How to Apply Least-Privilege Scopes to a GitHub App Token
Set repositories and permissions on the token action so the minted token is limited even if the App can do more.
The create-github-app-token action lets you down-scope a token to fewer repos and fewer permissions than the App installation grants. Use it so a compromised token in one job cannot touch everything the App can.
Steps
- List only the repos the job needs in
repositories:. - Set
permission-<name>:inputs to further restrict the token. - Give each job its own narrowly scoped token.
Workflow
.github/workflows/ci.yml
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: my-org
repositories: docs-site
permission-contents: read
permission-pull-requests: writeGotchas
- You can only narrow, never exceed, what the App installation grants.
- A token scoped to one repo cannot be misused against another.
Related guides
How to Set GitHub App Permissions and Install It for CIConfigure a GitHub App with least-privilege repository permissions and install it on the repos your CI needs,…
How to Let Automation Bypass Required Reviews With a GitHub AppAllow a workflow to merge past required pull request reviews by adding a GitHub App to the branch protection…