Skip to content
Latchkey

How to Apply Least-Privilege Scopes to a GitHub App Token

Set repositories and permissions on the token action so the minted token is limited even if the App can do more.

The create-github-app-token action lets you down-scope a token to fewer repos and fewer permissions than the App installation grants. Use it so a compromised token in one job cannot touch everything the App can.

Steps

  • List only the repos the job needs in repositories:.
  • Set permission-<name>: inputs to further restrict the token.
  • Give each job its own narrowly scoped token.

Workflow

.github/workflows/ci.yml
steps:
  - uses: actions/create-github-app-token@v1
    id: app-token
    with:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
      owner: my-org
      repositories: docs-site
      permission-contents: read
      permission-pull-requests: write

Gotchas

  • You can only narrow, never exceed, what the App installation grants.
  • A token scoped to one repo cannot be misused against another.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →