Skip to content
Latchkey

How to Check Out Private Repos With a GitHub App Token

A GitHub App installation token is short-lived and scoped to chosen repos, making it safer than a personal access token for cross-repo checkouts.

Install a GitHub App on the target repos, then mint an installation token in the job with actions/create-github-app-token and pass it to actions/checkout as the token:.

Steps

  • Create a GitHub App and install it on the repos you need to read.
  • Store the App id and private key as secrets.
  • Mint a token with actions/create-github-app-token and pass it to checkout.

Workflow

.github/workflows/ci.yml
steps:
  - uses: actions/create-github-app-token@v1
    id: app-token
    with:
      app-id: ${{ secrets.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
      owner: my-org
      repositories: shared-tools
  - uses: actions/checkout@v4
    with:
      repository: my-org/shared-tools
      token: ${{ steps.app-token.outputs.token }}

Gotchas

  • Installation tokens expire after one hour, so mint them inside the job that uses them.
  • Scope the App to the fewest repos and permissions the workflow actually needs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →