          permissions: |
            actions: write

      - name: Trigger workflow
        run: >-
          gh workflow
          run [target workflow].yml
          --field logLevel=debug
        env:
          GITHUB_TOKEN: ${{ steps.access-token.outputs.token }}
      # ...
```

Development

Action Release Workflow

Resources

TODO

  • add token hash to output in main and post action