How to Check Out Private Repos With a GitHub App Token
A GitHub App installation token is short-lived and scoped to chosen repos, making it safer than a personal access token for cross-repo checkouts.
Install a GitHub App on the target repos, then mint an installation token in the job with actions/create-github-app-token and pass it to actions/checkout as the token:.
Steps
- Create a GitHub App and install it on the repos you need to read.
- Store the App id and private key as secrets.
- Mint a token with
actions/create-github-app-tokenand pass it to checkout.
Workflow
.github/workflows/ci.yml
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: my-org
repositories: shared-tools
- uses: actions/checkout@v4
with:
repository: my-org/shared-tools
token: ${{ steps.app-token.outputs.token }}Gotchas
- Installation tokens expire after one hour, so mint them inside the job that uses them.
- Scope the App to the fewest repos and permissions the workflow actually needs.
Related guides
How to Check Out Multiple Repositories in One JobClone more than one repository into a single GitHub Actions job with actions/checkout using the repository in…
How to Share Secrets Across Repos With Organization SecretsDefine a secret once at the organization level and scope it to selected repositories, so many repos share the…