1

I'm running Github actions workflow in a private repo, and it pushes changes in a public repo. I'm providing my GitHub token in the private repo for the workflow github actions. Will my token leak in my public repo .git?

Can somebody clarify this? I'm don't have knowledge of security things :(

kometen
  • 6,536
  • 6
  • 41
  • 51
Spooky
  • 205
  • 1
  • 2
  • 7
  • are you configuring your secret as an Action Secret or are you pushing it to the repository? – rethab Nov 30 '21 at 07:42

1 Answers1

1

The Automatic token authentication page uses a GITHUB_TOKEN secret, which should, as its name suggests, remains... a secret.

At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow.
You can use the GITHUB_TOKEN to authenticate in a workflow run.

The GITHUB_TOKEN secret is a GitHub App installation access token.
You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository.
The token's permissions are limited to the repository that contains your workflow.

So you should not need to use your own GitHub token, only the one generated by GitHub Action.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250